
multiple outbound NAT entries



    Given the following snippets of config, could you help advise on this? When I replicated something similar in Packet Tracer, it all seemed to work fine, but it's being a bit weird in production.

    ip nat pool vl30 netmask type rotary
    ip nat pool vl100 netmask type rotary
    ip nat inside source list 1 pool vl30
    ip nat inside source list 2 interface GigabitEthernet0/0 overload
    ip nat inside source list 3 pool vl100

    access-list 1 remark Corporate Data NAT
    access-list 1 permit 192.168.X.0 log
    access-list 2 remark ServerSubnet
    access-list 2 permit 192.168.Y.0
    access-list 3 remark --Secure Wifi NAT--
    access-list 3 permit 192.168.Z.0

    Initially the first 4 or 5 sessions took all the external addresses, then it failed over to the overload statement.

    So the computers on the X.0 subnet failed to obtain access as the ACL prevented them. I initially just added all 3 subnets to all ACLs, then thought about it overnight.

    I realised overnight I'd forgotten the type rotary statement. Started up the next morning, removed the VL30 pool, re-added it as type rotary. All worked fine: the X.0 computers were getting the right external addresses, and sh ip nat trans shows the right things.

    Then I did the same thing on the VL100 pool. All still working fine.
    Computers in X.0 got NAT from VL30, computers in Z.0 got NAT from VL100. Objects in Y.0 went out the default IP. This was all as expected.

    So, I fixed the ACLs:

    no access-list 2
    access-list 2 remark ---server subnet---
    access-list 2 permit 192.168.y.0
    no access-list 3
    access-list 3 remark --wifi subnet--
    access-list 3 permit 192.168.z.0

    Suddenly, everything on pool VL30 stopped working.
    I added another line to ACL 3 to allow the X.0 subnet out the VL100 pool and it's all fine for now. (Objects on Y.0 are still transiting Gi0/0 rather than a pool, which is as intended.)

    It's not my desired outcome though. We want to know that computers on the wired VLAN go out one pool and computers on wireless go out another.

    Also, is it possible to reduce the number of available SSH sessions for management?
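As an added illustration (not part of the post, and not Cisco tooling), a small Python script that parses the `ip nat inside source list` statements and standard ACLs from a constructed config modelled on the one above, and reports every NAT rule whose ACL permits a given inside source. It makes two things visible that are easy to miss when ACLs are edited by hand: a permit line with no wildcard mask matches only that single host (IOS standard ACLs default the wildcard to 0.0.0.0), and a subnet listed in two ACLs that feed different NAT rules is ambiguous. Assumptions: placeholder third octets 10/20/30 stand in for X/Y/Z, and wildcard masks are contiguous.

```python
import ipaddress
import re

# Constructed sample modelled on the post's snippets. X/Y/Z are replaced
# with placeholder third octets 10/20/30 (an assumption, not real values).
# ACL 3 deliberately keeps one permit with no wildcard, as in the post.
SAMPLE_CONFIG = """
ip nat inside source list 1 pool vl30
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 3 pool vl100
access-list 1 remark Corporate Data NAT
access-list 1 permit 192.168.10.0 0.0.0.255 log
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 permit 192.168.30.0
access-list 3 permit 192.168.10.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) (.+)$")

def parse_config(text):
    """Return ({acl_number: [IPv4Network, ...]}, [(acl_number, nat_target), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl, addr, wild = m.groups()
            # Omitted wildcard means 0.0.0.0 on IOS: a single-host match.
            # A contiguous wildcard of N low bits gives a /(32-N) prefix.
            wild_int = int(ipaddress.ip_address(wild or "0.0.0.0"))
            prefix = 32 - wild_int.bit_length()
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            acls.setdefault(acl, []).append(net)
            continue
        m = NAT_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).strip()))
    return acls, rules

def matching_rules(text, src_ip):
    """All NAT targets whose ACL permits src_ip; more than one means ambiguity."""
    acls, rules = parse_config(text)
    ip = ipaddress.ip_address(src_ip)
    return [target for acl, target in rules
            if any(ip in net for net in acls.get(acl, []))]

def overlapping_rules(text):
    """Pairs of NAT targets whose ACLs cover overlapping inside source space."""
    acls, rules = parse_config(text)
    hits = []
    for i, (acl_a, tgt_a) in enumerate(rules):
        for acl_b, tgt_b in rules[i + 1:]:
            nets_a, nets_b = acls.get(acl_a, []), acls.get(acl_b, [])
            if any(a.overlaps(b) for a in nets_a for b in nets_b):
                hits.append((tgt_a, tgt_b))
    return hits
```

Running `matching_rules(SAMPLE_CONFIG, "192.168.30.5")` returns an empty list because the wifi permit has no wildcard, while a host in 192.168.10.0/24 matches both pools.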