Try changing nat source list to a route map:

ip nat inside source list 10 pool pool1 overload
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

to

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255
route-map NAT permit 10
 match ip address 10
ip nat inside source route-map NAT pool pool1 overload

Jon

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Starnes
Sent: 22 August 2010 21:03
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] problems with NAT

Hi,

We are seeing a problem with NAT on a Cisco 7206VXR that has us completely stumped. The setup is working using a 1721, but when replacing that with the 7206 it does not seem to work.

Current setup:

Internet connection comes into a 2950 switch. It is handed to several devices on vlan 10 including the 1721 as a trunked vlan on its fa0.1. The 1721 also has fa0.2 on vlan 20 which is the private network. There are 2 T1s connected to this router on s0 and s1 in a multilink bundle (multilink1). Interfaces multilink1 and fa0.2 are configured as ip nat inside. fa0.1 is configured as ip nat outside. Static nat mappings to devices on the private ethernet and to the T1 network work great.

Now, we replaced that 1721 with a 7206VXR and the NAT does not work correctly and the behavior is different depending upon what IOS version we load. The difference in network configuration now is that instead of using a trunk of vlans, there are individual fast ethernet ports. So fa0.1 and fa0.2 get replaced with fa0/0 and fa0/1.

Here is the issue. On c7200-is-mz.123-25.bin, NAT only works on devices on the private ethernet. On c7200-is-mz.122-3.bin, NAT works on everything except for SIP traffic (udp 5060) from the multilink1. On c7200-advipservicesk9-mz.124-2.T5.bin, NAT does not seem to work on any traffic on the multilink and only partially works on private ethernet traffic. Seems to not want to NAT some traffic and leaves it as sourced from the private IP.

I have included the interface and NAT portions of the config below. There are more NAT mappings than shown, but just included the first two. Does anyone know why this would work on the 1721 and not the 7206?

interface Multilink1
 description T1s to office
 ip address 172.20.1.1 255.255.255.252
 ip nat inside
 load-interval 30
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links maximum 2
 ppp multilink links minimum 1
 ppp multilink group 1
 service-policy output adtran-VoIP-policy
!
interface FastEthernet0/0
 description Public internet at colo
 ip address y.y.y.17 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 description Private network at colo
 ip address 10.10.100.254 255.255.255.0
 ip nat inside
!
ip nat translation max-entries 10000
ip nat pool pool1 y.y.y.18 y.y.y.18 netmask 255.255.255.240
ip nat inside source list 10 pool pool1 overload
ip nat inside source static 172.20.1.2 y.y.y.19
ip nat inside source static 10.10.100.21 y.y.y.21
ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
ip nat inside source static tcp 10.2.2.3 80 y.y.y.51 80 extendable
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

Thanks,

-Lee
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
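
Added example, not part of the original thread or written by its posters: a small Python model of how the posted NAT statements select inside sources, using standard-ACL wildcard matching, to check which addresses ACL 10 hands to pool1 and which hit a one-to-one static entry. The static-before-dynamic ordering, the function names and the sample source addresses are assumptions of this sketch; port-specific static entries are not modelled.

```python
import ipaddress

# Constructed from the configuration quoted in the thread above.
CONFIG = """\
ip nat inside source list 10 pool pool1 overload
ip nat inside source static 172.20.1.2 y.y.y.19
ip nat inside source static 10.10.100.21 y.y.y.21
ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255
"""

def parse(config):
    """Return (ACL entries by number, one-to-one statics, ACL -> pool map)."""
    acls, statics, dynamic = {}, {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and len(w) == 5:
            base = int(ipaddress.IPv4Address(w[3]))
            wild = int(ipaddress.IPv4Address(w[4]))
            acls.setdefault(w[1], []).append((w[2], base, wild))
        elif w[:5] == ["ip", "nat", "inside", "source", "static"] and len(w) == 7:
            statics[w[5]] = w[6]      # local IP -> global IP (no port form)
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            dynamic[w[5]] = w[7]      # ACL number -> pool name
    return acls, statics, dynamic

def acl_permits(entries, addr):
    """Standard ACL: first matching entry decides; implicit deny at the end."""
    a = int(ipaddress.IPv4Address(addr))
    for action, base, wild in entries:
        if (a & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False

def classify(config, src):
    """Assumed order: static entry first, then the ACL-selected overload pool."""
    acls, statics, dynamic = parse(config)
    if src in statics:
        return ("static", statics[src])
    for acl, pool in dynamic.items():
        if acl_permits(acls.get(acl, []), src):
            return ("overload", pool)
    return ("untranslated", None)

if __name__ == "__main__":
    for src in ["172.20.1.2", "10.10.100.50", "10.2.2.3", "172.20.2.9"]:
        print(src, classify(CONFIG, src))
```
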