Hi Peter,
thanks for your help.
I've tried what you suggested and it looks like it's working (the static is
not taking precedence over the dynamic one).
Unluckily, the static NAT is not working.
This is my basic NAT stuff:
(note: net 192.168.1.x must become 192.168.200.x with the static NAT and
talk to 10.10.0.0)
route-map NAT permit 10
match ip address 101
access-list 101 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 pref 24
ip nat inside source route-map NAT pool OVERLAPPING
######
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
thaaaanks again.
On Mon, Jul 30, 2012 at 12:29 PM, Peter Dervan <petesccie_at_gmail.com> wrote:
> Try making the static nat policy based, using a nat pool and route map.
> Policy would allow static nat to kick in only when traffic is destined to a
> particular destination - should fix your issue.
>
> Sent from my iPhone
>
> On 30 Jul 2012, at 13:14, ccie99999 <ccie99999_at_googlemail.com> wrote:
>
> > Hi guys,
> >
> > I feel a bit frustrated because of this simple issue:
> >
> > I've got to do a static nat and a dynamic one with the overload.
> >
> > the static one is for translating my entire lan to a specific net (because
> > of overlapping over ipsec).
> >
> > the dynamic one with overload is for surfing the web.
> >
> > As soon as I set up the static nat the customer loses access to the
> > internet (the dynamic one stops working).
> >
> > I know that a static route has precedence over a dynamic but I've set up a
> > specific acl:
> >
> > this is my conf:
> >
> > NAT:
> > ip nat inside source list 100 interface Dialer0 overload
> > ip nat inside source static network 192.168.1.0 192.168.200.0 /24
> >
> > ACL:
> > access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> > access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
> > access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> >
> > I've even tried to use a route-map within the dynamic nat but it still
> > doesn't work..
> >
> > where am I wrong?
> >
> > thanks in advance
> >
> >
> > --
> > ccie99999
> > twitter: @ccie99999
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
--
ccie99999
twitter: @ccie99999
Received on Mon Jul 30 2012 - 13:41:32 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART
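
Added example, not part of the original thread: a small Python evaluator for the wildcard-mask ACLs posted above, showing which flows ACL 100 (overload rule) and ACL 101 (route-map NAT) permit or deny. It models ACL matching only (first match wins, implicit deny), not the router's NAT processing order; the sample flows are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD' (DST may be 'any')."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[3] != "ip":
            continue
        dst = ("0.0.0.0", "255.255.255.255") if t[6] == "any" else (t[6], t[7])
        acls.setdefault(t[1], []).append((t[2], (t[4], t[5]), dst))
    return acls

def evaluate(acls, number, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (sb, sw), (db, dw) in acls.get(number, []):
        if wild_match(src, sb, sw) and wild_match(dst, db, dw):
            return action
    return "deny"

# ACL lines copied from the message above.
POSTED = [
    "access-list 101 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255",
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255",
    "access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
]
ACLS = parse_acl(POSTED)

def classify(src, dst):
    """Result of each posted ACL for one flow."""
    return {n: evaluate(ACLS, n, src, dst) for n in ("100", "101")}

if __name__ == "__main__":
    # Constructed sample flows: two toward the remote range, two elsewhere.
    for src, dst in [("192.168.1.10", "10.10.5.5"), ("192.168.1.10", "10.11.255.255"),
                     ("192.168.1.10", "10.12.0.1"), ("192.168.1.10", "8.8.8.8")]:
        print(src, "->", dst, classify(src, dst))
```

The wildcard 0.1.255.255 on 10.10.0.0 covers 10.10.0.0 through 10.11.255.255, so a destination in 10.12.0.0 falls outside ACL 101 and is permitted by ACL 100 instead.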