multiple outbound NAT entries

  • tehcamel

    Given the following snippets of config, could you help advise on this? When I replicated something similar in Packet Tracer, it all seemed to work fine, but it's being a bit weird in production.

    ip nat pool vl30 netmask type rotary
    ip nat pool vl100 netmask type rotary
    ip nat inside source list 1 pool vl30
    ip nat inside source list 2 interface GigabitEthernet0/0 overload
    ip nat inside source list 3 pool vl100

    access-list 1 remark Corporate Data NAT
    access-list 1 permit 192.168.X.0 log
    access-list 2 remark ServerSubnet
    access-list 2 permit 192.168.Y.0
    access-list 3 remark –Secure Wifi NAT–
    access-list 3 permit 192.168.Z.0

    Initially the first 4 or 5 sessions took all the external addresses, then it failed over to the Overload statement.

    So the computers on x.0 subnet failed to obtain access as the ACL prevented them. I initially just added all 3 subnets to all ACLs, then thought about it overnight.

    I realised overnight I’d forgotten the type Rotary statement. Started up the next morning, removed the VL30 pool, re-added it as type rotary. All worked fine – the x.0 computers were getting the right external addresses, sh ip nat trans shows the right things.

    Then I did the same thing on VL100 pool. All still working fine.
    Computers in x.0 got NAT from VL30, computers in Z.0 got NAT from VL100. Objects in Y.0 went out the default IP. This was all as expected.

    So, I fixed the ACLs:

    no access-list 2
    access-list 2 remark —server subnet—
    access-list 2 permit 192.168.y.0
    no access-list 3
    access-list 3 remark –wifi subnet–
    access-list 3 permit 192.168.z.0

    Suddenly, everything on pool VL30 stopped working.
    I added another line to ACL3 to allow the X.0 subnet out the VL100 pool and it’s all fine for now. (objects on Y.0 are still transiting GI0/0 rather than a pool which is as intended)

    It's not my desired outcome though. We want to know that computers on the wired VLAN go out one pool and computers on wireless go out another.

    Also, is it possible to reduce the number of available SSH sessions for management?
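As an added example (not from the original post), here is a small Python checker for the kind of ACL/NAT mismatch the post describes: it parses `ip nat inside source list ...` and `access-list N permit ...` lines, maps each inside subnet to the NAT target(s) whose ACL permits it, and flags subnets permitted by more than one NAT ACL, since those get an ambiguous pool selection like the "all 3 subnets in all ACLs" state the poster tried. The config is a constructed sample modelled on the one above, with concrete subnets standing in for X/Y/Z and assumed /24 wildcard masks.

```python
import ipaddress
import re

# Constructed sample config modelled on the forum post: X/Y/Z replaced by
# concrete subnets, wildcard masks assumed /24, and the X.0 subnet added to
# ACL 3 as the poster did, so that one subnet matches two NAT statements.
SAMPLE_CONFIG = """
ip nat inside source list 1 pool vl30
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 3 pool vl100
access-list 1 remark Corporate Data NAT
access-list 1 permit 192.168.10.0 0.0.0.255 log
access-list 2 remark ServerSubnet
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark Secure Wifi NAT
access-list 3 permit 192.168.30.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) (pool \S+|interface \S+)( overload)?$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+)(?: (\S+))?")

def parse_config(text):
    """Return ({acl: nat target}, {acl: [IPv4Network, ...]}) from config text."""
    nat_targets, acl_nets = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            nat_targets[m.group(1)] = m.group(2) + (m.group(3) or "")
            continue
        m = ACL_RE.match(line)
        if m:
            acl, addr, wild = m.groups()
            # Cisco wildcard masks are inverted netmasks; a bare address is a host.
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild or "0.0.0.0")) ^ 0xFFFFFFFF)
            acl_nets.setdefault(acl, []).append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return nat_targets, acl_nets

def nat_paths(text):
    """Map each inside subnet to every NAT target whose ACL permits it."""
    nat_targets, acl_nets = parse_config(text)
    paths = {}
    for acl, target in nat_targets.items():
        for net in acl_nets.get(acl, []):
            paths.setdefault(str(net), []).append(target)
    return paths

def audit(text):
    """Return (ambiguous, clean): subnets matched by >1 NAT ACL vs exactly one."""
    paths = nat_paths(text)
    ambiguous = sorted(n for n, t in paths.items() if len(t) > 1)
    clean = sorted(n for n, t in paths.items() if len(t) == 1)
    return ambiguous, clean
```

Running `audit(SAMPLE_CONFIG)` reports 192.168.10.0/24 as ambiguous (matched by both the vl30 and vl100 NAT ACLs) and the other two subnets as clean; the same check can be pointed at a `show running-config | include ip nat|access-list` capture.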
