tehcamel (Member), Aug 28, 2014 at 3:50 pm, #164188
Given the following snippets of config, could you help advise on this? When I replicated something similar in Packet Tracer, it all seemed to work fine, but it's being a bit weird in production.
ip nat pool vl30 220.127.116.11 18.104.22.168 netmask 255.255.255.248 type rotary
ip nat pool vl100 22.214.171.124 126.96.36.199 netmask 255.255.255.248 type rotary
ip nat inside source list 1 pool vl30
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 3 pool vl100
access-list 1 remark Corporate Data NAT
access-list 1 permit 192.168.X.0 0.0.0.255 log
access-list 2 remark ServerSubnet
access-list 2 permit 192.168.Y.0 0.0.0.255
access-list 3 remark --Secure Wifi NAT--
access-list 3 permit 192.168.Z.0 0.0.0.255
Initially the first 4 or 5 sessions took all the external addresses, then it failed over to the overload statement.
So the computers on the x.0 subnet failed to obtain access as the ACL prevented them. I initially just added all 3 subnets to all ACLs, then thought about it overnight.
I realised overnight I'd forgotten the type rotary statement. Started up the next morning, removed the VL30 pool, re-added it as type rotary. All worked fine: the x.0 computers were getting the right external addresses, and sh ip nat trans shows the right things.
Then I did the same thing on VL100 pool. All still working fine.
Computers in x.0 got NAT from VL30, computers in Z.0 got NAT from VL100. Objects in Y.0 went out the default IP. This was all as expected.
So, I fixed the ACLs:
no access-list 2
access-list 2 remark ---server subnet---
access-list 2 permit 192.168.y.0 0.0.0.255
no access-list 3
access-list 3 remark --wifi subnet--
access-list 3 permit 192.168.z.0 0.0.0.255
Suddenly, everything on pool VL30 stopped working.
I added another line to ACL 3 to allow the X.0 subnet out the VL100 pool and it's all fine for now. (Objects on Y.0 are still transiting Gi0/0 rather than a pool, which is as intended.)
It's not my desired outcome though. We want to know that computers on the wired VLAN go out one pool and computers on wireless go out another.
Also, is it possible to reduce the number of available SSH sessions for management?
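Added example, not the poster's configuration and not anything the post describes as working: a per-VLAN source-NAT layout in the shape the post asks for (wired VLAN out one pool, Wi-Fi VLAN out a second pool, server VLAN out the interface address), followed by the VTY side of the second question. All addresses, pool names, VLAN interfaces and ACL numbers are placeholders. Two caveats a practitioner would check against the posted config, offered as the editor's notes rather than a diagnosis: `type rotary` is documented for TCP load distribution with `ip nat inside destination`, so the pools below are plain pools with `overload` (a two-address pool cannot translate a whole /24 one-to-one, and PAT over the pool addresses is what lets many hosts share them); and the `log` keyword is left off the NAT ACLs, because `log` on an ACL referenced by NAT forces matching packets to be process-switched and is a commonly cited cause of erratic translation. IOS has no separate cap on SSH sessions; the number of VTY lines that accept SSH is the cap, so the example leaves two lines open, restricts them to a management subnet, and disables the rest.

```cisco
! Added example, not the poster's configuration. Every address, name
! and ACL number here is a placeholder.
!
! --- Per-VLAN source NAT ---
! Plain pools: "type rotary" is for TCP load distribution with
! "ip nat inside destination" and is not used for inside source NAT.
ip nat pool WIRED-POOL 203.0.113.9 203.0.113.10 netmask 255.255.255.248
ip nat pool WIFI-POOL 203.0.113.17 203.0.113.18 netmask 255.255.255.248
!
! One inside subnet per ACL, no overlap, so a host can only ever match
! a single "ip nat inside source" rule. No "log" keyword on NAT ACLs
! (editor's caveat, see lead-in).
access-list 10 remark Wired VLAN -> WIRED-POOL
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 remark Server VLAN -> Gi0/0 interface address
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 remark Wi-Fi VLAN -> WIFI-POOL
access-list 30 permit 192.168.30.0 0.0.0.255
!
! "overload" on the pools: many hosts share each pool address (PAT)
! instead of the pool running dry after two translations.
ip nat inside source list 10 pool WIRED-POOL overload
ip nat inside source list 20 interface GigabitEthernet0/0 overload
ip nat inside source list 30 pool WIFI-POOL overload
!
! NAT only runs between an "inside" and an "outside" interface.
interface GigabitEthernet0/0
 ip nat outside
interface Vlan10
 description Wired clients
 ip nat inside
interface Vlan20
 description Servers
 ip nat inside
interface Vlan30
 description Wi-Fi clients
 ip nat inside
!
! --- Limiting management SSH sessions ---
! Only VTY 0 and 1 accept connections, SSH only, from MGMT-HOSTS;
! the remaining lines accept no transport, so at most two
! concurrent management sessions exist. Check the last VTY number
! on your platform with "show line" and extend the second range to it.
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 192.168.20.0 0.0.0.255
line vty 0 1
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
line vty 2 4
 transport input none
 no exec
```

Verify the NAT side with `show ip nat translations` (each inside subnet should only ever appear behind its own pool or the interface address) and the VTY side by opening a third SSH session, which should be refused.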