Using the static one-to-one NAT global address of a Cisco router for PAT as well (NAT/PAT)
I. Description
Troubleshooting a fault. A host is translated by a static one-to-one NAT entry on a Cisco router. The host can be reached over SSH through its NAT address without problems, but when the host sends syslog messages, the source address seen by the syslog server is not the static NAT address but the address of the router's outside interface. A syslog server that filters or classifies messages by source address therefore drops or misattributes the host's logs.
II. Cause
Inspecting the router configuration shows that, in addition to the static NAT entry, a dynamic PAT is also configured. Adding a deny for the host's statically mapped intranet address to the dynamic PAT ACL did not help. After logging on to the host, it turned out that the mapped intranet address is actually the floating (virtual) address of the host's network interface. When the host itself initiates traffic, it does not use the floating address as the source, so its packets never match the static entry and are translated by the interface PAT on the way out.
III. Solution
1. Assumptions:
Floating (virtual) intranet address of the host: 172.16.1.2
Actual intranet address of the host: 172.16.1.1
Global address statically mapped to the floating intranet address: 10.101.16.1
Syslog server address: 10.102.1.1
2. Keep the original static one-to-one NAT of the floating address:
ip nat inside source static 172.16.1.2 10.101.16.1
3. Modify the original PAT configuration so that the ACL first excludes the host's syslog traffic (the deny must precede the permit, since ACL entries are evaluated in order; the original `permit ip any` was missing its destination and is corrected here):
ip access-list extended pat
 deny udp host 172.16.1.1 host 10.102.1.1 eq syslog
 permit ip any any
ip nat inside source list pat interface GigabitEthernet0/0 overload
4. Add a second PAT rule whose address pool contains only the global address that is statically mapped to the floating intranet address, so the syslog flow excluded in step 3 is translated to that address:
ip access-list extended outpat
 permit udp host 172.16.1.1 host 10.102.1.1 eq syslog
ip nat pool outpatpool 10.101.16.1 10.101.16.1 netmask 255.255.255.0
ip nat inside source list outpat pool outpatpool overload
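The following verification commands are an added example for checking that the configuration above does what the solution intends; they are not part of the original post. They use the addresses and the ACL/pool names assumed above, and the source port 40000 in the illustrative translation entry is a constructed example of the host's ephemeral port.

```cisco
! Added verification steps (not from the original post). Addresses, ACL and
! pool names are the ones assumed above; port 40000 is a constructed example.
!
! 1. Confirm the ACLs match the right packets: after the host has sent a few
!    syslog messages, the deny entry in "pat" and the permit entry in "outpat"
!    should both show non-zero match counters.
show ip access-lists pat
show ip access-lists outpat
!
! 2. Confirm the syslog flow is translated to the static global address.
!    An entry of the following shape (constructed illustration) is expected;
!    if "Inside global" still shows the GigabitEthernet0/0 address, the flow
!    is still hitting the interface PAT.
!    Pro Inside global        Inside local         Outside local      Outside global
!    udp 10.101.16.1:40000    172.16.1.1:40000     10.102.1.1:514     10.102.1.1:514
show ip nat translations | include 10.102.1.1
!
! 3. Translations created before the change persist until they time out.
!    Clearing the table forces the next packet through the new rules; note
!    that "*" clears every dynamic translation on the router, so do this in a
!    maintenance window if other sessions matter. Then watch the new entry
!    being created and stop debugging afterwards.
clear ip nat translation *
debug ip nat
undebug all
```

The ACL match counters are the quickest way to tell which of the two `ip nat inside source list` rules a packet is taking: a syslog message that increments the `permit ip any any` line of `pat` instead of its deny line is still using the wrong source address on the host (for example, it is sourced from 172.16.1.1 rather than the address the ACL names).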