During some tests I came across an issue with dual hide NAT on one Cisco device.
The device is configured with two Internet access lines. The first one is an Ethernet link (fa0/0) with static IP addressing, the second one is a dial-up PPPoE connection (Dialer1) with a dynamically assigned IP.
For the LAN side I configured a Loopback1 for testing.
ip nat inside is configured on Loopback1, ip nat outside on fa0/0 and Dialer1.
And the simple ACL and NAT configuration:

```
ip nat inside source list 100 interface Dia1 overload
ip nat inside source list 101 interface Fa0/0 overload
access-list 100 permit ip any any
access-list 101 permit ip any any
```
Sending some traffic via Dialer1 then worked fine, but sending traffic via Fa0/0 failed. Debugging NAT showed some error messages:

```
*May 6 13:43:45.403: mapping pointer available mapping:0
*May 6 13:43:45.407: NAT: translation failed (A), dropping packet s=192.168.4.1
```
A detailed look at the ACLs showed that all traffic matched ACL 100, even traffic that should have matched ACL 101 because it was sent towards Fa0/0… Don’t know why.
So I found another solution using route-maps, which works very well. Here is the configuration:
```
!
interface Loopback1
 description *** LAN ***
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description *** Internet via AS 77 ***
 ip address 77.1.1.1 255.255.255.254
 ip nat outside
!
interface FastEthernet0/1
 description *** Aggregation Network ***
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp chap hostname test
 ppp chap password 0 pass
!
!
ip nat inside source route-map HIDE-NAT1 interface Dialer1 overload
ip nat inside source route-map HIDE-NAT2 interface FastEthernet0/0 overload
!
!
ip access-list extended HIDE-NAT
 permit ip 192.168.4.0 0.0.0.255 any
!
!
route-map HIDE-NAT2 permit 10
 match ip address HIDE-NAT
 match interface FastEthernet0/0
!
route-map HIDE-NAT1 permit 10
 match ip address HIDE-NAT
 match interface Dialer1
!
```
And after sending some traffic via both links, NAT took place on both WAN interfaces as expected:

```
badbankbr3#sh ip nat tra
Pro  Inside global       Inside local        Outside local       Outside global
icmp 77.1.1.1:68         192.168.4.1:68      199.172.5.5:68      199.172.5.5:68
icmp 200.0.2.5:69        192.168.4.1:69      199.172.5.5:69      199.172.5.5:69
badbankbr3#
```
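As an added example (not part of the original post or of any Cisco tooling), here is a small config check that catches the pitfall described above before it reaches a device: with more than one outside interface, `ip nat inside source list` rules cannot select by egress interface, and route-map based rules only work when each route-map carries a `match interface` for the interface its NAT rule points at. The two sample configs are constructed from the post's ACL and route-map variants; the regex and the flattened-config handling are assumptions about how the config text is formatted.

```python
import re

# Constructed samples modelled on the post (not copied from a live device).
ACL_CONFIG = """\
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 100 permit ip any any
access-list 101 permit ip any any
"""
ROUTEMAP_CONFIG = """\
ip nat inside source route-map HIDE-NAT1 interface Dialer1 overload
ip nat inside source route-map HIDE-NAT2 interface FastEthernet0/0 overload
route-map HIDE-NAT2 permit 10
 match ip address HIDE-NAT
 match interface FastEthernet0/0
route-map HIDE-NAT1 permit 10
 match ip address HIDE-NAT
 match interface Dialer1
"""
NAT_RULE = re.compile(r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload", re.M)

def parse_nat_rules(cfg):
    """Return (kind, name, outside_interface) for each dynamic PAT rule."""
    return [m.groups() for m in NAT_RULE.finditer(cfg)]

def parse_route_map_interfaces(cfg):
    """Map route-map name -> interfaces named in its 'match interface' lines."""
    rmaps, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()  # IOS indents sub-commands; flattened copies do not
        if line.startswith("route-map "):
            current = line.split()[1]
            rmaps.setdefault(current, set())
        elif current and line.startswith("match interface "):
            rmaps[current].update(line.split()[2:])
        elif not line.startswith(("match ", "set ")):
            current = None  # any other line ends the route-map block
    return rmaps

def audit(cfg):
    """Findings for a NAT config with several outside interfaces; [] means OK."""
    rules = parse_nat_rules(cfg)
    if len(rules) < 2:
        return []  # one outside interface: nothing to select between
    rmaps = parse_route_map_interfaces(cfg)
    findings = []
    for kind, name, iface in rules:
        if kind == "list":
            findings.append(f"{iface}: ACL {name} ignores the egress interface; first matching NAT rule wins")
        elif iface not in rmaps.get(name, set()):
            findings.append(f"{iface}: route-map {name} lacks 'match interface {iface}'")
    return findings
```

Running `audit(ACL_CONFIG)` reports both list-based rules, while `audit(ROUTEMAP_CONFIG)` returns an empty list; removing one `match interface` line from the route-map variant produces a single finding naming the affected route-map.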