I just ran into this exact same problem last week and a reboot fixed
the issue running 12.4(24)T2.  I didn't think to apply the static NAT
first.  Is there a reason to apply the static NAT first, or is it
IOS related?

Thanks,
Brian

On 1/20/10, Tyson Scott <[email protected]> wrote:
> Apply your static first then apply the NAT pool.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Larsson
> Sent: Wednesday, January 20, 2010 9:41 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] ip nat source pool conflicts with ip nat source static?
>
> I am playing with some basic IOS NAT and can't get it to work the way I want.
>
> On my "inside" I have a client at 10.0.20.100. I want to hide that IP for
> outbound traffic. First I do it with a NAT pool, like this:
>
> interface FastEthernet0
>  ip address 10.0.13.2 255.255.255.0
>  ip nat enable
> interface FastEthernet1
>  ip address 10.0.20.1 255.255.255.0
>  ip nat enable
>
> ip access-list extended ACL_INSIDE_NAT
>  permit ip 10.0.20.0 0.0.0.255 any
>
> ip nat pool MYNATPOOL 10.99.99.99 10.99.99.199 netmask 255.255.255.0 add-route
> ip nat source list ACL_INSIDE_NAT pool MYNATPOOL
>
> All is fine and my client can access an outside web server, hidden behind a
> 10.99.99 address (after redistributing statics so that my outside network
> knows about the 10.99.99 network).
>
> Then I want to modify it so that everything on 10.0.20.0/24 stays hidden
> behind that pool EXCEPT for my host .100. I add this:
>
> ip access-list extended ACL_INSIDE_NAT
>  deny   ip host 10.0.20.100 any
>  permit ip 10.0.20.0 0.0.0.255 any
>
> (Denying traffic from my host so that it is NOT NATed with my pool)
>
> r3(config)#ip nat source static 10.0.20.100 10.99.98.100
> r3(config)#
> *Jan 20 14:44:13.147: %Non-Static entry already exists
>
> 1) Why can't I do that? I can't see that my ip nat source pool conflicts with
> my ip nat source static.
>
> 2) How do I solve this?
>
> 3) How do I redistribute knowledge of this 10.99.98 address? I miss the
> ability to add "add-route" at the end of the ip nat source static line. If I
> am supposed to solve this with a static route in the config, what should I
> point the next hop to?
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
>