At a site, both the source and destination IP addresses of data flows for accessing a server need to be translated. The scenario is described as follows:
Use the UDP packet sending tool on PC1 for tests. When PC1 accesses UDP port 53 on 184.108.40.206x, the destination address is translated into 220.127.116.11 and the source address into 100.100.100.100.
In the current configuration, the test is successful. However, after ACL 3001 is configured to match the destination address 18.104.22.168, the test fails, and NAT for the source IP address does not take effect. After the ACL is configured to match the source address 22.214.171.124, NAT for the source IP address takes effect.
On AR2, server mapping is configured on G0/0/1, and NAT is performed for the source IP address on G0/0/0.
The key configuration is as follows:
acl number 3001
rule 5 permit ip destination 126.96.36.199 0.0.0.255
nat address-group 1 100.100.100.100 100.100.100.100
ip address 188.8.131.52 255.255.255.0
nat outbound 3001 address-group 1 no-pat
ip address 184.108.40.206
nat static protocol udp global 220.127.116.11 dns inside 18.104.22.168 dns netmask 255.255.255.255
After the configuration, the source address is not translated into 100.100.100.100.
A check of the configuration finds no obvious issue. NAT for the source IP address does not take effect because the address specified in the ACL does not match the packet. The related module experts confirm that, if IP addresses are translated on the AR, only the IP addresses before translation can match ACLs, regardless of whether NAT is performed for the source or destination IP address.
Adjust the ACL as follows. The fault is rectified.
rule 5 permit ip source 22.214.171.124 0.0.0.255
If NAT is performed on an AR, specify IP addresses before translation in ACLs, regardless of the source or destination IP address.
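The matching rule described above, modelled in Python as an added example (it is not Huawei code or device output). The PC, global and inside addresses are constructed documentation-range values, the function and class names are hypothetical, and only the pool address 100.100.100.100 comes from the page.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Rule:
    field: str     # "source" or "destination"
    base: str
    wildcard: str

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def acl_permits(rules, pkt):
    """True if any permit rule matches the header it is given."""
    for r in rules:
        addr = pkt.src if r.field == "source" else pkt.dst
        if wildcard_match(addr, r.base, r.wildcard):
            return True
    return False   # no match: flow is not selected for source NAT

def forward(pkt, static_map, acl, pool_addr):
    """Apply server mapping and outbound NAT; the ACL sees the ORIGINAL header."""
    new_dst = static_map.get(pkt.dst, pkt.dst)                 # destination NAT
    new_src = pool_addr if acl_permits(acl, pkt) else pkt.src  # source NAT
    return Packet(new_src, new_dst)

# Constructed sample values (documentation ranges), not the addresses on this page.
PC1, GLOBAL, INSIDE = "192.0.2.10", "198.51.100.53", "203.0.113.53"
POOL = "100.100.100.100"            # address-group 1 from the page
STATIC_MAP = {GLOBAL: INSIDE}       # models the nat static server mapping
ACL_BY_TRANSLATED_DST = [Rule("destination", "203.0.113.0", "0.0.0.255")]
ACL_BY_ORIGINAL_SRC = [Rule("source", "192.0.2.0", "0.0.0.255")]

def run(acl):
    """Send PC1's packet to the global address through the modelled AR."""
    return forward(Packet(PC1, GLOBAL), STATIC_MAP, acl, POOL)

if __name__ == "__main__":
    print("ACL on translated destination:", run(ACL_BY_TRANSLATED_DST))
    print("ACL on original source:       ", run(ACL_BY_ORIGINAL_SRC))
```

With the ACL written against the translated destination, the source address leaves unchanged; with the ACL written against the original source, it is rewritten to the pool address.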