Multiple NAT-ed interfaces?

Unanswered Question
May 15th, 2007

I have a Cisco 7200 which has multiple interfaces. I use services such as Yipes, that set up basically a direct connection to the remote site (usually on a private IP space). My only issue is that most of the services we connect to require us to use NAT on the interface. My question is whether it is possible to NAT multiple interfaces on a router. I have studied this a little bit and attempted to create a second NAT statement, but every time I tried, the previous interface that already has NAT applied loses its connection. I would hate to buy a dedicated router for every connection. An example is to have 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24 all on the same router and all NAT-ed.

Jon Marshall Tue, 05/15/2007 - 11:17

Hi Jim


If I understand correctly you should be able to do NAT on multiple interfaces. You can use the "ip nat inside" statement under each interface you want to NAT the source IPs and "ip nat outside" on the interface that you want the source IP addresses natted to.


If you want multiple NAT outside statements you can use route-maps with your NAT statements to do conditional NAT.


Could you post the config of your 7200 with an explanation of what you are natting from and to?


HTH


Jon

jimwysocki Tue, 05/15/2007 - 11:55

Here is my current config. What I want is to have eth 5/1 ip address 10.13.7.2 255.255.255.0, and I want all traffic coming from the 192.168.225.0 network to be NAT-ed when going out to the 10.13.7.0 network.

Currently, when I enter ip nat inside source static 192.168.225.103 10.13.7.2 it shuts down the previous NAT. And if I create an access list (access-list 1 permit any any) and then the NAT command ip nat inside source list 1 inte eth 5/1 overload, it also takes down the previous NAT until the statement is removed.




Current configuration : 2469 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret xxx
enable password xxx
!
ip subnet-zero
ip cef
!
call rsvp-sync
!
bridge irb
!
!
interface FastEthernet1/0
 ip address 172.28.x.x 255.255.255.252
 ip nat outside
 duplex full
!
interface FastEthernet2/0
 ip address 66.x.x.x 255.255.255.252
 duplex full
 speed 100
!
interface FastEthernet2/1
 ip address 208.x.x.x 255.255.255.224
 duplex full
 speed 100
!
interface FastEthernet4/0
 no ip address
 ip nat inside
 duplex full
 bridge-group 10
!
interface Ethernet5/0
 ip address 172.19.x.x 255.255.255.248
 duplex full
!
interface Ethernet5/1
 no ip address
 ip nat outside
 shutdown
 duplex full
!
interface Ethernet5/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet5/3
 no ip address
 shutdown
 duplex full
!
interface BVI10
 ip address 192.168.225.3 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.214.67.204 192.168.225.30
ip classless
ip route 0.0.0.0 0.0.0.0 66.227.77.33 permanent
ip route 10.214.x.0 255.255.255.0 192.168.225.1 permanent
ip route 64.14.x.0 255.255.255.0 10.136.8.1
ip route 172.18.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.18.x.128 255.255.255.224 172.28.x.x permanent
ip route 172.18.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.20.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.20.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.21.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.29.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.29.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.30.x.0 255.255.255.0 172.19.x.1
no ip http server
!
no cdp run
snmp-server community stipublic RO
snmp-server packetsize 2048
snmp-server enable traps tty
bridge 10 protocol ieee
bridge 10 route ip
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 password xxx
 login
line vty 5 15
 password xxx
 login



royalblues Wed, 05/16/2007 - 00:05

If I understand your problem correctly, you need to be able to NAT to a different IP when the same source is trying to access different destinations.


You would require NAT with route-maps for this.


NAT only uses access lists and route maps when it needs to create a translation entry. If a translation entry already exists that matches the traffic then the translation entry will be used; any access lists or route maps will not be consulted. The difference between using an access list or route map is the type of translation entry that will be created.


When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information.


Have a look at this link

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml


HTH, rate if it does

Narayan

jimwysocki Wed, 05/16/2007 - 05:56

A better way to explain it is that 192.168.1.1 is my internal LAN's interface. Let's just say 10.1.0.1 is an interface and 10.2.0.1 is another interface going to other LANs. I want all traffic coming from my internal interface (192.168.1.1) to show up as 10.1.0.1 when it goes out that interface, or show up as 10.2.0.1 if it is routed out that interface. I guess basically I need two outside interfaces.
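
The route-map approach suggested in the replies, applied to the two-outside-interface case just described. This is an added example, not a configuration posted by anyone in the thread; the interface names, the /24 masks on the 10.x links, the ACL number and the route-map names are assumptions.

```ios
! Added example. Interface names, masks and route-map names are hypothetical.
! Inside LAN (address from the post above)
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! First partner link: traffic leaving here should appear as 10.1.0.1
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat outside
!
! Second partner link: traffic leaving here should appear as 10.2.0.1
interface FastEthernet0/2
 ip address 10.2.0.1 255.255.255.0
 ip nat outside
!
! Match only the inside subnet. A "permit any" list would also make
! unrelated or unexpected sources eligible for translation.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Each route-map matches the inside source AND the egress interface that
! routing has already selected, so only one NAT rule applies per flow.
route-map NAT-VIA-LINK1 permit 10
 match ip address 10
 match interface FastEthernet0/1
!
route-map NAT-VIA-LINK2 permit 10
 match ip address 10
 match interface FastEthernet0/2
!
! One overload (PAT) rule per outside interface. Because route-maps are
! used, entries are fully extended, so the same inside host can hold
! translations to both outside addresses at the same time.
ip nat inside source route-map NAT-VIA-LINK1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-VIA-LINK2 interface FastEthernet0/2 overload
!
! Routing still decides which link a packet uses; NAT only follows it.
! Check the result with:
!   show ip nat translations
!   show ip nat statistics
```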
