How to disallow some IPs from NAT overload

Unanswered Question
Oct 29th, 2007

ip nat pool nl_nat_pool 213.200.151.169 213.200.151.169 netmask 255.255.255.240
ip nat pool el_nat_pool 124.170.225.105 124.170.225.105 netmask 255.255.255.240
ip nat inside source route-map EL pool el_nat_pool overload
ip nat inside source route-map NL pool nl_nat_pool overload

--------------------------------------------------------------------------------

ip nat inside is applied on the internal network interface.

--------------------------------------------------------------------------------

Hello folks,

See the configuration above. We have 2 WAN interfaces and all the internal traffic is NATed here to access the internet.

My current scenario is this: I don't want some internal IPs towards a particular destination NATed here.

i.e. say we have 5 VLANs:

192.168.2.0
192.168.3.0
192.168.4.0
192.168.5.0
192.168.6.0

All are overloaded at the WAN interface. Now I want to exclude some IPs in Vlan 2 (192.168.3.0) from overloading (this is for a site-to-site VPN). Do you people have any idea about this?

Anith.

lgijssel Tue, 10/30/2007 - 00:21

The following example allows only IPs .10 and .192-.199 to be NATed for Internet access:

ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 10.70.200.10
access-list 1 permit 10.70.200.192 0.0.0.7

You may have to modify your access-lists to accommodate this but in general, this is a solution to allow or disallow NAT for certain addresses.

regards,

Leo

anith Tue, 10/30/2007 - 01:11

Thanks Leo, I closed the other links.

And, did you mean my inside access list? No access list, you know.

*****

interface FastEthernet0/0
 ip address 192.168.10.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

*****

ip access-list standard RMED_LAN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255

****

route-map NL permit 10
 description ***** To NL ******
 match ip address RMED_LAN
 match interface FastEthernet0/1/0
!
route-map EL permit 10
 description ***** To el *****
 match ip address RMED_LAN
 match interface FastEthernet0/3/0

*****

anith

lgijssel Tue, 10/30/2007 - 01:20

From what I understood of your config, you are using a route map to allow NAT. Currently, all IPs in the subnets are allowed. This can be changed as follows:

ip access-list standard RMED_LAN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.127
 permit 192.168.2.192 0.0.0.7
 permit 192.168.3.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255

With this (example) change, only 192.168.2.0-127 and 192-199 are allowed for NAT.

Leo
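Added example, not from this thread or from Cisco: a small Python model of the decision both of Leo's answers rely on, namely how a standard access-list's wildcard masks (0 bits must match, 1 bits are "don't care", first match wins, implicit deny at the end) and the NAT route-map's ANDed match clauses decide which source addresses get translated. It uses Leo's access-list 1, his modified RMED_LAN, and the NL/EL route-maps, egress interfaces and pool names from the question; the class and function names (AclEntry, NatRouteMap, acl_permits, select_nat_pool, permitted_last_octets) are my own and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS standard access-list (constructed model, not IOS code)."""
    action: str      # "permit" or "deny"
    network: str     # dotted quad, e.g. "192.168.2.192"
    wildcard: str    # dotted quad, e.g. "0.0.0.7"; a single host uses "0.0.0.0"

    def matches(self, ip: str) -> bool:
        # Wildcard mask: bits set to 0 must match the network, bits set to 1 are ignored.
        care = int(ipaddress.IPv4Address(self.wildcard)) ^ 0xFFFFFFFF
        src = int(ipaddress.IPv4Address(ip))
        net = int(ipaddress.IPv4Address(self.network))
        return (src & care) == (net & care)


def acl_permits(acl: List[AclEntry], ip: str) -> bool:
    """IOS semantics: the first matching entry decides; no match hits the implicit deny."""
    for entry in acl:
        if entry.matches(ip):
            return entry.action == "permit"
    return False


def permitted_last_octets(acl: List[AclEntry], subnet: str) -> List[int]:
    """Walk every address of a /24 and return the last octets the ACL permits (i.e. NATs)."""
    return [ip.packed[-1] for ip in ipaddress.IPv4Network(subnet) if acl_permits(acl, str(ip))]


@dataclass(frozen=True)
class NatRouteMap:
    """A 'route-map X permit 10' clause as used by 'ip nat inside source route-map X pool ...'."""
    name: str
    acl: List[AclEntry]       # the "match ip address <acl>" line
    egress_interface: str     # the "match interface <if>" line
    pool: str                 # the pool named on the ip nat inside source line


def select_nat_pool(route_maps: List[NatRouteMap], src_ip: str, egress_interface: str) -> Optional[str]:
    """Different match types in one clause are ANDed: the source must be permitted by the ACL
    AND the packet must leave via the named interface. None means no NAT rule applies and the
    packet is forwarded untranslated, which is what you want for site-to-site VPN hosts."""
    for rm in route_maps:
        if rm.egress_interface == egress_interface and acl_permits(rm.acl, src_ip):
            return rm.pool
    return None


# Leo's first example (access-list 1): only .10 and .192-.199 of 10.70.200.0/24 are NATed.
ACL_1 = [
    AclEntry("permit", "10.70.200.10", "0.0.0.0"),
    AclEntry("permit", "10.70.200.192", "0.0.0.7"),
]

# Leo's modified RMED_LAN: 192.168.2.128-191 drop out of NAT, everything else stays.
RMED_LAN_MODIFIED = [
    AclEntry("permit", "192.168.1.0", "0.0.0.255"),
    AclEntry("permit", "192.168.2.0", "0.0.0.127"),
    AclEntry("permit", "192.168.2.192", "0.0.0.7"),
    AclEntry("permit", "192.168.3.0", "0.0.0.255"),
    AclEntry("permit", "192.168.10.0", "0.0.0.255"),
    AclEntry("permit", "192.168.15.0", "0.0.0.255"),
]

# The two NAT route-maps from the question, each tied to its WAN interface and pool.
ROUTE_MAPS = [
    NatRouteMap("NL", RMED_LAN_MODIFIED, "FastEthernet0/1/0", "nl_nat_pool"),
    NatRouteMap("EL", RMED_LAN_MODIFIED, "FastEthernet0/3/0", "el_nat_pool"),
]

if __name__ == "__main__":
    octets = permitted_last_octets(RMED_LAN_MODIFIED, "192.168.2.0/24")
    print(f"{len(octets)} addresses of 192.168.2.0/24 are still NATed: "
          f".{octets[0]}-.{octets[127]} and .{octets[128]}-.{octets[-1]}")
    for src in ("192.168.2.10", "192.168.2.150", "192.168.2.195"):  # constructed sources
        print(src, "via FastEthernet0/1/0 ->", select_nat_pool(ROUTE_MAPS, src, "FastEthernet0/1/0"))
```

Running it shows 136 addresses of 192.168.2.0/24 (.0-.127 and .192-.199) still matched for NAT and .128-.191 falling through to the implicit deny, so packets from those hosts leave untranslated. One caveat for the asker's actual goal: a standard ACL can only match the source, so excluding "some IPs towards a particular destination" (the VPN peer) while still NATing their Internet traffic needs an extended ACL with a deny for the remote VPN subnet placed before the permit lines.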
