how to disallow some ips from NAT overload

Oct 29th, 2007

ip nat pool nl_nat_pool 213.200.151.169 213.200.151.169 netmask 255.255.255.240

ip nat pool el_nat_pool 124.170.225.105 124.170.225.105 netmask 255.255.255.240


ip nat inside source route-map EL pool el_nat_pool overload

ip nat inside source route-map NL pool nl_nat_pool overload

--------------------------------------------------------------------------------


ip nat inside applied on internal network interface.


--------------------------------------------------------------------------------


Hello folks,


See the configuration above: we have 2 WAN interfaces and all the internal traffic is NATed here to access the internet.


My current scenario is like this: I don't want some internal IPs towards a particular destination NATed here.


I.e., say we have 5 VLANs:


192.168.2.0

192.168.3.0

192.168.4.0

192.168.5.0

192.168.6.0


All are overloaded at the WAN interface; now I want to exclude some IPs in Vlan 2 (192.168.3.0) from overloading. (This is for a site-to-site VPN.) Do you people have any idea about this?


Anith.

lgijssel Tue, 10/30/2007 - 00:21

The following example allows only IPs .10 and .192-.199 to be NATed for Internet access:

ip nat inside source list 1 interface FastEthernet0/1 overload


access-list 1 permit 10.70.200.10

access-list 1 permit 10.70.200.192 0.0.0.7


You may have to modify your access-lists to accommodate this, but in general this is a solution to allow or disallow NAT for certain addresses.


regards,

Leo

anith Tue, 10/30/2007 - 01:11
Thanks Leo, I closed the other links.


And, did you mean my inside access list? No access list, you know.




*****

interface FastEthernet0/0

ip address 192.168.10.100 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

*****


ip access-list standard RMED_LAN

permit 192.168.1.0 0.0.0.255

permit 192.168.2.0 0.0.0.255

permit 192.168.3.0 0.0.0.255

permit 192.168.10.0 0.0.0.255

permit 192.168.15.0 0.0.0.255



****


route-map NL permit 10

description ***** To NL ******

match ip address RMED_LAN

match interface FastEthernet0/1/0

!

route-map EL permit 10

description ***** To el *****

match ip address RMED_LAN

match interface FastEthernet0/3/0


*****


anith

lgijssel Tue, 10/30/2007 - 01:20

From what I understood of your config, you are using a route map to allow NAT. Currently, all IPs in the subnets are allowed. This can be changed as follows:

ip access-list standard RMED_LAN

permit 192.168.1.0 0.0.0.255

permit 192.168.2.0 0.0.0.127

permit 192.168.2.192 0.0.0.7

permit 192.168.3.0 0.0.0.255

permit 192.168.10.0 0.0.0.255

permit 192.168.15.0 0.0.0.255


With this (example) change, only 192.168.2.0-127 and 192-199 are allowed for NAT.


Leo
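Added example, not part of the thread and not Cisco code: a small Python evaluator that applies a standard IOS access list the way the router does when a route-map's "match ip address" names it (first matching entry wins, anything unmatched hits the implicit deny and is routed without translation). It checks both ACLs from Leo's replies, the access-list 1 example and the edited RMED_LAN list, and reports which addresses of a subnet would bypass NAT. The function names, the parsed config text and the VPN host list are my own constructions; it assumes the ACL is the only condition that decides translation on a given WAN interface, which is how the route-maps above use it.

```python
# Added example (not from the thread): evaluate an IOS standard ACL the way the
# router does when a route-map "match ip address" names it: first match wins,
# and an unmatched source hits the implicit deny, so it is routed untranslated.
import ipaddress

# Constructed input: the edited RMED_LAN access list from the reply above, as config text.
RMED_LAN_ACL = """
ip access-list standard RMED_LAN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.127
 permit 192.168.2.192 0.0.0.7
 permit 192.168.3.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255
"""


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Return [(action, base_int, wildcard_int), ...] in configured order.

    Accepts the forms seen in the thread: 'permit A.B.C.D W.X.Y.Z' and
    'permit A.B.C.D' (a single host), plus 'host A.B.C.D' and 'any'.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] in ("ip", "!"):
            continue  # blank line, 'ip access-list' header, or separator
        action = parts[0]
        if action not in ("permit", "deny"):
            raise ValueError("unexpected ACL line: %s" % raw)
        if parts[1] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif parts[1] == "host":
            base, wild = parts[2], "0.0.0.0"
        elif len(parts) == 2:
            base, wild = parts[1], "0.0.0.0"  # bare address = single host
        else:
            base, wild = parts[1], parts[2]
        entries.append((action, _to_int(base), _to_int(wild)))
    return entries


def acl_action(entries, host):
    """The first matching entry decides; no match at all is the implicit deny."""
    h = _to_int(host)
    for action, base, wild in entries:
        care = (~wild) & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
        if (h & care) == (base & care):
            return action
    return "deny"


def is_translated(entries, host):
    """True if this inside source would be NATed through the route-map."""
    return acl_action(entries, host) == "permit"


def untranslated_addresses(entries, cidr):
    """Every address in the subnet that the ACL leaves out of NAT (the VPN candidates)."""
    net = ipaddress.IPv4Network(cidr)
    return [str(a) for a in net if not is_translated(entries, str(a))]


def still_translated(entries, vpn_hosts):
    """Hosts that must bypass NAT but are still permitted, i.e. the ACL edit is incomplete."""
    return [h for h in vpn_hosts if is_translated(entries, h)]


if __name__ == "__main__":
    acl = parse_standard_acl(RMED_LAN_ACL)
    for host in ("192.168.2.5", "192.168.2.130", "192.168.2.195", "192.168.2.200"):
        print(host, acl_action(acl, host))
    gap = untranslated_addresses(acl, "192.168.2.0/24")
    print(len(gap), "addresses in 192.168.2.0/24 bypass NAT:", gap[0], "...", gap[-1])
    # Constructed VPN host list: .130 is excluded as intended, .195 still falls in the .192/29 permit
    print("VPN hosts still NATed:", still_translated(acl, ["192.168.2.130", "192.168.2.195"]))
```

The useful check before committing the change is `still_translated()` run over the real list of VPN peers: any host it returns sits inside a permit range and will keep being overloaded onto the WAN address, so the wildcard ranges need another split. Running `untranslated_addresses()` over the subnet shows the reverse problem, addresses that lost Internet access as a side effect of the carve-out.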
