Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
0
Helpful
4
Replies

how to disallow some ips from NAT overload

anith
Level 1
Level 1

‎10-29-2007 11:45 PM - edited ‎03-03-2019 05:32 AM

ip nat pool nl_nat_pool 213.200.151.169 213.200.151.169 netmask 255.255.255.240

ip nat pool el_nat_pool 124.170.225.105 124.170.225.105 netmask 255.255.255.240

ip nat inside source route-map EL pool el_nat_pool overload

ip nat inside source route-map NL pool nl_nat_pool overload

--------------------------------------------------------------------------------

ip nat inside applied on internal network interface.

--------------------------------------------------------------------------------

Hello folks,

see the configuration above, we have 2 WAN interfaces and all the internal traffic nated here to access internet.

my current scenario is like. i don't want some Internal ips towards a particular destination NATed here.

i.e. say we have 5 vlans.

192.168.2.0

192.168.3.0

192.168.4.0

192.168.5.0

192.168.6.0

all are overloaded at wan interface, now i want to exclude some IPs in Vlan 2 (192.168.3.0) from overloading. (This is for a site to site VPN). Do you peoples have any idea about this.

Anith.

Labels:
0 Helpful
4 Replies 4

lgijssel
Level 9
Level 9

‎10-30-2007 12:21 AM

The following example allows only ip's .10 and .192-.199 to be natted for Internet access:

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 permit 10.70.200.10

access-list 1 permit 10.70.200.192 0.0.0.7

You may have to modify your access-lists to accomodate for this but in general, this is a solution to allow or disallow NAT for certain adresses.

regards,

Leo

0 Helpful

anith
Level 1
Level 1
In response to lgijssel

‎10-30-2007 01:11 AM

tanks leo, i closed the other links.

and, did u ment my inside acces list. no acces list u kno.

*****

interface FastEthernet0/0

ip address 192.168.10.100 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

*****

ip access-list standard RMED_LAN

permit 192.168.1.0 0.0.0.255

permit 192.168.2.0 0.0.0.255

permit 192.168.3.0 0.0.0.255

permit 192.168.10.0 0.0.0.255

permit 192.168.15.0 0.0.0.255

****

route-map NL permit 10

description ***** To NL ******

match ip address RMED_LAN

match interface FastEthernet0/1/0

!

route-map EL permit 10

description ***** To el *****

match ip address RMED_LAN

match interface FastEthernet0/3/0

*****

anith

0 Helpful

lgijssel
Level 9
Level 9
In response to anith

‎10-30-2007 01:20 AM

From what I understod of you config, you are using a route map to allow NAT. Currently, all ip's in the subnets are allowed. This can be changed as follows:

ip access-list standard RMED_LAN

permit 192.168.1.0 0.0.0.255

permit 192.168.2.0 0.0.0.127

permit 192.168.2.192 0.0.0.7

permit 192.168.3.0 0.0.0.255

permit 192.168.10.0 0.0.0.255

permit 192.168.15.0 0.0.0.255

With this (example) change, only 192.168.2.0-127 and 192-199 are allowed for NAT.

Leo

0 Helpful

anith
Level 1
Level 1
In response to lgijssel

‎10-30-2007 04:38 AM

grt its working

0 Helpful
Customers Also Viewed These Support Documents