Subinterfaces and NAT

Jesse Hottle
Level 1

Hello,

Is it possible to run NAT inside on a subinterface (int f0/0.100) and not run NAT on another subinterface (int f0/0.101)?


Jon Marshall
Hall of Fame

Hi

Wasn't 100% sure myself so I just labbed it up and yes, it works fine. As long as you just apply the "ip nat inside" statement to the subinterface only it will work.

Jon

Would it be possible to help me with the config? Maybe a post of a working config? I can't seem to get it to work.

Thanks for the response...

Jesse

Jesse

Sounds like it may be more of a NAT config issue than a subinterface one. Here is the basic config I used:

interface FastEthernet0/0
 ip address 192.168.7.2 255.255.255.252
 ip nat outside
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.9.1.1 255.255.255.240
 ip nat inside
!
interface FastEthernet0/1.41
 encapsulation dot1Q 41
 ip address 172.16.8.1 255.255.255.240
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip host 10.9.1.2 host 192.168.22.2

When you test this could you run

"debug ip nat" - that will show you what is happening with NAT and also

"sh ip nat translations".

Could you also post your config.

Jon
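An added example, not part of Jon's post or the original thread: a small Python check that reads the NAT-relevant lines of the config above and reports whether a packet would be source-translated, given its ingress subinterface and the NAT access list. The function names and the simplified matching (IP-only extended ACL entries, contiguous wildcard masks) are assumptions made for this illustration.

```python
import ipaddress
import re
# Jon's lab config from the post above, trimmed to the NAT-relevant lines.
CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1.20
 ip nat inside
interface FastEthernet0/1.41
 ip address 172.16.8.1 255.255.255.240
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip host 10.9.1.2 host 192.168.22.2
"""

def _take(words):
    """Consume one ACL address spec: 'any', 'host A' or 'A wildcard' (contiguous only)."""
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ipaddress.ip_network(words[1]), words[2:]
    bits = 32 - int(ipaddress.ip_address(words[1])).bit_length()
    return ipaddress.ip_network(f"{words[0]}/{bits}", strict=False), words[2:]

def parse(config):
    """Return (interface -> NAT role, ACL id -> entries, ACL ids used by NAT)."""
    roles, acls, nat_lists, current = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles[current] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m.group(1))
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (.+)", line):
            src, rest = _take(m.group(3).split())
            dst, _ = _take(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return roles, acls, nat_lists

def is_translated(config, in_if, out_if, src, dst):
    """True if a packet entering in_if and leaving out_if would be source-NATed."""
    roles, acls, nat_lists = parse(config)
    if roles.get(in_if) != "inside" or roles.get(out_if) != "outside":
        return False  # NAT only applies between an inside and an outside interface
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in nat_lists:  # first matching entry decides; no match is the implicit deny
        hit = next((a for a, s, d in acls.get(acl, []) if src in s and dst in d), "deny")
        if hit == "permit":
            return True
    return False
```

With the config as posted, only traffic from 10.9.1.2 to 192.168.22.2 arriving on FastEthernet0/1.20 is translated; anything arriving on FastEthernet0/1.41 is left alone whatever the access list says, because that subinterface carries no "ip nat inside".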

Hello,

I will post my config asap. I got called to a customer, but will set up this config on my lab router. Thanks for the response.

One question though... The access list, could I just match my internal nat'd subnet and do this to allow all traffic out?

"access-list 101 permit ip any any"

jesse

Jesse

Yes, you can match what you need to in your access-list.

Jon

Hello,

I am also having an issue with a VPN group on my PIX. I have an internal IP range of 192.168.0.0 /24 and when users VPN to the PIX they are getting an IP from a pool of 192.168.99.0/24. Clients that VPN can access everything on the internal network of the PIX, but I need them to be able to access network we have outside the PIX, but still on our network. Also, it with the PIX client, users are using the PIX as their gateway to the outside world.

Jesse

I meant that users that are VPN to the PIX, that are using Cisco VPN client, are NOT using the PIX as their gateway to the outside world. Internal IP addresses behind the PIX are accessible to the client (192.168.0.xxx), but if I tracert to let's say google.com the tracert goes through my internet connection at home, and not through the network PIX, which is what I need to happen.

Jesse
