How to perform simple nat on a router

Answered Question
Sep 24th, 2008

Hi


I've got an old 6500 switch with an MSF card doing the routing for the switch. On one of the vlans I'd like to set up NAT, but I'm a little uncertain about it. What I have is an internal network being routed to this switch via the wan, what I want is for any traffic destined for ip 10.10.10.0 255.255.255.0 to be natted to 10.45.12.128 255.255.255.192. What do I need to place on the vlan configuration and in the main configuration?


Thanks

Dan

Jon Marshall Wed, 09/24/2008 - 06:28

Dan


Could you explain the topology a bit more? As an example:

int vlan 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside

int vlan 20
 ip address 192.168.10.1 255.255.255.0
 ip nat outside

! pool range must sit inside the /26 set by the netmask (hosts .129-.190)
ip nat pool NATIP 10.45.12.129 10.45.12.190 netmask 255.255.255.192

ip nat inside source list 101 pool NATIP overload


The above example would NAT any traffic coming from clients on vlan 10 and destined for any hosts reachable by vlan 20 interface to an IP address from the 10.45.12.128/26 range.


You may need to use a route-map for your NAT but it is a bit unclear from your description. See attached link for more details on NAT


http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html


Edit - forgot the access-list 101 - see Satish's example for access-list.


Jon



dan_track Wed, 09/24/2008 - 07:45

Hi,


Thanks for the reply, I appreciate it. The only problem I have is that I already have nat set up on the router for vlan 10 and vlan 20. On vlan 10 I have set "ip nat inside" and on vlan 20 "ip nat outside".


If I've already configured these statements and my new vlans need the same statement, how then can I match my pool and source list against the nat directions for my new vlans, i.e. how can I create the uniqueness for these statements and their associated nat pool statements?


Hopefully I've made myself clear, if not please let me know.


Thanks

Dan

dan_track Wed, 09/24/2008 - 12:07

Hi


Just wondering if someone could help with my follow-up question!


Thanks

Dan

Jon Marshall Wed, 09/24/2008 - 12:21

Dan


I'm not sure I fully understand.


ip nat inside source list 101 pool NATIP overload


This is the line that ties them together. So you define the traffic flows, i.e. source/dst IP addresses, via an access-list and then you tie the pool to the access-list so you have uniqueness.


If I have misunderstood please come back.


Jon

dan_track Wed, 09/24/2008 - 12:41

Hi


It's probably me, but let's say I have the following:


int vlan 10
 ip nat inside

int vlan 20
 ip nat outside

int vlan 100
 ip nat inside

int vlan 200
 ip nat outside


How does nat know which "inside" statement relates to its corresponding "outside" statement?


If I have "ip nat inside" statement already and I add another one in a different vlan will the existing one be affected in any way?


Maybe it doesn't even matter and I'm looking at the wrong area and that what you mentioned about the nat pool is the real issue.


Your thoughts appreciated.


Thanks

Dan

Correct Answer
Jon Marshall Wed, 09/24/2008 - 12:47

Dan


Nat doesn't really "know" as such. You can have multiple "ip nat inside" statements and only one "ip nat outside" or any combination really.


By adding another "ip nat inside" you will not affect the existing one. The key is that all you are doing is saying any traffic coming in this interface is natted or any traffic leaving this interface is natted etc. You specify IP addresses/tcp|udp ports in the access-list.


Jon

dan_track Wed, 09/24/2008 - 12:58

Brilliant, that answered my question. Thanks for your help.


Dan

satish_zanjurne Wed, 09/24/2008 - 06:38


int vlan xx
 ip nat inside
 ip address a.b.c.x x.x.x.x

int wan
 ip nat outside
 ip address x.x.x.x x.x.x.x

ip nat inside source list 100 pool outsidepool

ip nat pool outsidepool 10.45.12.129 10.45.12.190 netmask 255.255.255.192

access-list 100 permit ip a.b.c.x x.x.x.x 10.10.10.0 0.0.0.255


where a.b.c.x is your vlan IP address range.


HTH..rate if helpful...
