09-24-2008 05:55 AM - edited 03-06-2019 01:33 AM
Hi
I've got an old 6500 switch with an MSF card doing the routing for the switch. On one of the vlans I'd like to set up NAT, but I'm a little uncertain about it. What I have is an internal network being routed to this switch via the wan; what I want is for any traffic destined for ip 10.10.10.0 255.255.255.0 to be natted to 10.45.12.128 255.255.255.192. What do I need to place on the vlan configuration and in the main configuration?
Thanks
Dan
09-24-2008 06:28 AM
Dan
Could you explain the topology a bit more? As an example:
int vlan 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
int vlan 20
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
! pool limited to the usable host addresses of 10.45.12.128/26
ip nat pool NATIP 10.45.12.129 10.45.12.190 netmask 255.255.255.192
ip nat inside source list 101 pool NATIP overload
The above example would NAT any traffic coming from clients on vlan 10 and destined for any hosts reachable by vlan 20 interface to an IP address from the 10.45.12.128/26 range.
You may need to use a route-map for your NAT but it is a bit unclear from your description. See attached link for more details on NAT.
Edit - forgot the access-list 101 - see Satish's example for access-list.
Jon
09-24-2008 07:45 AM
Hi,
Thanks for the reply, I appreciate it. The only problem I have is that I already have nat set up on the router for vlan 10 and vlan 20. On vlan 10 I have set "ip nat inside" and on vlan 20 "ip nat outside".
If I've already configured these statements and my new vlans need the same statement, how then can I match my pool, source list against the nat directions for my new vlans, i.e. how can I create the uniqueness for these statements and their associated nat pool statements?
Hopefully I've made myself clear, if not please let me know.
Thanks
Dan
09-24-2008 12:07 PM
Hi
Just wondering if someone could help with my follow up question!
Thanks
Dan
09-24-2008 12:21 PM
Dan
I'm not sure I fully understand.
ip nat inside source list 101 pool NATIP overload
This is the line that ties them together. So you define the traffic flows, i.e. source/dst IP addresses, via an access-list and then you tie the pool to the access-list so you have uniqueness.
If I have misunderstood please come back.
Jon
09-24-2008 12:41 PM
Hi
It's probably me, but let's say I have the following:
vlan 10
ip nat inside
vlan 20
ip nat outside
vlan 100
ip nat inside
vlan 200
ip nat outside
How does nat know which "inside" statement relates to its corresponding "outside" statement?
If I have "ip nat inside" statement already and I add another one in a different vlan will the existing one be affected in any way?
Maybe it doesn't even matter and I'm looking at the wrong area and that what you mentioned about the nat pool is the real issue.
Your thoughts appreciated.
Thanks
Dan
09-24-2008 12:47 PM
Dan
Nat doesn't really "know" as such. You can have multiple "ip nat inside" statements and only one "ip nat outside" or any combination really.
By adding another "ip nat inside" you will not affect the existing one. The key is that all you are doing is saying any traffic coming in this interface is natted or any traffic leaving this interface is natted etc. You specify IP addresses/tcp|udp ports in the access-list.
Jon
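An added example, not part of the original thread: two independent NAT rules on one router, showing that the access-list and pool on each "ip nat inside source" line keep them apart, not the interface statements. The VLAN 100/200 addresses, the NATIP2 pool, ACL 102 and the route-map name are assumptions made up for illustration, and the route-map form assumes the platform's IOS supports "match interface" for NAT.

```cisco
! Constructed example. Only VLAN 10/20 and the NATIP pool come from the thread.
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
interface Vlan20
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip nat outside
!
! One pool per rule. NATIP2 uses a documentation range as a placeholder.
ip nat pool NATIP 10.45.12.129 10.45.12.190 netmask 255.255.255.192
ip nat pool NATIP2 198.51.100.1 198.51.100.62 netmask 255.255.255.192
!
! Rule 1: only VLAN 10 sources going to 10.10.10.0/24 match ACL 101.
! Nothing else entering Vlan10 is translated by this rule.
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
ip nat inside source list 101 pool NATIP overload
!
! Rule 2: VLAN 100 sources, and only when routing sends them out Vlan200.
! The route-map adds the egress interface to the match, which a plain
! "list" rule cannot express.
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
route-map NAT-VLAN200 permit 10
 match ip address 102
 match interface Vlan200
ip nat inside source route-map NAT-VLAN200 pool NATIP2 overload
```

"show ip nat translations" and "show ip nat statistics" confirm which pool each flow was translated from.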
09-24-2008 12:58 PM
Brilliant, that answered my question. Thanks for your help.
Dan
09-24-2008 06:38 AM
int vlan xx
 ip nat inside
 ip address a.b.c.x x.x.x.x
int wan
 ip nat outside
 ip address x.x.x.x x.x.x.x
! define the pool and the access-list, then tie them together
ip nat pool outsidepool 10.45.12.129 10.45.12.190 netmask 255.255.255.192
access-list 100 permit ip a.b.c.x x.x.x.x 10.10.10.0 0.0.0.255
ip nat inside source list 100 pool outsidepool
where,
a.b.c.x is your vlan IP address range.
HTH..rate if helpful...