NAT Interfaces

Unanswered Question
Jun 10th, 2009

Can you use a L3/SVI vlan interface as a NAT inside or NAT outside interface?

Someone said their NATing did not work until they migrated from an SVI for the NAT outside interface to a physical interface.

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.9 (5 ratings)
Loading.
yuribank415 Wed, 06/10/2009 - 14:00

I know you can use dot1q tagged sub-interfaces for the inside. Not sure about outside, or if it can be done with SVIs.

Giuseppe Larosa Wed, 06/10/2009 - 14:11

Hello Victor,

C6500 supports NAT (it is the only multilayer switch) and supports it on SVIs as well as routed interfaces.

All other multilayer switches don't support NAT.

some small routers like c877 support only SVI L3 interfaces and again ip nat commands are applied to them.

My understanding is that you need a L3 interface to apply the command

ip nat inside|outside.

But I realize that you are probably wondering about ISR routers with etherswitch modules!

Searching on cco for me is very very slow tonight.

Hope to help

Giuseppe

lamav Wed, 06/10/2009 - 14:55

Giuseppe:

"But I realize that you are probably wondering about ISR routers with etherswitch modules!"

LOLOLOL!! BINGO! Awesome, dude! That is exactly what I am wondering. This guy is using a 2811 with the ethernet NM.

I was surprised when he said that his NAT worked when he migrated the "ip nat outside" command to a physical interface from an SVI.

Let me know when you find out...lol

Thanks

Victor

Jon Marshall Wed, 06/10/2009 - 14:25

Hey Victor

From my experience on 6500 the answer is yes - SVI is just another L3 interface as far as NAT is concerned.

Jon

lamav Wed, 06/10/2009 - 14:57

Hey, Jon:

I should have been more precise. As Giuseppe guessed (damn, hes good! lol), I was taking about the ISR routers wih the NM modules that allow you to configure SVIs. Thats what the client was using.

Victor

Jon Marshall Wed, 06/10/2009 - 15:00

Victor

Yep Giuseppe is one of the best !

Q. Is it possible to apply NAT on a switch virtual interface (SVI) for Cisco® Integrated Services Routers?

A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.

Full link -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Jon

lamav Wed, 06/10/2009 - 17:13

Hey, guys:

I got this from the client. His English is difficult to understand when he speaks, but his writing is OK.

By the way, Im assuming, since he said his NATing works now, that he has left out extraneous ip address configs, etc, and is just presenting the NAT portion.

"Here is my config for the nat:

Int vlan22

Ip nat inside

Int gi0/3/0

Ip nat outside

Ip nat inside source static 10.41.207.231 64.13.49.55

I want to restrict access to 10.41.207.231 via 64.13.49.55 by only allowing subnet 206.173.47.0/24"

From what I gather, he is asking about a simple security ACL that would look like this:

access-list 110 permit ip 206.173.47.0 0.0.0.25 host 64.13.49.55

int gi0/3/0

ip access-group 110 in

Since ACL processing is the first thing that would be done on either a NAT inside or NAT outside interface, the destination host should be the NAT'ed (global outside) address. Seems pretty straightforward.

Are you reading his question differently?

Victor

Edison Ortiz Wed, 06/10/2009 - 18:15

Victor,

The ACL will need more ACEs, for instance:

access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55

access-list 110 deny ip any host 64.13.49.55

access-list 110 permit ip any any

You don't want to block the rest of the traffic with the implicit deny all.

Yes, I'm reading the question the same way you are.

lamav Wed, 06/10/2009 - 18:44

Good point, I have to make sure I am reading him right with regard to which traffic he wants to deny. From his request, it seems like he wants to deny everything, except for that one 206 network, heading to that one server. In other words, I think that the router is servicing that one connection to his server and thats it. Thats why I left the implicit deny all intact. But I may be wrong.

Thanks, Edison

By the way, long time...life OK? I was at 1 Penn the other day and was tempted to look you up at the Cisco office but I didnt want to intrude....

Edison Ortiz Wed, 06/10/2009 - 18:59

Yes, life is good - thanks for asking. Hoping your life is good too :)

I rarely go to One Penn. I spend most of my time at customer sites.

Jon Marshall Thu, 06/11/2009 - 02:38

Victor

Apologies for being a bit slow on the uptake. The etherswitch modules are based on the 3750's so no you won't be able to do NAT on an SVI because you can't on the 3750 switch.

Jon

lamav Thu, 06/11/2009 - 05:58

That makes sense....but his configuration does work when he uses the vlan interface as the NAT inside. He is using a physical interface as the NAT outside.

No worries about being "slow". I appreciate all your time, always.

Thanks

Actions

This Discussion