NAT Interfaces

Unanswered Question
Jun 10th, 2009

Can you use a L3/SVI vlan interface as a NAT inside or NAT outside interface?


Someone said their NATing did not work until they migrated from an SVI for the NAT outside interface to a physical interface.


Thanks

yuribank415 Wed, 06/10/2009 - 14:00
I know you can use dot1q tagged sub-interfaces for the inside. Not sure about outside, or if it can be done with SVIs.



Giuseppe Larosa Wed, 06/10/2009 - 14:11
Hello Victor,

C6500 supports NAT (it is the only multilayer switch) and supports it on SVIs as well as routed interfaces.


All other multilayer switches don't support NAT.


Some small routers like the c877 support only SVI L3 interfaces, and again the ip nat commands are applied to them.


My understanding is that you need a L3 interface to apply the command

ip nat inside|outside.


But I realize that you are probably wondering about ISR routers with etherswitch modules!


Searching on CCO is very very slow for me tonight.



Hope to help

Giuseppe


lamav Wed, 06/10/2009 - 14:55

Giuseppe:


"But I realize that you are probably wondering about ISR routers with etherswitch modules!"


LOLOLOL!! BINGO! Awesome, dude! That is exactly what I am wondering. This guy is using a 2811 with the ethernet NM.


I was surprised when he said that his NAT worked when he migrated the "ip nat outside" command to a physical interface from an SVI.


Let me know when you find out...lol


Thanks


Victor



Jon Marshall Wed, 06/10/2009 - 14:25
Hey Victor


From my experience on 6500 the answer is yes - SVI is just another L3 interface as far as NAT is concerned.


Jon

lamav Wed, 06/10/2009 - 14:57

Hey, Jon:


I should have been more precise. As Giuseppe guessed (damn, he's good! lol), I was talking about the ISR routers with the NM modules that allow you to configure SVIs. That's what the client was using.


Victor

Jon Marshall Wed, 06/10/2009 - 15:00
Victor


Yep Giuseppe is one of the best !


Q. Is it possible to apply NAT on a switch virtual interface (SVI) for Cisco® Integrated Services Routers?


A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.


Full link -


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml


Jon

lamav Wed, 06/10/2009 - 17:13

Hey, guys:


I got this from the client. His English is difficult to understand when he speaks, but his writing is OK.


By the way, I'm assuming, since he said his NATing works now, that he has left out extraneous ip address configs, etc., and is just presenting the NAT portion.


"Here is my config for the nat:


int vlan22

ip nat inside


int gi0/3/0

ip nat outside


ip nat inside source static 10.41.207.231 64.13.49.55


I want to restrict access to 10.41.207.231 via 64.13.49.55 by only allowing subnet 206.173.47.0/24"


From what I gather, he is asking about a simple security ACL that would look like this:


access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55


int gi0/3/0

ip access-group 110 in


Since ACL processing is the first thing that would be done on either a NAT inside or NAT outside interface, the destination host should be the NAT'ed (global outside) address. Seems pretty straightforward.


Are you reading his question differently?


Victor


Edison Ortiz Wed, 06/10/2009 - 18:15

Victor,


The ACL will need more ACEs, for instance:


access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55

access-list 110 deny ip any host 64.13.49.55

access-list 110 permit ip any any


You don't want to block the rest of the traffic with the implicit deny all.



Yes, I'm reading the question the same way you are.
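To make the difference between Victor's one-line ACL and Edison's three-ACE version concrete, here is a small simulator of IOS ACL evaluation (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care"). It is an added example, not anything posted in this thread; the "other" source and destination addresses it tests with are constructed, and it also shows what the original 0.0.0.25 wildcard typo would have matched.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (n & care)

def _addr_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip <src> <dst>' (ip only, as in the thread)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, pos = _addr_spec(tok, 4)
    dst, _ = _addr_spec(tok, pos)
    return tok[2], src, dst

def evaluate(acl_lines, src: str, dst: str) -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for line in acl_lines:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL

# Victor's single ACE: only the 206 network may reach the global address
VICTOR_ACL = ["access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55"]
# Edison's version: same restriction, but everything else still passes
EDISON_ACL = [
    "access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55",
    "access-list 110 deny ip any host 64.13.49.55",
    "access-list 110 permit ip any any",
]
# The wildcard typo from the first draft (0.0.0.25 instead of 0.0.0.255)
TYPO_ACL = ["access-list 110 permit ip 206.173.47.0 0.0.0.25 host 64.13.49.55"]
```

With the one-line ACL, a constructed packet from 198.51.100.7 to another global host such as 64.13.49.60 is dropped by the implicit deny; with Edison's ACL it is permitted while 64.13.49.55 stays restricted.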



lamav Wed, 06/10/2009 - 18:44

Good point, I have to make sure I am reading him right with regard to which traffic he wants to deny. From his request, it seems like he wants to deny everything, except for that one 206 network, heading to that one server. In other words, I think that the router is servicing that one connection to his server and that's it. That's why I left the implicit deny all intact. But I may be wrong.


Thanks, Edison


By the way, long time...life OK? I was at 1 Penn the other day and was tempted to look you up at the Cisco office but I didn't want to intrude....

Edison Ortiz Wed, 06/10/2009 - 18:59

Yes, life is good - thanks for asking. Hoping your life is good too :)


I rarely go to One Penn. I spend most of my time at customer sites.



Jon Marshall Thu, 06/11/2009 - 02:38
Victor


Apologies for being a bit slow on the uptake. The etherswitch modules are based on the 3750s, so no, you won't be able to do NAT on an SVI because you can't on the 3750 switch.


Jon

lamav Thu, 06/11/2009 - 05:58

That makes sense....but his configuration does work when he uses the vlan interface as the NAT inside. He is using a physical interface as the NAT outside.


No worries about being "slow". I appreciate all your time, always.


Thanks
