06-10-2009 01:52 PM - edited 03-06-2019 06:11 AM
Can you use a L3/SVI vlan interface as a NAT inside or NAT outside interface?
Someone said their NATing did not work until they migrated from an SVI for the NAT outside interface to a physical interface.
Thanks
06-10-2009 02:00 PM
I know you can use dot1q tagged sub-interfaces for the inside. Not sure about outside, or if it can be done with SVIs.
06-10-2009 02:11 PM
Hello Victor,
C6500 supports NAT (it is the only multilayer switch) and supports it on SVIs as well as routed interfaces.
All other multilayer switches don't support NAT.
Some small routers like the c877 support only SVI L3 interfaces, and again the ip nat commands are applied to them.
My understanding is that you need a L3 interface to apply the command
ip nat inside|outside.
But I realize that you are probably wondering about ISR routers with etherswitch modules!
Searching on cco for me is very very slow tonight.
Hope to help
Giuseppe
06-10-2009 02:55 PM
Giuseppe:
"But I realize that you are probably wondering about ISR routers with etherswitch modules!"
LOLOLOL!! BINGO! Awesome, dude! That is exactly what I am wondering. This guy is using a 2811 with the ethernet NM.
I was surprised when he said that his NAT worked when he migrated the "ip nat outside" command to a physical interface from an SVI.
Let me know when you find out...lol
Thanks
Victor
06-10-2009 02:25 PM
Hey Victor
From my experience on 6500 the answer is yes - SVI is just another L3 interface as far as NAT is concerned.
Jon
06-10-2009 02:57 PM
Hey, Jon:
I should have been more precise. As Giuseppe guessed (damn, he's good! lol), I was talking about the ISR routers with the NM modules that allow you to configure SVIs. That's what the client was using.
Victor
06-10-2009 03:00 PM
Victor
Yep, Giuseppe is one of the best!
Q. Is it possible to apply NAT on a switch virtual interface (SVI) for Cisco® Integrated Services Routers?
A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.
Full link -
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
Jon
06-10-2009 05:13 PM
Hey, guys:
I got this from the client. His English is difficult to understand when he speaks, but his writing is OK.
By the way, I'm assuming, since he said his NATing works now, that he has left out extraneous ip address configs, etc., and is just presenting the NAT portion.
"Here is my config for the nat:
int vlan22
ip nat inside
int gi0/3/0
ip nat outside
ip nat inside source static 10.41.207.231 64.13.49.55
I want to restrict access to 10.41.207.231 via 64.13.49.55 by only allowing subnet 206.173.47.0/24"
From what I gather, he is asking about a simple security ACL that would look like this:
access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55
int gi0/3/0
ip access-group 110 in
Since ACL processing is the first thing that would be done on either a NAT inside or NAT outside interface, the destination host should be the NAT'ed (global outside) address. Seems pretty straightforward.
Are you reading his question differently?
Victor
06-10-2009 06:15 PM
Victor,
The ACL will need more ACEs, for instance:
access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55
access-list 110 deny ip any host 64.13.49.55
access-list 110 permit ip any any
You don't want to block the rest of the traffic with the implicit deny all.
Yes, I'm reading the question the same way you are.
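As an added illustration (not part of this thread and not Cisco IOS code), the following Python model evaluates the two ACLs posted above with IOS semantics: Cisco wildcard masks, first-match ordering, the implicit deny at the end, and the inbound-ACL-before-NAT ordering Victor describes for the outside interface. The static translation 64.13.49.55 to 10.41.207.231 is the one from the client's config; the packet source addresses 206.173.47.10 and 198.51.100.7 are constructed for the example.

```python
import ipaddress

# The two ACLs discussed in the thread, as posted (Victor's relies on the
# implicit deny; Edison's adds an explicit deny for the server plus permit any any).
VICTOR_ACL_TEXT = [
    "access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55",
]
EDISON_ACL_TEXT = [
    "access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55",
    "access-list 110 deny ip any host 64.13.49.55",
    "access-list 110 permit ip any any",
]

# Static NAT from the client's "ip nat inside source static" line:
# inside global (outside-facing) address -> inside local address.
STATIC_NAT = {"64.13.49.55": "10.41.207.231"}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_spec(tokens, i):
    """Parse one address spec ('any', 'host X', or 'X WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Turn 'access-list N action proto src dst' lines into ACE tuples."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = parse_spec(t, 4)
        dst, _ = parse_spec(t, i)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src, dst, proto="ip"):
    """First-match evaluation; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, aproto, (sn, sw), (dn, dw) in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def inbound_on_outside(aces, src, dst):
    """Packet arriving on the 'ip nat outside' interface with an inbound ACL.

    The inbound ACL is checked before outside-to-inside NAT, so it sees the
    untranslated (inside global) destination; only then is the static entry
    applied to reach the inside local host.
    """
    if evaluate(aces, src, dst) != "permit":
        return ("dropped", dst)
    return ("forwarded", STATIC_NAT.get(dst, dst))


VICTOR_ACL = parse_acl(VICTOR_ACL_TEXT)
EDISON_ACL = parse_acl(EDISON_ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample packets arriving on gi0/3/0.
    packets = [
        ("206.173.47.10", "64.13.49.55"),  # allowed network -> the published server
        ("198.51.100.7", "64.13.49.55"),   # other source -> the published server
        ("198.51.100.7", "64.13.49.56"),   # other source -> some other destination
    ]
    for src, dst in packets:
        print(src, "->", dst,
              "| Victor:", inbound_on_outside(VICTOR_ACL, src, dst),
              "| Edison:", inbound_on_outside(EDISON_ACL, src, dst))
```

Running the block shows the difference the thread turns on: both ACLs permit 206.173.47.0/24 to the server and deny everyone else to it, but only Edison's version lets traffic to other destinations through that interface; with Victor's single ACE the implicit deny drops it.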
06-10-2009 06:44 PM
Good point, I have to make sure I am reading him right with regard to which traffic he wants to deny. From his request, it seems like he wants to deny everything, except for that one 206 network, heading to that one server. In other words, I think that the router is servicing that one connection to his server and that's it. That's why I left the implicit deny all intact. But I may be wrong.
Thanks, Edison
By the way, long time...life OK? I was at 1 Penn the other day and was tempted to look you up at the Cisco office but I didn't want to intrude....
06-10-2009 06:59 PM
Yes, life is good - thanks for asking. Hoping your life is good too :)
I rarely go to One Penn. I spend most of my time at customer sites.
06-11-2009 02:38 AM
Victor
Apologies for being a bit slow on the uptake. The etherswitch modules are based on the 3750s, so no, you won't be able to do NAT on an SVI because you can't on the 3750 switch.
Jon
06-11-2009 05:58 AM
That makes sense....but his configuration does work when he uses the vlan interface as the NAT inside. He is using a physical interface as the NAT outside.
No worries about being "slow". I appreciate all your time, always.
Thanks