How to NAT on switch

Unanswered Question
Mar 24th, 2010

Hi,

Currently I've got a static source nat setup i.e

ip nat inside source static 10.4.81.32 10.1.51.125

This ip 10.1.51.125/29 is an hsrp address.

what I'd like to do is create a nat rule that will convert all 10.4.x.x addresses to the hsrp address and the local interface address. If we can't do the interface address then just to the hsrp address will be fine. I understand I will need a pool statement but I'm not sure how to do it. Can someone please guide me on how to do this?

Thanks in advance.

Dan

Jon Marshall Wed, 03/24/2010 - 10:05

Dan

What device do you have that NAT statement on, is it a 6500 switch?

If it isn't then be aware only the 6500 switch supports NAT.

Jon

dan_track Wed, 03/24/2010 - 15:06

Hi Jon,

You're spot on with that it's a 6509 switch.

Thanks

Dan

dan_track Thu, 03/25/2010 - 03:08

Thanks for that. So would my current configuration work?

wr mem

conf t

access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.4.180.0 0.0.255.255

ip nat pool nat-pool 10.10.51.124 10.10.51.124 netmask 255.255.255.252
ip nat inside source list 30 pool nat-pool

exit

One concern I have is what the "255.255.255.252" means in the pool statement.

Thanks

Dan

Jon Marshall Thu, 03/25/2010 - 03:32

Dan

Is the 10.10.51.124 an interface address ? If so you don't need to bother with a NAT pool ie.

ip nat inside source list 30 interface overload

Jon

dan_track Thu, 03/25/2010 - 03:43

Hi Jon,

Thanks, yes the 10.10.51.124 is an interface address.

Thanks for the tip so my new config on both 6500 switches will be:

wr mem

conf t

access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.5.180.0 0.0.255.255


ip nat inside source list 30 interface vlan 251 overload

exit

Is that right?

Thanks

Dan

Jon Marshall Thu, 03/25/2010 - 03:49

Dan

access-list 30 needs the "permit" keyword ie.

access-list 30 permit 10.4.80.0 0.0.0.255

etc...

Personally I always use an extended acl in NAT statements, but yours should work fine. Note if you wanted to do policy NAT, ie. only NAT the addresses if they are going to a certain destination IP, then you would need to use an extended acl.

Jon

dan_track Thu, 03/25/2010 - 04:26

Thanks Jon,

It's been very enlightening. Here's my update to this; please can you advise if it's ok:

wr mem

conf t

access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.29
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.30

ip nat inside source list 30 interface vlan 251 overload

exit

Would the above work, also I read when creating access lists for nat always use the keyword "ip" never use protocols, is that right?

Thanks

Dan

Jon Marshall Thu, 03/25/2010 - 06:12

Dan

Your acl would now NAT those source IPs only if they were going to destination IP 10.30.70.29 or 10.30.70.30 - is that correct?

You need to change your acl number to be in the 100 - 199 range because it is extended.

Apart from that, yes, it should work fine. As for using IP rather than TCP/UDP ports, never really done it to be honest so can't say for sure. Perhaps I'll lab it up later on.

Jon

dan_track Thu, 03/25/2010 - 07:58

Thanks Jon,

Could you please clarify your nat statement as I don't understand it. According to my perspective when an ip e.g. 10.4.81.32 tries to connect to 10.30.70.29 or 10.30.70.30 the connection will be natted to the vlan 251 interface which is configured with the ip 10.10.51.124 and 10.10.51.126 depending on which switch you are on.

However if the ip 10.4.81.32 connects to any other ip going out of vlan 251 the connection will not be natted.

Am I right?

Thanks

Dan

Jon Marshall Thu, 03/25/2010 - 10:42

Dan

According to my perspective when an ip e.g. 10.4.81.32 tries to connect to 10.30.70.29 or 10.30.70.30 the connection will be natted to the vlan 251 interface which is configured with the ip 10.10.51.124 and 10.10.51.126 depending on which switch you are on.

However if the ip 10.4.81.32 connects to any other ip going out of vlan 251 the connection will not be natted.

Am I right?

Exactly.

Jon

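The policy-NAT behaviour Jon confirms in his last reply, together with his two earlier corrections (the missing "permit" keyword and the 100-199 number range for extended lists), as an added example that is not part of the thread and not Cisco's code: a small Python model of how IOS evaluates a numbered access-list against a packet's source and destination and what "ip nat inside source list ... interface vlan 251 overload" then does to the source address. The 10.4.x.x/10.5.x.x subnets and the 10.30.70.29/.30 hosts are Dan's; the ACL number 130, the VLAN 251 address 10.10.51.124 and the sample packets are assumptions made for the illustration.

```python
# Added example, not code from the thread: a model of how IOS evaluates a numbered
# NAT access-list against a packet and what `interface vlan 251 overload` then does
# to the source. Assumed for illustration: ACL number 130, the VLAN 251 address
# 10.10.51.124 and the sample packets; the subnets and hosts are Dan's.
import ipaddress

STANDARD = ((1, 99), (1300, 1999))     # IOS numbered standard ACL ranges
EXTENDED = ((100, 199), (2000, 2699))  # IOS numbered extended ACL ranges
ANY = ("0.0.0.0", "255.255.255.255")

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _in(number, ranges):
    return any(lo <= number <= hi for lo, hi in ranges)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    keep = ~_ip(wildcard)
    return (_ip(addr) & keep) == (_ip(base) & keep)

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tokens and tokens[0] == "any":
        return ANY + (tokens[1:],)
    if len(tokens) >= 2 and tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) >= 2:
        return tokens[0], tokens[1], tokens[2:]
    raise ValueError(f"address and wildcard expected, got {tokens}")

def parse_ace(line):
    """Parse one `access-list N ...` line into (action, src, src_wild, dst, dst_wild)."""
    t = line.split()
    if len(t) < 3 or t[0] != "access-list" or not t[1].isdigit():
        raise ValueError(f"not a numbered access-list entry: {line!r}")
    number, t = int(t[1]), t[2:]
    extended = _in(number, EXTENDED)
    if t[0] == "extended":   # ASA-style keyword; IOS numbered ACLs omit it
        if not extended:
            raise ValueError(f"ACL {number}: extended entries need 100-199 or 2000-2699")
        t = t[1:]
    elif not extended and not _in(number, STANDARD):
        raise ValueError(f"ACL {number}: standard entries need 1-99 or 1300-1999")
    if not t or t[0] not in ("permit", "deny"):
        raise ValueError(f"ACL {number}: missing 'permit' or 'deny' in {line!r}")
    action, t = t[0], t[1:]
    if not extended:         # standard ACL: source only, any destination
        src, src_wild, _ = _addr_spec(t)
        return (action, src, src_wild) + ANY
    if not t or t[0] != "ip":
        raise ValueError(f"ACL {number}: only protocol 'ip' is modelled here")
    src, src_wild, t = _addr_spec(t[1:])
    dst, dst_wild, _ = _addr_spec(t)
    return (action, src, src_wild, dst, dst_wild)

def config_error(line):
    """Return why an ACL line is rejected, or None if it is accepted."""
    try:
        parse_ace(line)
    except ValueError as err:
        return str(err)
    return None

def acl_permits(aces, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wild, d, d_wild in aces:
        if wildcard_match(src, s, s_wild) and wildcard_match(dst, d, d_wild):
            return action == "permit"
    return False

def nat_overload(aces, iface_addr, src, dst):
    """`ip nat inside source list N interface X overload`: a permitted packet leaves
    with the interface address as its source (PAT keeps sessions apart by port);
    anything the list does not permit is routed untranslated."""
    return iface_addr if acl_permits(aces, src, dst) else src

# Constructed sample: Dan's extended list renumbered into the 100-199 range.
POLICY_NAT_ACL = [parse_ace(ln) for ln in """
access-list 130 permit ip 10.4.80.0 0.0.0.255 host 10.30.70.29
access-list 130 permit ip 10.4.80.0 0.0.0.255 host 10.30.70.30
access-list 130 permit ip 10.4.81.0 0.0.0.255 host 10.30.70.29
access-list 130 permit ip 10.4.81.0 0.0.0.255 host 10.30.70.30
access-list 130 permit ip 10.5.180.0 0.0.255.255 host 10.30.70.29
access-list 130 permit ip 10.5.180.0 0.0.255.255 host 10.30.70.30
""".splitlines() if ln.strip()]
VLAN251 = "10.10.51.124"  # assumed VLAN 251 address on one of the two 6500s

if __name__ == "__main__":
    for dst in ("10.30.70.29", "10.30.70.50"):
        print("10.4.81.32 ->", dst, "leaves as", nat_overload(POLICY_NAT_ACL, VLAN251, "10.4.81.32", dst))
    # 0.0.255.255 keeps only two octets: 10.5.180.0 0.0.255.255 is all of 10.5.0.0/16
    print(wildcard_match("10.5.1.1", "10.5.180.0", "0.0.255.255"))
    print(config_error("access-list 30 10.4.80.0 0.0.0.255"))
```

Three things the model makes visible that the thread only touches on. First, the "extended" keyword Dan typed belongs to ASA named access-lists; on IOS a numbered extended entry is simply "access-list 130 permit ip ...", so the parser tolerates the keyword but still enforces Jon's number-range rule. Second, a wildcard of 0.0.255.255 ignores the last two octets, so "10.5.180.0 0.0.255.255" permits every 10.5.x.x source, not just 10.5.180.0/24; if only that /24 was intended, the wildcard should be 0.0.0.255 like the other entries. Third, the translation rule is only consulted on traffic crossing from an interface marked "ip nat inside" to one marked "ip nat outside" (here the 10.4.x.x-facing VLAN interfaces and interface vlan 251 respectively); those two interface commands do not appear anywhere in the thread's configs and are required for any of this to take effect.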