03-24-2010 09:16 AM - edited 03-06-2019 10:17 AM
Hi,
Currently I've got a static source nat setup i.e
ip nat inside source static 10.4.81.32 10.1.51.125
This ip 10.1.51.125/29 is an hsrp address.
What I'd like to do is create a NAT rule that will convert all 10.4.x.x addresses to the HSRP address and the local interface address. If we can't do the interface address then just to the HSRP address will be fine. I understand I will need a pool statement but I'm not sure how to do it. Can someone please guide me on how to do this?
Thanks in advance.
Dan
03-24-2010 10:05 AM
dan_track wrote:
Hi,
Currently I've got a static source nat setup i.e
ip nat inside source static 10.4.81.32 10.1.51.125
This ip 10.1.51.125/29 is an hsrp address.
What I'd like to do is create a NAT rule that will convert all 10.4.x.x addresses to the HSRP address and the local interface address. If we can't do the interface address then just to the HSRP address will be fine. I understand I will need a pool statement but I'm not sure how to do it. Can someone please guide me on how to do this?
Thanks in advance.
Dan
Dan
What device do you have that NAT statement on, is it a 6500 switch?
If it isn't then be aware only the 6500 switch supports NAT.
Jon
03-24-2010 03:06 PM
Hi Jon,
You're spot on with that it's a 6509 switch.
Thanks
Dan
03-24-2010 10:29 PM
Hello Dan
There is an old post with a similar requirement pls refer to it
03-25-2010 03:08 AM
Thanks for that. So would my current configuration work?
wr mem
conf t
access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.4.180.0 0.0.255.255
ip nat pool nat-pool 10.10.51.124 10.10.51.124 255.255.255.252
ip nat inside source list 30 pool nat-pool
exit
One concern I have is what the "255.255.255.252" means in the pool statement.
Thanks
Dan
03-25-2010 03:32 AM
dan_track wrote:
Thanks for that. So would my current configuration work?
wr mem
conf t
access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.4.180.0 0.0.255.255
ip nat pool nat-pool 10.10.51.124 10.10.51.124 255.255.255.252
ip nat inside source list 30 pool nat-pool
exit
One concern I have is what the "255.255.255.252" means in the pool statement.
Thanks
Dan
Dan
Is the 10.10.51.124 an interface address? If so you don't need to bother with a NAT pool, ie.
ip nat inside source list 30 interface
Jon
03-25-2010 03:43 AM
Hi Jon,
Thanks, yes the 10.10.51.124 is an interface address.
Thanks for the tip so my new config on both 6500 switches will be:
wr mem
conf t
access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.5.180.0 0.0.255.255
ip nat inside source list 30 interface vlan 251 overload
exit
Is that right?
Thanks
Dan
03-25-2010 03:49 AM
dan_track wrote:
Hi Jon,
Thanks, yes the 10.10.51.124 is an interface address.
Thanks for the tip so my new config on both 6500 switches will be:
wr mem
conf t
access-list 30 10.4.80.0 0.0.0.255
access-list 30 10.4.81.0 0.0.0.255
access-list 30 10.5.180.0 0.0.255.255
ip nat inside source list 30 interface vlan 251 overload
exit
Is that right?
Thanks
Dan
Dan
access-list 30 needs the "permit" keyword ie.
access-list 30 permit 10.4.80.0 0.0.0.255
etc...
Personally I always use an extended ACL in NAT statements, but yours should work fine. Note that if you wanted to do policy NAT, ie. only NAT the addresses if they are going to a certain destination IP, then you would need to use an extended ACL.
Jon
03-25-2010 04:26 AM
Thanks Jon,
It's been very enlightening. Here's my update to this, please can you advise if it's ok:
wr mem
conf t
access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.29
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.30
ip nat inside source list 30 interface vlan 251 overload
exit
Would the above work? Also, I read that when creating access lists for NAT you should always use the keyword "ip" and never use protocols, is that right?
Thanks
Dan
03-25-2010 06:12 AM
dan_track wrote:
Thanks Jon,
It's been very enlightening. Here's my update to this, please can you advise if it's ok:
wr mem
conf t
access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.80.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.29
access-list 30 extended permit ip 10.4.81.0 0.0.0.255 host 10.30.70.30
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.29
access-list 30 extended permit ip 10.5.180.0 0.0.255.255 host 10.30.70.30
ip nat inside source list 30 interface vlan 251 overload
exit
Would the above work? Also, I read that when creating access lists for NAT you should always use the keyword "ip" and never use protocols, is that right?
Thanks
Dan
Dan
Your ACL would now NAT those source IPs only if they were going to destination IP 10.30.70.29 or 10.30.70.30 - is that correct?
You need to change your ACL number to be in the 100 - 199 range because it is extended.
Apart from that, yes, it should work fine. As for using IP rather than TCP/UDP ports, I've never really done it to be honest so can't say for sure. Perhaps I'll lab it up later on.
Jon
03-25-2010 07:58 AM
Thanks Jon,
Could you please clarify your NAT statement as I don't understand it. From my perspective, when an IP e.g. 10.4.81.32 tries to connect to 10.30.70.29 or 10.30.70.30 the connection will be NATted to the vlan 251 interface, which is configured with the IP 10.10.51.124 or 10.10.51.126 depending on which switch you are on.
However, if the IP 10.4.81.32 connects to any other IP going out of vlan 251 the connection will not be NATted.
Am I right?
Thanks
Dan
03-25-2010 10:42 AM
Dan
From my perspective, when an IP e.g. 10.4.81.32 tries to connect to 10.30.70.29 or 10.30.70.30 the connection will be NATted to the vlan 251 interface, which is configured with the IP 10.10.51.124 or 10.10.51.126 depending on which switch you are on.
However, if the IP 10.4.81.32 connects to any other IP going out of vlan 251 the connection will not be NATted.
Am I right?
Exactly.
Jon
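The exchange above hinges on two things that are easy to get backwards when writing a NAT source list: how a Cisco wildcard mask decides which bits must match, and the difference between a standard (source-only) list and an extended (source-and-destination) list for policy NAT. The following is an added example, not part of the thread and not Cisco code; it models the match logic in Python using the addresses from the posts, with the extended list renumbered to 100 as Jon advised. It also shows what a wildcard actually covers: `10.5.180.0 0.0.255.255` matches every 10.5.x.x source, not just 10.5.180.x.

```python
"""Model of how a Cisco 'ip nat inside source list <n> ...' statement decides
whether a flow is translated (added example; not IOS code, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'this bit must
    equal the base address', a 1 bit means 'don't care' (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def covered_network(base: str, wildcard: str) -> str:
    """Show the CIDR block a contiguous wildcard really covers, e.g.
    ('10.5.180.0', '0.0.255.255') -> '10.5.0.0/16'."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # non-contiguous wildcards have no single CIDR equivalent
        raise ValueError("non-contiguous wildcard mask")
    prefix_len = 32 - w.bit_length()
    net = int(ipaddress.IPv4Address(base)) & (~w & 0xFFFFFFFF)
    return str(ipaddress.IPv4Network((net, prefix_len)))


@dataclass
class AclEntry:
    permit: bool
    src: str
    src_wc: str
    dst: Optional[str] = None   # None => standard ACL, source only
    dst_wc: str = "0.0.0.0"     # 'host X' is X with wildcard 0.0.0.0


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins. No match hits the implicit deny, which for a
    NAT source list means the packet is forwarded untranslated."""
    for e in acl:
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if e.dst is not None and not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        return e.permit
    return False


# Standard list 30 from the thread, with the 'permit' keyword Jon pointed out.
# Any destination is translated.
STANDARD_30 = [
    AclEntry(True, "10.4.80.0", "0.0.0.255"),
    AclEntry(True, "10.4.81.0", "0.0.0.255"),
    AclEntry(True, "10.5.180.0", "0.0.255.255"),
]

# Policy-NAT list: same sources, translated only toward the two hosts.
# Numbered 100 because extended numbered ACLs live in 100-199.
_SOURCES = [("10.4.80.0", "0.0.0.255"),
            ("10.4.81.0", "0.0.0.255"),
            ("10.5.180.0", "0.0.255.255")]
EXTENDED_100 = [AclEntry(True, s, w, d)
                for s, w in _SOURCES
                for d in ("10.30.70.29", "10.30.70.30")]


def nat_applies(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True when 'ip nat inside source list <acl> interface vlan 251 overload'
    would translate this inside->outside flow."""
    return acl_permits(acl, src, dst)


if __name__ == "__main__":
    print(covered_network("10.5.180.0", "0.0.255.255"))           # 10.5.0.0/16
    print(nat_applies(STANDARD_30, "10.4.81.32", "192.0.2.10"))   # True
    print(nat_applies(EXTENDED_100, "10.4.81.32", "10.30.70.29")) # True
    print(nat_applies(EXTENDED_100, "10.4.81.32", "192.0.2.10"))  # False
```

The third line of the `_SOURCES` list is where the wildcard surprise lives: `0.0.255.255` leaves the last sixteen bits as "don't care", so the entry behaves as `10.5.0.0/16`. If only the 10.5.180.0/24 block was meant, the wildcard would be `0.0.0.255`. The `acl_permits` loop also makes the implicit deny explicit, which is the mechanism behind Jon's "Exactly": with the extended list in place, a 10.4.81.32 flow to any destination other than the two hosts leaves vlan 251 with its real source address.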
03-24-2010 11:47 PM
Hi Jon,
You're spot on with that it's a 6509 switch.
Thanks
Dan
Hi Dan,
Only the 6500 series switch supports NAT configuration. Check out the link below for NAT configuration examples.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Hope to Help !!
Ganesh.H