NATTING Some IPs and not others

Unanswered Question
Apr 19th, 2010

I have a network with firewalls and support networks. I would like to test external users against my support area, but I do not want to NAT everything.

Outside network --FW--(NAT Outside) Support Network (network (NAT Inside) ->FW-->Router NAT

                                                      Support Servers

                                                      Support known network ( to -->

All outside networks would target the Support Network (DMZ) and would be able to test both and network at the same time.

I have multiple routers with this configuration. It works with one out of 4 interfaces.

Any help?

Federico Coto F... Mon, 04/19/2010 - 15:44


Sounds like you need some kind of policy NAT to be able to NAT traffic depending on where the traffic is coming from and/or where it is going? Is this correct?

Is this an IPsec L2L tunnel?

If so, between which devices?


geraldjacksontx Tue, 04/20/2010 - 04:52

I was thinking along those lines. Any example of policy-based NATing?

Local support not NATed (except to test with some hosts) and remote users always using the NAT.

This is just a static TCP NAT:

ip nat inside source static tcp INSIDEADDRESS 443 OUTSIDEADDRESS 443

geraldjacksontx Tue, 04/20/2010 - 13:40

It is a 6500 with a Sup720 doing the NATing with VLANs; the firewalls are not ASAs.

Any example of policy-based routing with Cisco native IOS?

Federico Coto F... Tue, 04/20/2010 - 13:52

OK, so there's no FWSM on the 6500; it's just IOS.

In that case, you can check IOS NAT information here:

Most likely what you're looking for is to be able to NAT not only based on source but based on destination as well?

Regular NAT on IOS uses a configuration like this:

! Dynamic NAT/PAT whose inside addresses are selected by a route-map
ip nat inside source route-map NAT interface Fast0/0 overload

! NAT only consults the match clause of this route-map
route-map NAT permit 10
 match ip address 199
 set ip next-hop x.x.x.x

! Extended ACL 199: match all IP traffic (both source and destination are required)
access-list 199 permit ip any any

The above configuration translates the to the outside interface IP (PAT) when going to the Internet.

The same concept can apply to inbound traffic as well.

You can also put a condition on NAT by binding a route-map to a static NAT statement, for example.

Let us know how it goes...


geraldjacksontx Wed, 04/21/2010 - 07:53

I can either static NAT or use the non-NATed address, but I would like some local people (test) to get to the non-NATed address. At least one local box should be able to get to the NATed one for test. When I static NAT, the NAT works locally and remotely, but when I go to the non-NATed address (of the NATed address), the return traffic to the Sun box doing a dump reports the IP being NATed back to the NATed address.


Federico Coto F... Wed, 04/21/2010 - 10:53

If on the 6500 you create a static NAT, i.e.

ip nat inside source static

this means that from the outside you can access and from the inside you can access .

If the IP addresses behind the 6500 are public or routable addresses, you can access them without NAT.

The problem is that if you create a static NAT like the one above, you are defining that the device will be seen with the public IP from the outside and with the private IP from the inside.

If you want the static NAT but want to modify this behavior, you bind a route-map to the static NAT. In this way you define when the static NAT takes place and when it does not.
Is this what you're looking for?


geraldjacksontx Wed, 04/21/2010 - 11:55

The network that is not NATed is not known outside the local network (routes from the 6500 to the firewall).

But I have testers that don't want to change their test procedures. If I do a static NAT:

ip nat inside source static 443 443

it works fine from outside the network and locally.

But when I try to access from local servers, the response traffic (from snoop) gets NATed to .

Will a static NAT bound to a route-map work for this? Can you give me an example with this scenario?

geraldjacksontx Thu, 04/22/2010 - 17:25

ip nat inside source static route-map NAT

route-map NAT permit 10
 match ip address NAT-ACL

ip access-list extended NAT-ACL
 10 deny ip host any
 15 permit ip host any

interface Vlan200
 ip nat inside
 ip address

interface Vlan100
 ip nat outside
 ip address

The NAT seems to work for both the and , but the route-map does not seem to work. At least there are no hits on the route-map or the NAT-ACL, but there are NAT translations.

Seems to be a bug. If you remove the route-map before the ip nat static, it crashes the 6500.
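For reference, the following is an added example of the conditional static NAT that Federico describes and that the post above attempts; it is not configuration from either poster. All addresses, VLAN numbers and names are assumptions chosen for illustration (RFC 1918 inside space, RFC 5737 documentation space for the translated address). The idea is the one discussed in the thread: the support server keeps one static translation for remote users, but the ACL bound to the route-map carries a deny line for the local tester, so the server's replies to that tester leave with the real (inside local) address instead of being rewritten to the translated one. The example says nothing about the 6500-specific behaviour reported above (no route-map hits, crash on removal).

```cisco
! Added example: conditional static NAT on IOS (assumed addresses, not from the thread)
!
!   Support server (inside local)       10.10.20.5   on Vlan200 (ip nat inside)
!   Translated address (inside global)  192.0.2.5    seen by everything behind Vlan100
!   Local tester that must see the real address   10.10.30.15 on Vlan300
!
! Vlan300 is marked "ip nat outside" so that server -> tester traffic does cross an
! inside-to-outside boundary; that is exactly the path on which the reply got rewritten.
! The route-map is evaluated against the server's own outbound packets, so the ACL is
! written as source = inside local address, destination = the host it is replying to.

ip access-list extended NAT-ACL
 remark Replies to the local tester keep the real address: no translation
 10 deny   ip host 10.10.20.5 host 10.10.30.15
 remark Everything else (remote users via the firewall) gets the static translation
 20 permit ip host 10.10.20.5 any

route-map NAT permit 10
 match ip address NAT-ACL

! Static NAT takes effect only when NAT-ACL permits the flow
ip nat inside source static 10.10.20.5 192.0.2.5 route-map NAT

interface Vlan200
 description Support servers (inside)
 ip address 10.10.20.1 255.255.255.0
 ip nat inside

interface Vlan100
 description Link toward the outside firewall
 ip address 192.0.2.1 255.255.255.0
 ip nat outside

interface Vlan300
 description Local test LAN, reaches the server by its real address
 ip address 10.10.30.1 255.255.255.0
 ip nat outside
```

Additional local test hosts are added as further deny lines in NAT-ACL ahead of the permit. To confirm the route-map is actually being consulted, check the hit counters with show route-map NAT and show ip access-lists NAT-ACL while generating traffic, and compare against show ip nat translations; a translation table that fills while both counters stay at zero means the static entry is being applied without the route-map condition, which is the symptom described in the post above.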

