Need help with NAT configs ASAP..

Apr 24th, 2010
Hi all,

Greetings!

I have a query.

I have configured NAT on a 2801 router for a pool of private addresses to be NATted to a single public address, which is working fine.

My query is:

I want to exclude only a single private IP address from the private IP address pool so that it is not NATted, while all the remaining IP addresses of that pool are still NATted.

So can you please help me with these configs ASAP?

Best regards.

Jennifer Halim (Cisco Employee) Sat, 04/24/2010 - 01:23

I assume you are using an access-list to permit the private IP addresses to be NATed to the public IP address. You can configure a deny statement for that particular private IP address, and it will not be NATed.


Please make sure that the deny ACL is on top of the permit statement.


Hope that helps.

Arifuddinkhaja Sat, 04/24/2010 - 01:29

Thanks for your reply.

Yes, I am using an ACL to permit those private IP addresses to be NATted to the public IP address.

But if I configure a deny statement, will I be able to reach that particular IP address through the internet? That particular IP address is that of a server.

Awaiting your prompt response...

Thanks & best regards...

Jennifer Halim (Cisco Employee) Sat, 04/24/2010 - 01:34

I assume if it is a server and needs to be accessible through the internet, then it should already have a static nat entry. If it already has a static nat entry, it won't be using the dynamic nat statement, because static nat takes precedence over dynamic nat.


If the above statement is correct, you don't have to deny the server ip address from being NATed as it will just use the static nat statement.


Can you share your NAT configuration and advise what is the server ip?

Arifuddinkhaja Sat, 04/24/2010 - 01:47

Please find below the requested NAT configs:

!
ip nat pool voice 212.X.X.X 212.X.X.X netmask 255.255.255.128
ip nat inside source list 1 pool voice overload
!
access-list 1 permit 83.X.X.0 0.0.0.255

And the server IP is 83.X.X.5.

Correct Answer
Jennifer Halim (Cisco Employee) Sat, 04/24/2010 - 01:50

OK, so the server is already on a public IP address, that is why you do not have static NAT and do not need to PAT it, right?

If the above is right, I also assume that there is already a route on the next hop router to route traffic towards 83.x.x.5 towards the router outside interface?


If the above is right, you can configure the deny as follows:

access-list 1 deny host 83.X.X.5
access-list 1 permit 83.X.X.0 0.0.0.255
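
Why the deny entry has to sit above the permit, as an added example that is not part of the original thread: a small Python model of first-match standard ACL evaluation with wildcard masks, applied to a NAT source list. The 198.51.100.0/24 addresses are constructed stand-ins for the masked 83.X.X.0 network, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample: 198.51.100.0/24 stands in for the masked 83.X.X.0 network.
DENY_FIRST = [
    "access-list 1 deny host 198.51.100.5",
    "access-list 1 permit 198.51.100.0 0.0.0.255",
]
PERMIT_FIRST = list(reversed(DENY_FIRST))  # same two entries, opposite order


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines):
    """Turn standard numbered ACL lines into (action, address, wildcard) tuples."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        if tok[3] == "host":
            addr, wild = tok[4], "0.0.0.0"
        elif tok[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            addr, wild = tok[3], (tok[4] if len(tok) > 4 else "0.0.0.0")
        entries.append((tok[2], to_int(addr), to_int(wild)))
    return entries


def first_match(entries, source):
    """Return (action, entry number) of the first entry that matches source."""
    src = to_int(source)
    for number, (action, addr, wild) in enumerate(entries, 1):
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action, number
    return "deny", None  # implicit deny at the end of every ACL


def is_translated(acl_lines, source):
    """In a NAT source list, permit means translate, deny means leave untranslated."""
    return first_match(parse_acl(acl_lines), source)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        for host in ("198.51.100.5", "198.51.100.20"):
            print(name, host, "translated" if is_translated(acl, host) else "not translated")
```

With the permit entry first, the server address matches entry 1 and is still translated, so the deny entry never takes effect.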
