Outside NAT Question

Answered Question
Apr 30th, 2010

Hello Cisco Community,

I need to translate the outside global address for any IP from the Internet when heading to a particular inside local address to a pool of local private IP addresses that are routable within my private EIGRP topology. What is the best way to match that traffic, extended ACL or route-map w/ extended ACL? I already have a static inside NAT mapping for this host (ip nat inside source static 'inside local' 'inside global') to change the inside global address to an inside local address that can route in my network. Each external client that accesses our Outlook Web Access service will need to be assigned a unique outside local address since they will all be accessing TCP port 433 from our ISA proxy. On the ISA host, I will route traffic for 10.10.10.0 255.255.255.0 via a static route so that Outlook Web Access traffic heads down our backbone network, while web proxy (web surfing) traffic heads out a cable router via 0.0.0.0 0.0.0.0. Make sense?

Here is the config I was thinking about below.  Any suggestions?  I assume I need a loopback address so I can attach the NAT pool's network to it and then inject that route into my EIGRP topology.

!
! This already exists in the router
ip nat inside source static 'inside local' 'inside global'
!
! The pool is defined before the outside-source statement that references it.
! "type rotary" dropped: rotary pools are for "ip nat inside destination" TCP load
! distribution; a plain pool hands each outside client its own outside local address.
ip nat pool 'pool-name' 10.10.10.2 10.10.10.254 netmask 255.255.255.0
ip nat outside source route-map 'route-map-name' pool 'pool-name'
!
! IOS syntax is "route-map <name> permit <seq>", not "route-map permit <name>"
route-map 'route-map-name' permit 10
 match ip address 100
!
! Packet as it arrives from the Internet: any source, destination = the inside global address
access-list 100 permit ip any host 'inside-global-ip-addr'
!
! "ip address" takes the mask directly, without the "netmask" keyword
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
!

Correct Answer by Jon Marshall about 6 years 7 months ago

Not sure what a route-map gains you in this instance as it is any address to a specific host, so an extended ACL should do the trick.

Yes, you need to advertise the pool network internally, so using a loopback on your router and then advertising via EIGRP is a sensible way to go.

Jon
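The same design written out with the extended ACL in place of the route-map, as an added example that is not part of the original post or of Jon's reply. The interface names, the pool name OWA-CLIENTS and every address (203.0.113.10 as the inside global, 192.168.50.10 as the inside local) are assumed placeholders; the ACL keeps the poster's "ip any host" match rather than pinning a port.

```ios
! Added example, not the poster's or Jon's config. Interface names, the
! OWA-CLIENTS pool name and all addresses are assumed placeholders.
!
! Existing static mapping: public 203.0.113.10 (inside global) reaches the
! OWA host at 192.168.50.10 (inside local). Both values are constructed.
ip nat inside source static 192.168.50.10 203.0.113.10
!
! Extended ACL matching the packet as it arrives from the Internet:
! any source, destination = the inside global (public) address.
access-list 100 remark Internet clients reaching OWA via the public address
access-list 100 permit ip any host 203.0.113.10
!
! Pool of outside local addresses; each Internet client is given its own
! 10.10.10.x address for the life of its translation. No "type rotary",
! which belongs to "ip nat inside destination" load distribution.
ip nat pool OWA-CLIENTS 10.10.10.2 10.10.10.254 netmask 255.255.255.0
ip nat outside source list 100 pool OWA-CLIENTS
!
! Loopback carrying the pool subnet so EIGRP can advertise it to the backbone
interface Loopback1
 description Route anchor for the NAT outside-local pool
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0
 description Internet-facing (assumed interface name)
 ip nat outside
!
interface GigabitEthernet0/1
 description Backbone toward ISA/OWA (assumed interface name)
 ip nat inside
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
!
! Outside-source NAT hides the real client address from the ISA and OWA logs
! (they only see 10.10.10.x), so record the translations on the router to
! keep client attribution for incident review.
ip nat log translations syslog
```

To check it, "show ip nat translations" should list entries whose outside global is the real Internet client and whose outside local is a 10.10.10.x address from the pool, and "show ip route 10.10.10.0" on an EIGRP neighbor should show the pool subnet learned from this router. The pool's 253 addresses bound the number of concurrent external clients; how quickly an address is returned to the pool is governed by "ip nat translation timeout", so size the pool and the timeout together.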

Sam Oesterling Fri, 04/30/2010 - 07:05

Yeah I'm not sure what the route-map gives me either.

Thanks for your input.  I will use an extended ACL.
