Multiple NAT pools for multiple WAN circuits

Unanswered Question
Jul 22nd, 2010


I have a 3845 with one T1 that we use for public DNS queries and DNS zone transfers. We are doing NAT on the outside. Nothing else is on that T1; it's only for DNS.

Now I am adding a DS3 circuit on the same 3845 for Internet access for users on my LAN. We are going to NAT on the outside as well. How can I set up different NAT pools for different interfaces? Does anyone have an example of what that looks like?


Many thanks for all help!


! the IOS keyword is "list", not "access-list"; "DS3" stands for the DS3 interface name
ip nat inside source list 101 interface DS3 overload


access-list 101 will contain the allowed subnets to be NATed to the DS3, and the overload keyword basically says that this is PAT and not NAT.


Maybe you can have the same NAT statement for the DNS so that you can control what gets translated on this router.


Hope this helps


Regards

Syed

Marwan ALshawi Thu, 07/29/2010 - 19:39
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Best Publication, December 2015

Use the document below; it will help you configure it.


https://supportforums.cisco.com/docs/DOC-831


note:

The route-maps below are very important:


! each route-map matches the inside traffic (access-list 10) AND the outgoing interface
route-map ISP2 permit 10
 match ip address 10
 match interface FastEthernet2/0
!
route-map ISP1 permit 10
 match ip address 10
 match interface FastEthernet1/1


for more details refer to the above link


Also in this document you will see the NAT configured something like:


! one NAT rule per ISP, each keyed on the route-map for that exit interface
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload


However, if you want to use NAT pools you can create two pools, for example pool1 and pool2,

then apply each one to the right NAT line (where the route-map matches the OUTGOING interface).


good luck

If helpful, rate.
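Putting Syed's interface-overload form and Marwan's route-map-per-ISP form together, as an added example that is not from this thread or from the linked document. The interface names, the LAN prefix and the public addresses (documentation ranges) are assumptions. Each route-map matches the inside access list and the outgoing interface, so a flow is translated into the address block of the circuit it actually leaves on; the access list denies private destinations first, so only traffic bound for the Internet is rewritten and anything headed for another private network (a site-to-site VPN, for instance) is left alone.

```cisco
! Added example, not from the thread. Assumed names and addresses:
!   LAN 192.168.40.0/24 on GigabitEthernet0/0
!   T1  Serial0/0/0:1 -> ISP1, public address 198.51.100.1 (pool)
!   DS3 Serial1/0     -> ISP2, translated to the interface address
interface GigabitEthernet0/0
 description inside LAN
 ip nat inside
!
interface Serial0/0/0:1
 description ISP1 - T1
 ip nat outside
!
interface Serial1/0
 description ISP2 - DS3
 ip nat outside
!
! Only these inside hosts may be translated, and never toward private space.
ip access-list extended NAT_INSIDE
 deny   ip 192.168.40.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.40.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 any
!
! Pool for ISP1 (one address; an "interface ... overload" rule would do the same job).
ip nat pool POOL_ISP1 198.51.100.1 198.51.100.1 netmask 255.255.255.252
!
! The route-map is evaluated after the routing lookup, so "match interface"
! selects the translation by the interface the packet is about to leave on.
route-map NAT_ISP1 permit 10
 match ip address NAT_INSIDE
 match interface Serial0/0/0:1
!
route-map NAT_ISP2 permit 10
 match ip address NAT_INSIDE
 match interface Serial1/0
!
! ISP1 uses the pool; ISP2 uses PAT on the DS3 interface address.
ip nat inside source route-map NAT_ISP1 pool POOL_ISP1 overload
ip nat inside source route-map NAT_ISP2 interface Serial1/0 overload
!
! Verify which pool each flow landed in:
!   show ip nat translations verbose
!   show ip nat statistics
```

Which circuit a flow takes is still a routing decision (default route, per-destination routes or PBR); these rules only pick the translation once the exit interface is known. A default route toward the DS3 and a route or policy that sends DNS toward the T1 are still needed.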

pener1963 Thu, 08/05/2010 - 05:59

OK, I am trying to understand this. I don't want to break anything like DNS, so my next question would be:


Can I keep the current config as is and introduce policy NATing for the new DS3 circuit without touching the old stuff?

pener1963 Thu, 08/05/2010 - 06:27

Here is the current config. Like I said before, the T1 is used for public DNS queries and zone transfers only. If you need to see more I can supply it...


! pool for the outside-source rule: foreign addresses are rewritten into 10.248.0.0/14
ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
! single public address used for PAT of inside hosts matching list internet-OUT
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
! one-to-one static mappings; 192.168.40.11 and .12 are the DMZ DNS servers
ip nat inside source static 10.1.4.221 175.211.21.206
ip nat inside source static 192.168.40.11 209.99.98.21
ip nat inside source static 192.168.40.12 209.99.98.22
ip nat outside source list NAT_outside pool nat_pool_outside


! Qwest T1: the only NAT outside interface today
interface Serial0/0/0:1
description Qwest - T1
ip address 63.63.63.138 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside


! LAN side (toward the edge firewall): the only NAT inside interface
interface GigabitEthernet0/0.10
description to Edge Firewall
encapsulation dot1Q 10
ip address 172.31.1.8 255.255.255.240
ip nat inside


! default route points at the Qwest T1 next hop
ip route 0.0.0.0 0.0.0.0 63.63.63.137


192.168.40.11 and 192.168.40.12 are the DNS servers on the DMZ.


Like I said, I have a new DS3 where VPN users are going to come in. The FW will put them in a subnet and then I will route-map based on that subnet?


Confused...

Nagaraja Thanthry Thu, 08/05/2010 - 09:58
User Badges:
  • Cisco Employee,

Hello,


You could use NAT virtual interface for what you are trying to achieve.


! T1 (currently "ip nat outside"); the interface name was not given in the post
interface
 no ip nat outside
 ip nat enable
 exit


! LAN-facing interface (currently "ip nat inside"); the interface name was not given in the post
interface
 no ip nat inside
 ip nat enable
 exit


Once this is done, remove all the NAT configurations and re-enter them:


! remove the domain-based (inside/outside) rules
no ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
no ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
no ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
no ip nat inside source static 10.1.4.221 175.211.21.206
no ip nat inside source static 192.168.40.11 209.99.98.21
no ip nat inside source static 192.168.40.12 209.99.98.22
no ip nat outside source list NAT_outside pool nat_pool_outside


! re-enter them in NVI form: "ip nat source" with no inside/outside keyword,
! because "ip nat inside source" rules are not applied on "ip nat enable" interfaces
ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat source list internet-OUT pool nat_pool_qwest_t1_outside overload
ip nat source static 10.1.4.221 175.211.21.206
ip nat source static 192.168.40.11 209.99.98.21
ip nat source static 192.168.40.12 209.99.98.22
! caveat: NVI has no outside direction; check the NVI restrictions for your IOS
! release before relying on this translation of foreign addresses
ip nat outside source list NAT_outside pool nat_pool_outside



Then, you need to configure PBR for the DNS traffic:


! DNS traffic (queries to port 53 over UDP and TCP)
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 53


! send matching traffic to the T1 next hop (address not given in the post)
route-map DNS
 match ip address 101
 set ip next-hop
 exit


! apply the policy on the LAN-facing interface (name not given in the post)
interface
 ip policy route-map DNS
 exit



This will ensure that DNS traffic goes through the T1 and uses the T1 pool, whereas all other traffic goes through the DS3 and uses the appropriate pool.


Hope this helps.


Regards,


NT
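The NVI layout NT describes, assembled into one working configuration as an added example (not NT's or the poster's config). It reuses the interface names, pools and static mappings from the posted config; the DS3 interface name (Serial1/0), its next hop (203.0.113.1) and its public pool (203.0.113.10 to .13) are assumptions. Two points go beyond the post: the NAT rules are written in the NVI form (`ip nat source`, no inside/outside keyword, since the domain-based rules do not apply to `ip nat enable` interfaces), and DNS is steered by the servers' addresses rather than by destination port 53 alone, so replies from the authoritative servers (source port 53, arbitrary destination port) also leave via the T1 instead of following the default route out the DS3.

```cisco
! Added example, not from the thread. From the posted config: T1 = Serial0/0/0:1,
! T1 next hop 63.63.63.137, LAN side = GigabitEthernet0/0.10, DNS servers
! 192.168.40.11/.12. Assumed: DS3 = Serial1/0, DS3 next hop 203.0.113.1,
! DS3 public pool 203.0.113.10-203.0.113.13, user LAN 10.1.0.0/16.
!
! 1. NVI: every NAT-participating interface gets "ip nat enable"; no inside/outside.
interface Serial0/0/0:1
 description Qwest - T1
 no ip nat outside
 ip nat enable
!
interface Serial1/0
 description DS3 - user Internet
 ip nat enable
!
interface GigabitEthernet0/0.10
 description to Edge Firewall
 no ip nat inside
 ip nat enable
 ip policy route-map DNS_VIA_T1
!
! 2. Translation rules in NVI form. The static mappings give the DNS servers
!    their fixed public addresses; dynamic PAT is per access list, so the two
!    lists must not overlap. The posted "ip nat outside source" rule is left out
!    here: NVI removes the outside direction and it must be re-evaluated separately.
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat pool nat_pool_ds3_outside 203.0.113.10 203.0.113.13 netmask 255.255.255.240
!
ip nat source static 192.168.40.11 209.99.98.21
ip nat source static 192.168.40.12 209.99.98.22
ip nat source list internet-OUT pool nat_pool_qwest_t1_outside overload
ip nat source list USERS_OUT pool nat_pool_ds3_outside overload
!
! Users are translated only toward the Internet, never toward private space
! (keeps VPN and DMZ traffic untouched).
ip access-list extended USERS_OUT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
! 3. Routing: default via the DS3; PBR pushes the DNS servers' traffic out the T1.
!    Matching the hosts rather than "eq 53" also catches responses to inbound
!    queries and zone transfers, which carry source port 53 and any destination port.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list extended DNS_SERVERS
 permit ip host 192.168.40.11 any
 permit ip host 192.168.40.12 any
!
route-map DNS_VIA_T1 permit 10
 match ip address DNS_SERVERS
 set ip next-hop 63.63.63.137
!
! Verify:
!   show ip nat nvi translations
!   show ip nat nvi statistics
!   show route-map DNS_VIA_T1
```

The posted default route toward the T1 is replaced, not removed: the default now points at the DS3 and the route-map carries the DNS servers' traffic to the T1 next hop. If the T1 goes down the PBR next hop is unreachable and that traffic falls back to the default route; a tracked next hop (`set ip next-hop verify-availability`) is the usual guard against that.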

pener1963 Thu, 08/05/2010 - 11:06

OK so in your solution you say:



interface

no ip nat outside

ip nat enable

exit


We are talking about the T1 interface here, right? Or are we creating an interface? Never heard of NAT virtual interface.


Also, would I want to remove the default route if I am using the route-maps?


Many thanks,


P.

Nagaraja Thanthry Thu, 08/05/2010 - 11:43
User Badges:
  • Cisco Employee,

Hello,


We are talking about the T1 interface. When you just enable NAT on the interface, the router creates a virtual NAT interface (NVI) and applies all NAT rules via that interface. So, based on the exit interface, the NVI will apply the NAT rules.


BTW, you need to do the same i.e. enable NAT on the DS3 interface as well.


Hope this helps.


Regards,


NT

pener1963 Thu, 08/05/2010 - 11:48

Thanks for answering my post. I really appreciate it!


But if I have different NAT policies for the T1 and DS3, how can I apply the different policies to the physical interfaces?


Sorry if you have already explained this.


MANY MANY Thanks!

Nagaraja Thanthry Thu, 08/05/2010 - 12:36
User Badges:
  • Cisco Employee,

Hello,


When you use Nat Virtual Interface (NVI), the router will apply NAT rules as per your configuration i.e. if you define a different rule for T3 interface than T1, then the NVI will apply those rules accordingly.


Hope this helps.


Regards,


NT
