NAT equivalents to IPTables

Unanswered Question
Sep 16th, 2014

I am replacing a Linux router with a Cisco device. The Linux device provides NAT services, and I have successfully configured inbound access from public addresses to private addresses. However, the Linux router has an IPTables configuration, shown below, which I cannot replicate in Cisco:

-A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT --to-source xx.yy.124.161 (sanitised public address)

I translated this as meaning "For packets with a source address of 10.5.10.41 and a destination address outside the range 10.5.0.0/16, translate the destination address to xx.yy.124.161".

On that basis, I created the following configuration:

ip access-list extended corenat1
 deny   ip host 10.5.10.41 10.5.0.0 0.0.255.255
 remark denies traffic source 10.5.10.41 dest 10.5.0.0 0.0.255.255
 permit ip host 10.5.10.41 any
 remark permits traffic source 10.5.10.41 to any
ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list corenat1 pool natpool1

This was intended to identify the traffic to NAT (access-list corenat1), then create a NAT pool with one address in it, and finally NAT the identified traffic to the new address. It does not work, and I'm not seeing any translations occurring from these commands. The NAT router simply returns "unavailable" when pinging is attempted.

Am I doing something wrong, or is this just not possible?

Thanks

Jim 
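
To make the mapping between the iptables rule and the IOS configuration concrete, here is an added Python example; it is not code from the thread or from either poster. It parses the SNAT rule (which rewrites the source address of matching packets), renders the equivalent IOS ACL, one-address pool and `ip nat inside source` statement, and then checks both policies against a few constructed packets to confirm that the deny/permit pair really expresses `-d ! 10.5.0.0/16`. The function names, the ACL and pool names, the /30 netmask and the sample packets are assumptions; the public address stays the thread's sanitised placeholder.

```python
"""Translate an iptables SNAT rule into Cisco IOS NAT configuration and
cross-check that both express the same translation policy.
Added example, not code from the thread; function names, ACL/pool names
and the /30 netmask are assumptions; the public address is the thread's
sanitised placeholder."""
import ipaddress
import shlex

# Constructed input: the rule quoted in the question (legacy "-d ! NET" form).
SNAT_RULE = ("-A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 "
             "-j SNAT --to-source xx.yy.124.161")

# Constructed (src, dst) packets used to compare the two policies.
SAMPLE_PACKETS = [("10.5.10.41", "203.0.113.10"),  # off-site destination: translated
                  ("10.5.10.41", "10.5.20.7"),     # destination inside 10.5/16: excluded
                  ("10.5.10.41", "10.6.0.1"),      # 10.6/16 is outside 10.5/16: translated
                  ("10.5.10.42", "203.0.113.10")]  # other host: untouched


def parse_snat_rule(rule):
    """Extract source, destination (with negation) and --to-source.
    Accepts both the legacy `-d ! NET` and the current `! -d NET` syntax."""
    tokens = shlex.split(rule)
    spec = {"src": None, "src_negated": False, "dst": None,
            "dst_negated": False, "target": None, "to_source": None}
    i = 0
    while i < len(tokens):
        tok, negated = tokens[i], False
        if tok == "!":                       # current syntax: "! -d NET"
            negated, i = True, i + 1
            tok = tokens[i]
        if tok in ("-s", "-d"):
            value = tokens[i + 1]
            if value == "!":                 # legacy syntax: "-d ! NET"
                negated, value, i = True, tokens[i + 2], i + 1
            key = "src" if tok == "-s" else "dst"
            spec[key] = ipaddress.ip_network(value, strict=False)
            spec[key + "_negated"] = negated
            i += 2
        elif tok in ("-j", "--to-source"):
            spec["target" if tok == "-j" else "to_source"] = tokens[i + 1]
            i += 2
        else:                                # -A POSTROUTING and anything else
            i += 1
    if spec["target"] != "SNAT" or spec["src"] is None or not spec["to_source"]:
        raise ValueError("not a SNAT rule this translator handles")
    if spec["src_negated"]:
        raise ValueError("negated source needs a differently shaped ACL")
    return spec


def ios_match(net):
    """Render a network as a Cisco ACE address field (any | host A | A WILDCARD)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # wildcard = inverted netmask


def render_ios_nat(spec, acl="corenat1", pool="natpool1", netmask="255.255.255.252"):
    """SNAT rewrites the source address, so the IOS form is an ACL that selects
    the flows plus `ip nat inside source list ... pool ...`. A negated
    destination becomes a deny ACE for that network ahead of the permit."""
    src = ios_match(spec["src"])
    dst = "any" if spec["dst"] is None or spec["dst_negated"] else ios_match(spec["dst"])
    lines = [f"ip access-list extended {acl}"]
    if spec["dst_negated"]:
        lines += [f" remark exclude destinations in {spec['dst']} from translation",
                  f" deny   ip {src} {ios_match(spec['dst'])}"]
    lines.append(f" permit ip {src} {dst}")
    lines += [f"ip nat pool {pool} {spec['to_source']} {spec['to_source']} netmask {netmask}",
              f"ip nat inside source list {acl} pool {pool}",
              "! check: LAN and WAN interfaces must carry 'ip nat inside' / 'ip nat outside'"]
    return "\n".join(lines)


def iptables_translates(spec, src_ip, dst_ip):
    """Would the iptables rule SNAT a packet src_ip -> dst_ip?"""
    src_ok = (ipaddress.ip_address(src_ip) in spec["src"]) != spec["src_negated"]
    dst_ok = True if spec["dst"] is None else \
        (ipaddress.ip_address(dst_ip) in spec["dst"]) != spec["dst_negated"]
    return src_ok and dst_ok


def _ace_field(fields):
    """Consume one ACE address field and return (network, remaining fields)."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1]), fields[2:]
    # Invert the wildcard ourselves: ipaddress would read wildcard 0.0.0.0 as /0.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(fields[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{fields[0]}/{mask}", strict=False), fields[2:]


def ios_acl_permits(config, src_ip, dst_ip):
    """Evaluate the ACL first-match-wins with an implicit deny, as IOS does."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("permit", "deny"):
            continue
        src_net, rest = _ace_field(parts[2:])
        dst_net, _ = _ace_field(rest)
        if s in src_net and d in dst_net:
            return parts[0] == "permit"
    return False


def policies_agree(rule, packets):
    """True when iptables and the rendered IOS ACL select the same packets."""
    spec = parse_snat_rule(rule)
    config = render_ios_nat(spec)
    return all(iptables_translates(spec, s, d) == ios_acl_permits(config, s, d)
               for s, d in packets)


if __name__ == "__main__":
    print(render_ios_nat(parse_snat_rule(SNAT_RULE)))
    print("policies agree:", policies_agree(SNAT_RULE, SAMPLE_PACKETS))
```

Run it as a script to print the generated configuration. The cross-check is the useful part: an ACL used to select NAT traffic is evaluated first-match-wins with an implicit deny at the end, so the `deny` for 10.5.0.0/16 must precede the `permit ... any`, exactly as in the post above. If the ACL and pool look right but `show ip nat translations` stays empty, the usual thing to verify is that the LAN-facing interface carries `ip nat inside` and the WAN-facing interface `ip nat outside`, because IOS only translates packets that cross from one to the other.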

Walter Astori Tue, 09/16/2014 - 03:25

Can you see the following configuration:

access-list 101 deny ip host 10.5.10.41 10.5.0.0 0.0.255.255
access-list 101 permit ip host 10.5.10.41 any
access-list 1 permit ip host 10.5.10.41

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list 1 pool natpool1

interface Fa0/1
 ip nat outside
 ip access-group 101 out

Jim Blake Tue, 09/16/2014 - 04:10

Hi Walter,

Thanks for the interest. Your suggestion will apply the access-group to the interface, and will manage packets going in/out of the interface. My access-list was to direct certain traffic to the NAT-RULES, not the interface, so that there was no permit/deny on the interface, but a selection of traffic to which NAT-ing was applied. Is my way of working possible?

Walter Astori Tue, 09/16/2014 - 05:19

I think that you can use the access-group on the interface for the traffic input/output, and you can use access-list 1 for the traffic that you want to NAT.
