NAT equivalents to IPTables

Jim Blake
Level 1

I am replacing a Linux router with a Cisco device. The Linux device provides NAT services, and I have successfully configured inbound access from public addresses to private addresses. However, the Linux router has IPTables configuration as shown below which I cannot replicate in Cisco:

-A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT --to-source xx.yy.124.161 (sanitised public address)

I translated this as meaning "For packets with a source address of 10.5.10.41 and a destination address outside the range 10.5.0.0/16, translate the destination address to xx.yy.124.161".

On that basis, I created the following configuration:

ip access-list extended corenat1
 deny   ip host 10.5.10.41 10.5.0.0 0.0.255.255
 remark denies traffic source 10.5.10.41 dest 10.5.0.0 0.0.255.255
 permit ip host 10.5.10.41 any
 remark permits traffic source 10.5.10.41 to any

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list corenat1 pool natpool1

This was intended to identify the traffic to NAT (access-list corenat1), then create a NAT pool with one address in it, and finally NAT the identified traffic to the new address. It does not work, and I'm not seeing any translations occurring from these commands. The NAT router simply returns "unavailable" when pinging is attempted.

Am I doing something wrong, or is this just not possible?

Thanks

Jim
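As an added example that is not part of the original post or the poster's router configuration: a complete IOS counterpart to the iptables SNAT rule quoted above, including the interface designations that the posted snippet does not show. The addresses (10.5.10.41, 10.5.0.0/16, the sanitised xx.yy.124.161) are those in the thread; the interface names GigabitEthernet0/0 and GigabitEthernet0/1 are assumptions. Two points the snippet leaves implicit are spelled out in the comments: SNAT rewrites the source address, so the IOS equivalent is `ip nat inside source`, and an ACL referenced by that command is only a selector (a `deny` exempts traffic from translation, it does not drop it), unlike an ACL applied with `ip access-group`.

```cisco
! Added example (not the poster's config). Interface names are assumptions.
!
! iptables rule being replicated:
!   -A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT --to-source xx.yy.124.161
! SNAT rewrites the *source* address of matching packets; the IOS counterpart
! is "ip nat inside source", selected by an ACL.
!
! 1. Selector ACL. IOS evaluates entries top-down, first match wins, so the
!    deny for 10.5.0.0/16 (wildcard 0.0.255.255 == /16) must come before the
!    permit. "deny" here means "do not translate", not "drop": this ACL is
!    never applied to an interface, so nothing is filtered by it.
ip access-list extended corenat1
 remark 10.5.10.41 -> 10.5.0.0/16 keeps its private source (iptables: -d ! 10.5.0.0/16)
 deny   ip host 10.5.10.41 10.5.0.0 0.0.255.255
 remark 10.5.10.41 -> anywhere else is translated
 permit ip host 10.5.10.41 any
!
! 2. One-address pool (start and end address are the same). The netmask only
!    has to contain the pool address; it is not the uplink's mask.
ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
!
! 3. Bind selector to pool. Without "overload" each inside host takes one
!    pool address; with a single host and a single address that is fine.
ip nat inside source list corenat1 pool natpool1
!
! 4. What the original snippet does not show: IOS only consults the list and
!    pool for packets that arrive on an "ip nat inside" interface and leave
!    through an "ip nat outside" interface (and the reverse for returns).
!    With either marking missing, no translation is ever attempted.
interface GigabitEthernet0/0
 description LAN side, 10.5.0.0/16 (assumed interface name)
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet uplink (assumed interface name)
 ip nat outside
!
! 5. xx.yy.124.161 must be reachable from the outside: either it lies in the
!    uplink's subnet or the upstream routes it to this router. Otherwise
!    translated packets leave but replies never come back.
```

To check it, look at `show ip nat statistics` first: it lists the inside and outside interfaces and the corenat1 to natpool1 mapping, and if an interface is missing there nothing will be translated regardless of the ACL. Then send traffic from 10.5.10.41 itself to an address outside 10.5.0.0/16 and look for the entry in `show ip nat translations`; `show access-lists corenat1` shows which ACL entry the packets matched. Traffic from 10.5.10.41 to 10.5.0.0/16 should hit the deny entry and produce no translation, which is exactly the behaviour the `-d ! 10.5.0.0/16` test gives in the iptables rule. `debug ip nat` prints each translation decision and is useful for a short test window, but turn it off afterwards on a production router.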

3 Replies

Walter Astori
Level 1

Can you see the following configuration:

! Extended ACL used as an interface filter: blocks 10.5.10.41 -> 10.5.0.0/16,
! allows 10.5.10.41 -> anything else
access-list 101 deny ip host 10.5.10.41 10.5.0.0 0.0.255.255
access-list 101 permit ip host 10.5.10.41 any
! Standard ACL that selects all traffic from 10.5.10.41 for translation
! (standard numbered ACLs take no "ip" keyword)
access-list 1 permit host 10.5.10.41

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list 1 pool natpool1

! Outside interface: marked for NAT, with ACL 101 applied to outbound traffic
interface Fa0/1
 ip nat outside
 ip access-group 101 out

Hi Walter,

Thanks for the interest. Your suggestion will apply the access-group to the interface, and will manage packets going in/out of the interface. My access-list was to direct certain traffic to the NAT rules, not the interface, so that there was no permit/deny on the interface, but a selection of traffic to which NATing was applied. Is my way of working possible?

I think that you can use the access-group on the interface for the traffic input/output, and you can use access-list 1 for the traffic that you want to NAT.
