Cisco Support Community

ACL for PAT

Hi experts,

I have static NAT on a set of private IP range mapped to public IP addresses. Due to no more public IP address available, I would like to set PAT for the remaining private IP range and overload it on the WAN IP. I'm choosing which ACL for PAT for private IP address range 192.168.4.64 - .254 is correct?

ip nat inside source static 192.168.4.2 210.x.x.x --> STATIC NAT FROM 192.168.4.2 - .63

ip nat inside source list 10 interface FastEthernet0/0 overload 

access-list 10 permit 192.168.4.64  0.0.0.255 --> PAT FROM 192.168.4.64 - .255

OR

access-list 10 permit 192.168.4.64  0.0.0.191

Accepted Solutions

Re: ACL for PAT

John

You cannot cover the whole range with one entry - try this

access-list 101 permit ip 192.168.4.64 0.0.0.63 any

access-list 101 permit ip 192.168.4.128 0.0.0.127 any

ip nat inside source list 101 interface fa0/0 overload

Jon
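
Added example (not part of the original thread): a Python check of which last octets in 192.168.4.0/24 each ACL entry discussed above matches under IOS wildcard-mask rules, where a 1 bit in the wildcard means that bit is ignored. The function names and the `CANDIDATES` labels are assumptions made for this illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS-style match: wildcard bits set to 1 are ignored, all other bits must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def matched_hosts(entries, subnet="192.168.4.0/24"):
    """Last octets in subnet permitted by at least one (base, wildcard) entry."""
    hits = set()
    for ip in ipaddress.ip_network(subnet):
        if any(wildcard_match(str(ip), b, w) for b, w in entries):
            hits.add(int(ip) & 0xFF)
    return hits

def ranges(octets):
    """Collapse a set of octets into sorted (first, last) runs."""
    out = []
    for o in sorted(octets):
        if out and o == out[-1][1] + 1:
            out[-1] = (out[-1][0], o)
        else:
            out.append((o, o))
    return out

# Entries are the ones posted in the thread; the dictionary keys are
# labels chosen for this example.
CANDIDATES = {
    "0.0.0.255": [("192.168.4.64", "0.0.0.255")],
    "0.0.0.191": [("192.168.4.64", "0.0.0.191")],
    "two entries": [("192.168.4.64", "0.0.0.63"),
                    ("192.168.4.128", "0.0.0.127")],
}

if __name__ == "__main__":
    for name, entries in CANDIDATES.items():
        print(f"{name:12} -> {ranges(matched_hosts(entries))}")
```

Run as a script, it shows that the 0.0.0.255 entry also matches the statically translated hosts, the 0.0.0.191 entry skips .128 to .191, and the two-entry list matches exactly .64 to .255.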

Re: ACL for PAT

Hi Jon,

Thanks for your feedback! Is standard ACL also applicable for this case?

access-list 10 permit ip 192.168.4.64 0.0.0.63

access-list 10 permit ip 192.168.4.128 0.0.0.127

ip nat inside source list 10 interface fa0/0 overload


Re: ACL for PAT

John

I always use an extended list because I have seen cases where a standard ACL just doesn't work.

Jon

Re: ACL for PAT

Thanks Jon! Will try what you suggested.
