How to segregate NAT ACL on Cat65K

cisco_lite (Level 1)

Hi,

There are three VLANs on the core switch: VLAN 15, 16 and 17.

The traffic going from VLAN 15 into VLAN 16/17 should be NAT'ed. So VLAN 15 has ip nat inside and VLAN 16/17 have ip nat outside. NAT is working fine from VLAN 15 into VLAN 16 with 'ip nat inside source static x x'.

How can I define the NAT'ed IP list for VLAN 17? I want to NAT the same source IP to a different IP when going into each of the other VLANs. I believe 'ip nat inside source' will not allow the same source IP to be NAT'ed to different IPs based on the destination VLAN.

How can this be achieved?

Thanks.

Accepted Solution

Okay, try this -

vlan 15 = 192.168.5.0/24
vlan 16 = 192.168.10.0/24
vlan 17 = 192.168.11.0/24

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255

ip nat inside source static 192.168.5.10 172.22.1.1 route-map PNAT1 extendable
ip nat inside source static 192.168.5.10 172.22.1.2 route-map PNAT2 extendable

route-map PNAT1 permit 10
 match ip address 101
route-map PNAT2 permit 10
 match ip address 102

Note I have used 172.22.1.x addresses for NAT; obviously you need to substitute what you have.

Jon
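A quick way to confirm the segregation before deploying it: an added Python model (written here, not code from the thread or from Cisco) that evaluates the accepted solution's ACLs, route-maps and static entries for a given source/destination pair and reports which inside global address the packet leaves with. The ACL, route-map and address values are the ones posted above; the function names and the third destination, 192.168.12.7, are my own.

```python
import ipaddress

# Constructed model of the accepted solution (not Cisco code): each ACE is a
# (source network, destination network) pair built from an IOS address/wildcard.

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address + wildcard (e.g. 0.0.0.255) into an IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

# access-list 101 / 102 exactly as posted (permit entries only; implicit deny at the end)
ACLS = {
    101: [(wildcard_to_network("192.168.5.0", "0.0.0.255"),
           wildcard_to_network("192.168.10.0", "0.0.0.255"))],
    102: [(wildcard_to_network("192.168.5.0", "0.0.0.255"),
           wildcard_to_network("192.168.11.0", "0.0.0.255"))],
}

# route-map PNATx permit 10 / match ip address <acl>
ROUTE_MAPS = {"PNAT1": 101, "PNAT2": 102}

# ip nat inside source static <inside local> <inside global> route-map <name> extendable
STATIC_NAT = [
    ("192.168.5.10", "172.22.1.1", "PNAT1"),
    ("192.168.5.10", "172.22.1.2", "PNAT2"),
]

def acl_permits(acl_id: int, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First-match evaluation of the ACL; no matching entry means implicit deny."""
    return any(src in s and dst in d for s, d in ACLS[acl_id])

def translate_source(src: str, dst: str) -> str:
    """Source address a packet from src to dst carries after inside-to-outside NAT."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for inside_local, inside_global, rmap in STATIC_NAT:
        if src_ip == ipaddress.IPv4Address(inside_local) and acl_permits(ROUTE_MAPS[rmap], src_ip, dst_ip):
            return inside_global
    return src  # no static entry with a matching route-map: the packet leaves untranslated

if __name__ == "__main__":
    for dst in ("192.168.10.7", "192.168.11.7", "192.168.12.7"):
        print(f"192.168.5.10 -> {dst}: source becomes {translate_source('192.168.5.10', dst)}")
```

The model only covers the inside-to-outside lookup with first-match semantics; on the switch itself, `show ip nat translations` shows what was actually installed.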


7 Replies

Jon Marshall (Hall of Fame)

Do you need to use static NAT entries?

The easiest thing to do would be to use PAT on the vlan 16 & vlan 17 interfaces, i.e.

vlan 15 = 192.168.5.0/24
vlan 16 = 192.168.10.0/24
vlan 17 = 192.168.11.0/24

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255

ip nat inside source list 101 interface vlan16 overload
ip nat inside source list 102 interface vlan17 overload

If you do need static NAT then obviously ignore the above :-)

Jon

Yes, I need to use static NAT. I was facing some other issues with PAT.

Can I use something like policy-based NAT, etc.?


John,

I just wanted to thank you for all your helpful posts, and this one was another learning deal for me. I learn quite a bit from pros like yourself.

Steven

Many thanks for your kind words.

Jon

Thanks John.

One more on the same topic: is it correct that using a route-map does not necessitate applying 'ip policy' on the interface?

"Is it correct that usage of route-map does not necessitate applying 'ip policy' on the interface"

Correct. Here is a copy of the config I used to test the setup:

interface Loopback10
 ip address 10.5.1.20 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.5.5 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.16.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.5.0
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source static 172.16.5.2 10.5.1.1 route-map PNAT extendable
ip nat inside source static 172.16.5.2 10.5.1.2 route-map PNAT1 extendable
!
access-list 101 permit ip host 172.16.5.2 host 172.16.6.2
access-list 102 permit ip host 172.16.5.2 host 172.16.7.2
route-map PNAT permit 10
 match ip address 101
!
route-map PNAT1 permit 10
 match ip address 102

Jon
