Cisco Support Community
Community Member

IOS and conditional NAT operations

Is there a way that Cisco IOS can be configured to do conditional NAT operations?

For example, as a default I want to NAT traffic coming into the router from some private IP space destined for most public space. But if the traffic on the private side needs to talk to some particular address on the public side of the router, such as a DHCP server (by IP address and/or by port), I'd like to keep the traffic un-NAT'ed.

For example:

interface FastEthernet0/0
 ip address 1.2.3.5 255.255.255.192
 ip nat outside

interface FastEthernet0/1
 ip address 10.33.0.1 255.255.0.0
 ip helper-address 1.2.3.4
 ip nat inside

ip nat pool NAT-POOL 1.2.3.5 1.2.3.5 prefix-length 26
ip nat inside source list NAT-LIST pool NAT-POOL overload

ip access-list standard NAT-LIST
 permit 10.33.100.0 0.0.0.255

Let's say I want to send traffic to the DHCP server at 1.2.3.4 coming from 10.33.100.0/24, but I do not want it NAT'ed. Can I play some sort of trick to make an exception to the normal NAT'ing rule? I've seen some discussion that this might be done with a route-map statement, but I'm wondering if someone might be able to provide a working example.

Thanks.

Clarke Morledge

College of William and Mary

1 ACCEPTED SOLUTION
Hall of Fame Super Bronze

Re: IOS and conditional NAT operations

You can use an extended ACL instead of a standard ACL and within the extended ACL deny the traffic sourcing from the group of addresses destined to the networks you don't want to NAT.

For instance:

ip access-list extended NAT-LIST
 deny ip 10.33.100.0 0.0.0.255 host 1.2.3.4
 permit ip 10.33.100.0 0.0.0.255 any

HTH,

__

Edison.
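To see why the deny entry gives the exception Clarke asked for, here is a small Python model of the router's decision, added for illustration and not taken from the thread or from Cisco. It replays the IOS wildcard-mask lookup (first match wins, implicit deny at the end) over the original standard NAT-LIST and Edison's extended one, for a few constructed flows; the public host 198.51.100.9 is made up.

```python
import ipaddress

POOL_IP = "1.2.3.5"  # the NAT-POOL address from the question

# Constructed models of the two NAT ACLs in the thread. Each entry is
# (action, src, src-wildcard, dst, dst-wildcard); "any" is 0.0.0.0 255.255.255.255
# and "host X" is X 0.0.0.0. A standard ACL only looks at the source, so its
# destination is written as "any".
STANDARD_NAT_LIST = [
    ("permit", "10.33.100.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
EXTENDED_NAT_LIST = [
    ("deny",   "10.33.100.0", "0.0.0.255", "1.2.3.4", "0.0.0.0"),          # to the DHCP server
    ("permit", "10.33.100.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # everything else
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def nat_source(acl, src, dst, pool_ip=POOL_IP):
    """Simulate 'ip nat inside source list <acl> pool <pool> overload' for an
    inside-to-outside packet: 'permit' translates the source to the pool address,
    'deny' (explicit or implicit) forwards the packet untranslated. The router
    does not drop it, which is why a deny entry is the right tool for an exception."""
    return pool_ip if acl_action(acl, src, dst) == "permit" else src

if __name__ == "__main__":
    flows = [("10.33.100.25", "1.2.3.4"),       # to the DHCP server
             ("10.33.100.25", "198.51.100.9"),  # to an arbitrary public host (constructed)
             ("10.33.5.7", "198.51.100.9")]     # source outside NAT-LIST entirely
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<13} standard ACL: {nat_source(STANDARD_NAT_LIST, src, dst):<13}"
              f" extended ACL: {nat_source(EXTENDED_NAT_LIST, src, dst)}")
```

With the standard ACL the DHCP flow is translated to 1.2.3.5; with the extended ACL it leaves the router as 10.33.100.25 while other public destinations are still translated, and sources the ACL never mentions are untouched by the implicit deny.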

2 REPLIES
Community Member

Re: IOS and conditional NAT operations

Edison,

That'll work nicely. Thanks!

Clarke Morledge
