Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAT equivalents to IPTables

I am replacing a Linux router with a Cisco device. The Linux device provides NAT services, and I have successfully configured inbound access from public addresses to private addresses. However, the Linux router has IPTables configuration as shown below which I cannot replicate in Cisco:

-A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT --to-source xx.yy.124.161 (sanitised public address)

I translated this as meaning "For packets with a source address of 10.5.10.41 and a destination address outside the range 10.5.0.0/16, then translate the destination address to xx.yy.124.161

On that basis, I created the following configuration

ip access-list extended corenat1

 deny   ip host 10.5.10.41 10.5.0.0 0.0.255.255

 remark denies traffic source 10.5.10.41 dest 10.5.0.0 0.0.255.255

 permit ip host 10.5.10.41 any

 remark permits traffic source 10.5.10.41 to any

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252

ip nat inside source list corenat1 pool natpool1

This was intended to identify the traffic to nat (access-list corenat1), then create a nat pool with one address in it, and finally NAT the identified traffic to the new address. It does not work, and I'm not seeing any translations occurring from these commands. The NAT router simply returns "unavailable" when pinging is attepted

Am I doing something wrong, or is this just not possible?

 

Thanks

 

Jim 

 

 

3 REPLIES
Community Member

Can you see the following

Can you see the following configuration :

access-list 101 deny ip host 10.5.10.41 10.5.0.0 0.0.255.255
access-list 101 permit ip host 10.5.10.41 ant
access-list 1 permit ip host 10.5.10.41

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list 1 pool natpool1

interface Fa0/1
 ip nat outside
 ip access-group 101 out

Community Member

Hi Walter,Thanks for the

Hi Walter,

Thanks for the interest. Your suggestion will apply the access-group to the interface, and will manage packets going in/out of the interface. My access-list was to direct certain traffic to the NAT-RULES, not the interface, so that there was no permit/deny on the interface, but a selection of traffic to which NAT-ing was applied....is my way of working possible?

Community Member

I think that you can use the

I think that you can use the access-group in the interface for the traffic input/output and you can use the access-list 1 for the traffic that you want nat

869
Views
0
Helpful
3
Replies
CreatePlease to create content