Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Blue

NAT Interfaces

Can you use a L3/SVI vlan interface as a NAT inside or NAT outside interface?

Someone said their NATing did not work until they migrated from an SVI for the NAT outside interface to a physical interface.

Thanks

12 REPLIES
New Member

Re: NAT Interfaces

I know you can use dot1q tagged sub-interfaces for the inside. Not sure about outside, or if it can be done with SVIs.

Hall of Fame Super Silver

Re: NAT Interfaces

Hello Victor,

C6500 supports NAT (it is the only multilayer switch) and supports it on SVIs as well as routed interfaces.

All other multilayer switches don't support NAT.

some small routers like c877 support only SVI L3 interfaces and again ip nat commands are applied to them.

My understanding is that you need a L3 interface to apply the command

ip nat inside|outside.

But I realize that you are probably wondering about ISR routers with etherswitch modules!

Searching on cco for me is very very slow tonight.

Hope to help

Giuseppe

Blue

Re: NAT Interfaces

Giuseppe:

"But I realize that you are probably wondering about ISR routers with etherswitch modules!"

LOLOLOL!! BINGO! Awesome, dude! That is exactly what I am wondering. This guy is using a 2811 with the ethernet NM.

I was surprised when he said that his NAT worked when he migrated the "ip nat outside" command to a physical interface from an SVI.

Let me know when you find out...lol

Thanks

Victor

Hall of Fame Super Blue

Re: NAT Interfaces

Hey Victor

From my experience on 6500 the answer is yes - SVI is just another L3 interface as far as NAT is concerned.

Jon

Blue

Re: NAT Interfaces

Hey, Jon:

I should have been more precise. As Giuseppe guessed (damn, hes good! lol), I was taking about the ISR routers wih the NM modules that allow you to configure SVIs. Thats what the client was using.

Victor

Hall of Fame Super Blue

Re: NAT Interfaces

Victor

Yep Giuseppe is one of the best !

Q. Is it possible to apply NAT on a switch virtual interface (SVI) for Cisco® Integrated Services Routers?

A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.

Full link -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Jon

Blue

Re: NAT Interfaces

Hey, guys:

I got this from the client. His English is difficult to understand when he speaks, but his writing is OK.

By the way, Im assuming, since he said his NATing works now, that he has left out extraneous ip address configs, etc, and is just presenting the NAT portion.

"Here is my config for the nat:

Int vlan22

Ip nat inside

Int gi0/3/0

Ip nat outside

Ip nat inside source static 10.41.207.231 64.13.49.55

I want to restrict access to 10.41.207.231 via 64.13.49.55 by only allowing subnet 206.173.47.0/24"

From what I gather, he is asking about a simple security ACL that would look like this:

access-list 110 permit ip 206.173.47.0 0.0.0.25 host 64.13.49.55

int gi0/3/0

ip access-group 110 in

Since ACL processing is the first thing that would be done on either a NAT inside or NAT outside interface, the destination host should be the NAT'ed (global outside) address. Seems pretty straightforward.

Are you reading his question differently?

Victor

Hall of Fame Super Bronze

Re: NAT Interfaces

Victor,

The ACL will need more ACEs, for instance:

access-list 110 permit ip 206.173.47.0 0.0.0.255 host 64.13.49.55

access-list 110 deny ip any host 64.13.49.55

access-list 110 permit ip any any

You don't want to block the rest of the traffic with the implicit deny all.

Yes, I'm reading the question the same way you are.

Blue

Re: NAT Interfaces

Good point, I have to make sure I am reading him right with regard to which traffic he wants to deny. From his request, it seems like he wants to deny everything, except for that one 206 network, heading to that one server. In other words, I think that the router is servicing that one connection to his server and thats it. Thats why I left the implicit deny all intact. But I may be wrong.

Thanks, Edison

By the way, long time...life OK? I was at 1 Penn the other day and was tempted to look you up at the Cisco office but I didnt want to intrude....

Hall of Fame Super Bronze

Re: NAT Interfaces

Yes, life is good - thanks for asking. Hoping your life is good too :)

I rarely go to One Penn. I spend most of my time at customer sites.

Hall of Fame Super Blue

Re: NAT Interfaces

Victor

Apologies for being a bit slow on the uptake. The etherswitch modules are based on the 3750's so no you won't be able to do NAT on an SVI because you can't on the 3750 switch.

Jon

Blue

Re: NAT Interfaces

That makes sense....but his configuration does work when he uses the vlan interface as the NAT inside. He is using a physical interface as the NAT outside.

No worries about being "slow". I appreciate all your time, always.

Thanks

1474
Views
24
Helpful
12
Replies