Can you use a L3/SVI vlan interface as a NAT inside or NAT outside interface?
Someone said their NATing did not work until they migrated from an SVI for the NAT outside interface to a physical interface.
C6500 supports NAT (it is the only multilayer switch) and supports it on SVIs as well as routed interfaces.
All other multilayer switches don't support NAT.
Some small routers like the C877 support only SVI L3 interfaces, and again the ip nat commands are applied to them.
My understanding is that you need a L3 interface to apply the command
ip nat inside|outside.
But I realize that you are probably wondering about ISR routers with etherswitch modules!
Searching on cco for me is very very slow tonight.
Hope to help
"But I realize that you are probably wondering about ISR routers with etherswitch modules!"
LOLOLOL!! BINGO! Awesome, dude! That is exactly what I am wondering. This guy is using a 2811 with the ethernet NM.
I was surprised when he said that his NAT worked when he migrated the "ip nat outside" command to a physical interface from an SVI.
Let me know when you find out...lol
From my experience on 6500 the answer is yes - SVI is just another L3 interface as far as NAT is concerned.
I should have been more precise. As Giuseppe guessed (damn, he's good! lol), I was talking about the ISR routers with the NM modules that allow you to configure SVIs. That's what the client was using.
Yep Giuseppe is one of the best !
Q. Is it possible to apply NAT on a switch virtual interface (SVI) for Cisco® Integrated Services Routers?
A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.
Full link -
I got this from the client. His English is difficult to understand when he speaks, but his writing is OK.
By the way, I'm assuming, since he said his NATing works now, that he has left out extraneous ip address configs, etc., and is just presenting the NAT portion.
"Here is my config for the nat:
Ip nat inside
Ip nat outside
Ip nat inside source static 10.41.207.231 220.127.116.11
I want to restrict access to 10.41.207.231 via 18.104.22.168 by only allowing subnet 22.214.171.124/24"
From what I gather, he is asking about a simple security ACL that would look like this:
access-list 110 permit ip 126.96.36.199 0.0.0.255 host 188.8.131.52
ip access-group 110 in
Since ACL processing is the first thing that would be done on either a NAT inside or NAT outside interface, the destination host should be the NAT'ed (global outside) address. Seems pretty straightforward.
Are you reading his question differently?
The ACL will need more ACEs, for instance:
access-list 110 permit ip 184.108.40.206 0.0.0.255 host 220.127.116.11
access-list 110 deny ip any host 18.104.22.168
access-list 110 permit ip any any
You don't want to block the rest of the traffic with the implicit deny all.
Yes, I'm reading the question the same way you are.
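To make the difference between the two ACLs concrete, here is a small evaluator for the `permit/deny ip` subset of IOS extended ACL syntax. This is added example code, not anything from the thread or from Cisco; the wildcard-mask and first-match semantics are standard IOS behaviour, but the global address (203.0.113.10), the permitted /24 (198.51.100.0/24) and the sample flows are constructed RFC 5737 values standing in for the client's real addresses. The ACL is written against the NAT'ed global address because, as noted above, an inbound ACL on the NAT outside interface is checked before the outside-to-inside translation.

```python
"""Evaluate IOS-style extended ACL lines ('permit|deny ip <src> <dst>' only).

Demonstrates why the one-line ACL blocks everything else on the interface
(implicit deny) while the three-ACE version only fences off the NAT'ed server.
All addresses are constructed RFC 5737 examples, not the client's real ones.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host X', or 'X WILDCARD'.

    Returns ((base, wildcard), index_of_next_token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Turn 'access-list 110 permit ip 198.51.100.0 0.0.0.255 host 203.0.113.10' into a dict."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                      # drop 'access-list <number>'
    action, proto = t[0], t[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return {"action": action, "src": src, "dst": dst}


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    base, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl_lines, src, dst):
    """First matching ACE wins; no match falls through to the implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"]):
            return ace["action"]
    return "deny"                      # implicit deny at the end of every IOS ACL


# Constructed: the static-NAT global address that 10.41.207.231 is reachable as.
SERVER_GLOBAL = "203.0.113.10"

ONE_LINE_ACL = [
    f"access-list 110 permit ip 198.51.100.0 0.0.0.255 host {SERVER_GLOBAL}",
]
THREE_ACE_ACL = ONE_LINE_ACL + [
    f"access-list 110 deny ip any host {SERVER_GLOBAL}",
    "access-list 110 permit ip any any",
]

# Constructed sample flows as seen inbound on the NAT outside interface,
# i.e. before translation, so the destination is still the global address.
FLOWS = [
    ("198.51.100.7", SERVER_GLOBAL),   # the permitted /24 reaching the server
    ("192.0.2.55",   SERVER_GLOBAL),   # any other source reaching the server
    ("192.0.2.55",   "203.0.113.20"),  # unrelated traffic to another global address
]


def compare(flows=FLOWS):
    """Return (src, dst, one-line verdict, three-ACE verdict) for each flow."""
    return [(s, d, evaluate(ONE_LINE_ACL, s, d), evaluate(THREE_ACE_ACL, s, d))
            for s, d in flows]


if __name__ == "__main__":
    for s, d, one, three in compare():
        print(f"{s:>14} -> {d:<14} one-line: {one:<6} three-ACE: {three}")
```

The third flow is the one that separates the two designs: with the single ACE it is dropped by the implicit deny, with the three-ACE list it passes, so only the server is restricted. Which one is right depends on whether the router really carries nothing but that one connection, which is exactly the question raised above.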
Good point, I have to make sure I am reading him right with regard to which traffic he wants to deny. From his request, it seems like he wants to deny everything, except for that one 206 network, heading to that one server. In other words, I think that the router is servicing that one connection to his server and that's it. That's why I left the implicit deny all intact. But I may be wrong.
By the way, long time...life OK? I was at 1 Penn the other day and was tempted to look you up at the Cisco office but I didn't want to intrude....
Yes, life is good - thanks for asking. Hoping your life is good too :)
I rarely go to One Penn. I spend most of my time at customer sites.
Apologies for being a bit slow on the uptake. The etherswitch modules are based on the 3750s, so no, you won't be able to do NAT on an SVI because you can't on the 3750 switch.
That makes sense....but his configuration does work when he uses the vlan interface as the NAT inside. He is using a physical interface as the NAT outside.
No worries about being "slow". I appreciate all your time, always.