Cisco Support Community
Bronze

nat

Hi everybody.

I have a few questions about NAT.

Static NAT:

Please consider the following case:

h1(10.10.10.1)----f0(Router)s0----internet

Router:

int f0

ip address 10.10.10.2/24

ip nat inside

int s0

ip address 200.200.200.1/24

ip nat outside

ip nat inside source static 10.10.10.2 int s0

Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?

How about the following:

ip nat inside source int s0

My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?

Thanks a lot.


11 REPLIES

Re: nat

Sarah,

The easiest way is:

access-list 10 permit 10.10.10.0 0.0.0.255

ip nat inside source list 10 int s0 overload

HTH,

John

HTH, John *** Please rate all useful posts ***
Bronze

Re: nat

Thanks, John.

My intention is to learn how the different parameters in the command "ip nat inside source" work.

My book mentioned different forms of NAT. One form of NAT I was studying is static NAT.

The book only mentions one way to perform static NAT, so I was left wondering if I could perform static NAT as:

ip nat inside source static 10.10.10.1 int s0

I found out I can.

Thanks a lot, John, and have a nice weekend.

Hall of Fame Super Bronze

Re: nat

Sarah,

You sure can, but you are statically assigning 10.10.10.1 to interface s0, and you can't assign other internal IPs (10.10.10.x/24) statically to the same internal interface.

In this situation, you have to do PAT (Port Address Translation), and the source IP addresses would be called from an ACL instead of static NAT.

You must also add the overload keyword to activate PAT. Without the overload keyword, the first address on the translation will take over the process and it will not allow others to be translated.

HTH,

__

Edison.

Hall of Fame Super Bronze

Re: nat

Sarah,

Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?

Yes.

How about the following:

ip nat inside source int s0

The source must be internal - in your case that's the external interface.

My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?

You will need the following:

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list 101 interface s0 overload

Hall of Fame Super Blue

Re: nat

Sarah

"Will the above config perform NAT by replacing host address 10.10.10.2 with the IP address on s0 (200.200.200.1)?"

Yes it will.

"How about the following:

ip nat inside source int s0

My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address with s0's IP address. Will it work?"

No it won't, as there is no option to put the "int" keyword straight after the "source" keyword.

To achieve what you want you need -

access-list 1 permit any

ip nat inside source list 1 int s0/0 overload

Note: if you want to be more specific than just any in ACL 1, you can use specific source IPs, and you can also use extended ACLs if you want src/dst IP/ports.

Jon

Bronze

Re: nat

Thanks, John.

Just out of curiosity, if I have the following config:

ip nat inside source list 111 int s0 overload

access-list 111 permit tcp 199.199.199.0 0.0.0.255 host 2.2.2.2 eq www

Does the above config tell the router to perform NAT only for hosts which fulfil the criteria set out in access-list 111? That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2.

If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111.

Is my understanding correct?

Thanks a lot.

Hall of Fame Super Bronze

Re: nat

Sarah,

Your understanding is correct. That's often called 'conditional natting'.

HTH,

__

Edison.

Hall of Fame Super Blue

Re: nat

Sarah

"That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2"

Yes, except in your ACL you have 199.199.199.0, but your understanding is correct :-)

"If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111."

This is not correct, however. ACL 111 is not used to deny or allow packets; it is merely used to decide which packets to NAT. So any machine on the 198.198.198.0/24 network that telnets to another machine on the other side of the router will be allowed to. It's just that the 198.198.198.x address will not be NATted to the s0 interface, i.e. the source address will remain unchanged.

Jon

Bronze

Re: nat

Very good catch, John.

How about the following config:

int e0

ip address 10.10.1.1/8

ip nat inside

int s0

ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1

ip nat inside source list 1 int s0

Will the above config work?

===============================

How about if i configure:

ip nat pool zee 200.1.1.0 netmask 255.255.255.0

ip nat inside source list 1 pool zee overload

Is the above config correct?

Thanks, and have a nice weekend.

Hall of Fame Super Blue

Re: nat

Sarah

"int e0

ip address 10.10.1.1/8

ip nat inside

int s0

ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1

ip nat inside source list 1 int s0

Will the above config work?"

Yes, it does work, although I did have my doubts, as I thought it might not because the traffic doesn't actually go through the router; rather, the packet originates on the router. Obviously, to test it I used a ping and specified the source address as 10.10.1.1.

Your second example will also work, although you need to modify your config:

ip nat pool zee 200.1.1.1 200.1.1.254 netmask 255.255.255.0

ip nat inside source list 1 pool zee overload

What will happen here is that 200.1.1.1 -> 200.1.1.253 will be used for the first 253 one-to-one NAT connections, then .254 will be used to PAT the rest of them.

Both your examples are a bit misleading, in that your access-list defines the e0 router interface address, whereas usually NAT is used for addresses connected to the interface rather than the actual interface address. But it all still works.

Have a good weekend yourself.

Jon
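The three mechanics discussed above (Edison's point that without "overload" a single global address serves one inside host and the rest go untranslated, Jon's point that the NAT ACL only selects which packets are translated and never drops anything, and the difference between one-to-one dynamic NAT and PAT with "overload") can be checked against a small model. The Python below is an added example, not from this thread and not Cisco's own implementation; the packet and ACL structures, the address-allocation order and the port numbering starting at 1024 are simplifying assumptions, and the sample packets (including the constructed destination 203.0.113.5) are constructed for the demo.

```python
"""Toy model of 'ip nat inside source list <acl> {interface X | pool P} [overload]'.

Added example, not from the thread or from Cisco IOS.  Assumptions:
first-match ACL with implicit deny, global addresses handed out in list
order, PAT ports allocated sequentially from 1024.  Real IOS allocation
differs in detail; only the decision logic is modelled here.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 80


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR; "0.0.0.0/0" is 'any'
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # e.g. 80 for 'eq www'


def acl_permits(acl, pkt):
    """First-match evaluation; falling off the end is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(e.src):
            continue
        if ip_address(pkt.dst) not in ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


class InsideSourceNat:
    def __init__(self, acl, global_addrs, overload=False):
        self.acl = acl
        self.global_addrs = list(global_addrs)  # interface address or pool
        self.overload = overload
        self.bindings = {}    # inside addr -> global addr (one-to-one)
        self.pat_table = {}   # (inside addr, port) -> (global addr, port)
        self._next_port = 1024

    def translate(self, pkt):
        """Return (packet as it leaves the outside interface, outcome)."""
        if not acl_permits(self.acl, pkt):
            # The NAT ACL only chooses what to translate: the packet is
            # still forwarded, with its original source address.
            return pkt, "forwarded-untranslated"
        if self.overload:
            key = (pkt.src, pkt.sport)
            if key not in self.pat_table:
                self.pat_table[key] = (self.global_addrs[0], self._next_port)
                self._next_port += 1
            g_addr, g_port = self.pat_table[key]
            return replace(pkt, src=g_addr, sport=g_port), "pat"
        if pkt.src not in self.bindings:
            used = set(self.bindings.values())
            free = [g for g in self.global_addrs if g not in used]
            if not free:
                # No overload and every global address is bound: further
                # inside hosts cannot be translated (Edison's point).
                return pkt, "no-free-global-address"
            self.bindings[pkt.src] = free[0]
        return replace(pkt, src=self.bindings[pkt.src]), "one-to-one"


def demo_conditional_nat():
    """acl 111 from the thread: only TCP/80 to 2.2.2.2 is translated."""
    acl = [AclEntry("permit", "tcp", "199.199.199.0/24", "2.2.2.2/32", dport=80)]
    nat = InsideSourceNat(acl, ["200.200.200.1"], overload=True)
    web, web_out = nat.translate(Packet("199.199.199.10", "2.2.2.2", dport=80))
    tel, tel_out = nat.translate(Packet("199.199.199.10", "2.2.2.2", dport=23))
    return (web.src, web_out, tel.src, tel_out)


def demo_without_overload():
    """One global address, no 'overload': second inside host is left alone."""
    acl = [AclEntry("permit", "ip", "10.10.10.0/24")]
    nat = InsideSourceNat(acl, ["200.200.200.1"], overload=False)
    first, o1 = nat.translate(Packet("10.10.10.1", "203.0.113.5"))
    second, o2 = nat.translate(Packet("10.10.10.3", "203.0.113.5"))
    return (first.src, o1, second.src, o2)


def demo_overload():
    """Same address with 'overload': both hosts share it on distinct ports."""
    acl = [AclEntry("permit", "ip", "10.10.10.0/24")]
    nat = InsideSourceNat(acl, ["200.200.200.1"], overload=True)
    a, _ = nat.translate(Packet("10.10.10.1", "203.0.113.5", sport=5000))
    b, _ = nat.translate(Packet("10.10.10.3", "203.0.113.5", sport=5000))
    return (a.src, a.sport, b.src, b.sport)


if __name__ == "__main__":
    print(demo_conditional_nat())
    print(demo_without_overload())
    print(demo_overload())
```

The telnet packet in demo_conditional_nat leaves with its inside source address intact rather than being dropped, which is the behaviour Jon describes; anything that must be blocked needs a separate interface ACL, not the NAT list.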

Bronze

Re: nat

Hi John.

First of all, thanks for replying to my long-winded post.

I am a little confused here, as you mentioned the ACL has no effect on locally generated packets; the ACL only affects transit packets. My weird example, which I briefly describe again for reference:

"int e0

ip address 10.10.1.1/8

ip nat inside

int s0

ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1

ip nat inside source list 1 int s0

As you mentioned in your post, the router is still able to perform NAT for a locally generated packet.

The question is why?

I am thinking about it, and in the meantime, if someone finds or knows the answer, please share it with us.

Thanks a lot.
