Rookie question: NAT all internal networks to one IP address when accessing the WAN subnet

Hi Everyone

Currently studying CCNA. I'm attempting to NAT any machine on an internal interface to an IP address on the WAN interface:


  1. Fast 0/1: 172.25.0.1/24
  2. Fast 0/0: 172.26.0.1/24
  3. Eth 1/0.18: 172.26.18.1/24
  4. Eth 1/0.19: 172.26.19.1/24

There are machines which connect via Fast 0/0 and both Eth 1/0 sub-interfaces.

Fast 0/1 connects to the internet via 172.25.0.254/24. I'd like to NAT everything from the internal interfaces (2, 3, 4) to 172.25.0.2 when they attempt to access the internet. I do not want them to NAT when they access other machines on the networks (which are locally connected to this router (2621XM)).

The issue at the moment is that the internet router doesn't have a route back for the networks it doesn't have entries for. While writing routes back does fix the problem, I'd like to try it this way too (as a learning exercise).

Does that make sense?

TIA!

Accepted Solution
Yes it does make sense.

1) on fa0/1 you need to add -

ip nat outside

2) on the other interfaces  -

ip nat inside

3) create your acl - 

access-list 101 permit ip 172.26.0.0 0.0.0.255 any

access-list 101 permit ip 172.26.18.0 0.0.0.255 any

access-list 101 permit ip 172.26.19.0 0.0.0.255 any

4) then add a NAT pool -

ip nat pool <name> 172.25.0.2 172.25.0.2 netmask 255.255.255.252

5) add a NAT statement to tie it all together -

ip nat inside source list 101 pool <name> overload

The above should allow you to ping between the subnets and only translate the IPs to the pool IP if you are routed to the outside interface.

Note: if you find that you cannot ping between subnets, then you can modify the ACL above to deny traffic between subnets before the permit statements.

However, you shouldn't need to do this.

Jon
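To make the inside/outside rule in Jon's steps concrete, here is an added Python model of the NAT decision (my code, not from the thread or from Cisco). It assumes shortened interface names and a default route via 172.25.0.254, and shows why ACL 101 alone does not translate traffic between the 172.26.x subnets.

```python
import ipaddress

# Constructed model of the 2621XM in the thread. Interface names are assumed
# short forms of the ones the poster listed; the default route is via 172.25.0.254.
ROUTES = {
    "172.25.0.0/24": "fa0/1",       # ip nat outside
    "172.26.0.0/24": "fa0/0",       # ip nat inside
    "172.26.18.0/24": "eth1/0.18",  # ip nat inside
    "172.26.19.0/24": "eth1/0.19",  # ip nat inside
}
DEFAULT_EXIT = "fa0/1"
NAT_OUTSIDE = {"fa0/1"}
NAT_INSIDE = {"fa0/0", "eth1/0.18", "eth1/0.19"}
POOL_IP = "172.25.0.2"              # the single address in the overload pool

# access-list 101 from the accepted answer: (action, network, wildcard mask).
ACL_101 = [
    ("permit", "172.26.0.0", "0.0.0.255"),
    ("permit", "172.26.18.0", "0.0.0.255"),
    ("permit", "172.26.19.0", "0.0.0.255"),
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

def egress_interface(dst):
    """Longest-prefix match over the connected routes, else the default route."""
    d = ipaddress.IPv4Address(dst)
    hits = [ipaddress.ip_network(n) for n in ROUTES if d in ipaddress.ip_network(n)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))] if hits else DEFAULT_EXIT

def translate(src, dst, ingress):
    """Source address seen on the wire after forwarding, per 'ip nat inside source'."""
    egress = egress_interface(dst)
    # Inside source NAT only fires on the inside -> outside path, so traffic
    # between the 172.26.x subnets is routed untouched even though the ACL
    # would permit it; the ACL alone never triggers a translation.
    if ingress in NAT_INSIDE and egress in NAT_OUTSIDE and acl_action(ACL_101, src) == "permit":
        return POOL_IP
    return src
```

A source the ACL does not cover (a stray 10.x host, say) leaves fa0/1 untranslated, which is the case to check for when verifying what the upstream router actually sees.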


That worked perfectly, thank you!
