Static NAT with exclusion

ds5879.cisco
Level 1

I would like to be able to NAT a specific address from one private IP to another to help with a routing issue we can't get around and just wanted to verify that the config below will do what I am looking for?

conf t

access-list 101 permit ip host 192.168.1.6 host 172.16.0.1

route-map transStatic permit 10

match ip address 101

ip nat inside source static 192.168.1.6 172.16.0.1

int x/x

ip nat inside

int x/y

ip nat outside

What I want is to translate 192.168.100.6 -> 172.16.0.1. However, this is the ONLY thing I want translated. I do not want any other traffic to/from 192.168.100.6 being translated. If there are any other ways to do this I would be open to those also. Thanks!


Jon Marshall
Hall of Fame

If all you want to do is translate 192.168.1.6 to 172.16.0.1 then you do not need -

1) the acl 101

2) the route-map transStatic

You were not referencing the route-map in your static translation anyway. So all you need is

ip nat inside source static 192.168.1.6 172.16.0.1

int x/x

ip nat inside

int x/y

ip nat outside

Nothing else will be NATted.

You would use a route-map with an ACL if you wanted to NAT 192.168.1.6 to 172.16.0.1 but only if the destination was a specific address/subnet, e.g.

access-list 101 permit ip host 192.168.1.6 host 10.5.5.1

route-map transStatic permit 10

match ip address 101

ip nat inside source static 192.168.1.6 172.16.0.1 route-map transStatic

int x/x

ip nat inside

int x/y

ip nat outside

The above config would NAT 192.168.1.6 to 172.16.0.1 only if the destination that 192.168.1.6 was going to was 10.5.5.1.

Jon

Sorry about the typo with forgetting to add the route map.

Yeah, what you said is understood. But I am essentially trying to create a noNAT like a PIX does. We have other PCs that connect to that host that I don't want translated.

I was thinking that if I did an ACL that denied anything from that host to the subnet in question (192.168.200.x) and then matched that in a route-map it would be like saying "only translate if not talking with that subnet"?

This is getting a bit confusing so can you post

1) Source address you want translated

2) address you want it translated to

3) destination address that the source is trying to reach if this is applicable.

It's still a little unclear. By using "ip nat inside" and "ip nat outside" under interfaces nothing is translated until you add additional config.

Jon

What I want is the following...

source = 192.168.100.6

destination = any

exception to NAT = 192.168.200.0/24

So basically I want to NAT 192.168.100.6 to 172.16.0.1 as long as the traffic is NOT destined for 192.168.200.0/24. Traffic from 192.168.100.6 destined to anything else will get NAT'd to 172.16.0.1. If 192.168.100.6 is talking to the 192.168.200.0/24 network then I don't want any NAT going on.

Thanks!

Hopefully that may clear it up a bit?

access-list 101 deny ip host 192.168.100.6 192.168.200.0 0.0.0.255

access-list 101 permit ip host 192.168.100.6 any

route-map transStatic permit 10

match ip address 101

ip nat inside source static 192.168.100.6 172.16.0.1 route-map transStatic

int x/x

ip nat inside

int x/y

ip nat outside

Jon
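
An added example, not part of the original thread: a small Python model of how ACL 101 and the route-map gate the static translation in the last reply, for checking which destinations get translated before the config is applied. It assumes the inside local address is 192.168.100.6 as stated in the question and models only the inside-to-outside direction; all function names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume one IOS address spec; return (base, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return ip(tokens.pop(0)), 0
    return ip(word), ip(tokens.pop(0))     # address followed by wildcard mask

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    rules = []
    for line in lines:
        tokens = line.split()[2:]          # drop 'access-list' and the number
        action = tokens.pop(0)
        tokens.pop(0)                      # protocol keyword ('ip')
        rules.append((action, parse_addr(tokens), parse_addr(tokens)))
    return rules

def matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_permits(rules, src, dst):
    for action, s, d in rules:             # first matching entry wins
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False                           # implicit deny ends every ACL

def translated_source(rules, inside_local, inside_global, src, dst):
    """Source address after the static NAT conditioned by the route-map."""
    if src == inside_local and acl_permits(rules, src, dst):
        return inside_global
    return src

# ACL 101 exactly as posted in the last reply.
ACL_101 = parse_acl([
    "access-list 101 deny ip host 192.168.100.6 192.168.200.0 0.0.0.255",
    "access-list 101 permit ip host 192.168.100.6 any",
])
```

Calling `translated_source(ACL_101, "192.168.100.6", "172.16.0.1", src, dst)` with a destination inside 192.168.200.0/24 returns the untranslated source; any other destination returns 172.16.0.1.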
