Cisco Support Community
Community Member

Subinterfaces and NAT

Hello,

Is it possible to run NAT inside on a subinterface (int f0/0.100) and not run NAT on another subinterface (int f0/0.101)?

7 REPLIES
Hall of Fame Super Blue

Re: Subinterfaces and NAT

Hi

Wasn't 100% sure myself so I just labbed it up and yes it works fine. As long as you just apply the "ip nat inside" statement to the subinterface only it will work.

Jon

Community Member

Re: Subinterfaces and NAT

Would it be possible to help me with the config? Maybe a post of a working config? I can't seem to get it to work.

Thanks for the response...

Jesse

Hall of Fame Super Blue

Re: Subinterfaces and NAT

Jesse

Sounds like it may be more of a NAT config issue than a subinterface one. Here is the basic config I used:

    interface FastEthernet0/0
     ip address 192.168.7.2 255.255.255.252
     ip nat outside
     ip pim sparse-mode
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     ip pim sparse-mode
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.20
     encapsulation dot1Q 20
     ip address 10.9.1.1 255.255.255.240
     ip nat inside
    !
    interface FastEthernet0/1.41
     encapsulation dot1Q 41
     ip address 172.16.8.1 255.255.255.240
    !
    !
    ip nat inside source list 101 interface FastEthernet0/0 overload
    access-list 101 permit ip host 10.9.1.2 host 192.168.22.2

When you test this could you run

"debug ip nat" - that will show you what is happening with NAT and also

"sh ip nat translations".

Could you also post your config?

Jon

Community Member

Re: Subinterfaces and NAT

Hello,

I will post my config asap. I got called to a customer, but will set up this config on my lab router. Thanks for the response.

One question though... The access list, could I just match my internal NAT'd subnet and do this to allow all traffic out

"access-list 101 permit ip any any"

jesse

Hall of Fame Super Blue

Re: Subinterfaces and NAT

Jesse

Yes, you can match what you need to in your access-list.

Jon
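The config and access-list question above, as a simplified model of the three conditions IOS checks before translating a packet under "ip nat inside source list ... overload". This is an added example, not code from the thread: the Python names and the `ACL_INSIDE_SUBNET` entry are assumptions made here, and the model ignores routing and existing translation entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    # IOS wildcard mask: a 1 bit means "ignore this bit" (inverse of a netmask).
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(base) & care)

@dataclass(frozen=True)
class Interface:
    name: str
    nat_role: Optional[str]  # "inside", "outside", or None when no "ip nat" line

@dataclass(frozen=True)
class AclEntry:  # one "permit ip <src> <src-wildcard> <dst> <dst-wildcard>" line
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def is_translated(in_if, out_if, acl, src_ip, dst_ip) -> bool:
    """Model of 'ip nat inside source list <acl> interface <out_if> overload'."""
    # 1) the packet must arrive on an interface marked "ip nat inside"
    # 2) and be routed out of an interface marked "ip nat outside"
    if in_if.nat_role != "inside" or out_if.nat_role != "outside":
        return False
    # 3) and match a permit entry; an ACL ends with an implicit deny
    return any(wildcard_match(src_ip, e.src, e.src_wc) and
               wildcard_match(dst_ip, e.dst, e.dst_wc) for e in acl)

# Interfaces as posted in the thread
FA0_0 = Interface("FastEthernet0/0", "outside")
FA0_1_20 = Interface("FastEthernet0/1.20", "inside")
FA0_1_41 = Interface("FastEthernet0/1.41", None)

ANY = ("0.0.0.0", "255.255.255.255")
ACL_POSTED = [AclEntry("10.9.1.2", "0.0.0.0", "192.168.22.2", "0.0.0.0")]
ACL_ANY_ANY = [AclEntry(*ANY, *ANY)]
# Constructed for this example: only the 10.9.1.0/28 subnet behind Fa0/1.20
ACL_INSIDE_SUBNET = [AclEntry("10.9.1.0", "0.0.0.15", *ANY)]

if __name__ == "__main__":
    for acl_name, acl in [("posted", ACL_POSTED), ("any any", ACL_ANY_ANY),
                          ("inside subnet", ACL_INSIDE_SUBNET)]:
        for in_if, src in [(FA0_1_20, "10.9.1.2"), (FA0_1_41, "172.16.8.2")]:
            print(acl_name, in_if.name, src,
                  is_translated(in_if, FA0_0, acl, src, "192.168.22.2"))
```

Even with "permit ip any any", traffic entering FastEthernet0/1.41 is not translated because that subinterface has no "ip nat inside" statement; the subnet-scoped entry additionally limits translation to sources in 10.9.1.0/28.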

Community Member

Re: Subinterfaces and NAT

Hello,

I am also having an issue with a VPN group on my PIX. I have an internal IP range of 192.168.0.0/24 and when users VPN to the PIX they are getting an IP from a pool of 192.168.99.0/24. Clients that VPN can access everything on the internal network of the PIX, but I need them to be able to access a network we have outside the PIX, but still on our network. Also, with the PIX client, users are using the PIX as their gateway to the outside world.

Jesse

Community Member

Re: Subinterfaces and NAT

I meant that users that VPN to the PIX, that are using the Cisco VPN client, are NOT using the PIX as their gateway to the outside world. Internal IP addresses behind the PIX are accessible to the client (192.168.0.xxx), but if I tracert to, let's say, google.com, the tracert goes through my internet connection at home, and not through the network PIX, which is what I need to happen.

Jesse
