Can I overload a single address contained in a directly connected subnet?

I now have a public IP space: 169.139.247.0/24, but rumor has it I'm shortly going to have only a /26. I moved all my public hosts into a 169.139.247.0/26 VLAN, then NATted the rest from a private 10. space. I wanted to just pick a single address from the /26 space, and started with:

ip nat pool intranet 169.139.247.8 169.139.247.8 netmask 255.255.255.255

but the router (3620, 12.2(6)) complained that I had to allocate at least a .252, so I tried again:

ip nat pool intranet 169.139.247.8 169.139.247.8 netmask 255.255.255.192

and it bought the config, but hosts on the inside VLAN couldn't talk to the outside world anymore (public hosts on the /26 worked fine). I've sidestepped the issue by using

ip nat pool intranet 169.139.247.65 169.139.247.65 netmask 255.255.255.192

for now, and it's working fine, but I'll eventually have to use an address from my /26 space, so I'm wondering how I do that. Or IF I can do that. (I'll accept that if I use it in the pool, I can't use it otherwise.) The docs say that translation occurs before routing on outside->inside traffic, so it would seem that it must know that .8 (for example) needs to be translated, but something's going awry somewhere.

I'm also curious why I can't use a .255 netmask to define a single address; there's no implication in the docs that a pool has to be a proper subnet, but that's the way it looks.

3 REPLIES

Re: Can I overload a single address contained in a directly conn

Options you can try:

1) ip nat pool intranet 169.139.247.2 169.139.247.2 netmask 255.255.255.252

ip nat inside source list x pool intranet overload

2) ip nat inside source list x interface Ethernet0/1 overload

3) ip nat pool intranet 169.139.247.8 169.139.247.8 netmask 255.255.255.192

ip nat inside source static 169.139.247.3 169.139.247.3 (for each public IP that you don't want to nat)

I have never seen a mask /32 with nat overload, always with the proper net mask (eg /24).

Hope it helps.

Steve


Re: Can I overload a single address contained in a directly conn

Thanks; I'm going to try door number 1:

ip nat pool intranet 169.139.247.8 169.139.247.8 netmask 255.255.255.252

ip nat inside source list x pool intranet overload

The DMZ (the public /26 space) is neither an inside nor outside interface, so none of the public addresses are NATted. I'm hopeful that as long as I don't assign pool addresses (e.g., .8-.11) to DMZ hosts, things will work OK, but I clearly need a better understanding of the internal workings of the NAT process.

Test time is Sunday; will let you know what happens.


Re: Can I overload a single address contained in a directly conn

It turns out that the pool address and mask are used to define what I call a "virtual subnet", and NAT will use neither the subnet address nor the broadcast address. Thus to define a single pool address, as I wanted to do, I have to define at least a /30 subnet, and cannot use either the subnet or broadcast address in that subnet. In my example, when I ultimately used

ip nat pool intranet 169.139.247.9 169.139.247.9 netmask 255.255.255.252

it worked fine. Neither .8 nor .11 worked, however. The Cisco engineer I worked with said the netmask was really used as a sanity check to make sure the start-ip and end-ip addresses in the pool made sense.
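The rule reported in the final reply (the pool's netmask defines a "virtual subnet", and NAT will not hand out that subnet's network or broadcast address) can be checked offline before typing the pool into a router. The following is an added example, not code from the thread or from Cisco; the function names and the messages it returns are my own, and it implements only the rule stated above, not the full IOS pool parser.

```python
import ipaddress
from typing import List

def check_nat_pool(start_ip: str, end_ip: str, netmask: str) -> List[str]:
    """Return the problems with an `ip nat pool START END netmask MASK` line.

    Rules applied (as reported in the thread):
      * the mask must leave usable host addresses, so /30 or shorter
        (the router rejected /32; a /31 consists only of the network and
        broadcast addresses, so it is excluded by the same rule);
      * end-ip must not precede start-ip and must sit in the same subnet;
      * neither start-ip nor end-ip may be the subnet (network) address
        or the broadcast address of that subnet.
    An empty list means the pool should be accepted and usable.
    """
    problems = []
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    # strict=False lets a host address stand in for the subnet it belongs to.
    net = ipaddress.IPv4Network(f"{start_ip}/{netmask}", strict=False)
    if net.prefixlen > 30:
        problems.append(f"netmask {netmask} (/{net.prefixlen}) leaves no usable "
                        "host addresses; use 255.255.255.252 or shorter")
        return problems
    if end < start:
        problems.append(f"end-ip {end} precedes start-ip {start}")
    if end not in net:
        problems.append(f"end-ip {end} is outside virtual subnet {net}")
    for label, addr in (("start-ip", start), ("end-ip", end)):
        if addr == net.network_address:
            problems.append(f"{label} {addr} is the subnet address of {net}")
        elif addr == net.broadcast_address:
            problems.append(f"{label} {addr} is the broadcast address of {net}")
    return problems

def usable_pool_addresses(start_ip: str, end_ip: str, netmask: str) -> List[str]:
    """Addresses in [start-ip, end-ip] that NAT can actually allocate under
    the rule above (everything except the network and broadcast addresses)."""
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    net = ipaddress.IPv4Network(f"{start_ip}/{netmask}", strict=False)
    reserved = (net.network_address, net.broadcast_address)
    usable, addr = [], start
    while addr <= end:
        if addr not in reserved:
            usable.append(str(addr))
        addr += 1
    return usable

if __name__ == "__main__":
    # The three /30 pools tried in the thread: .8 and .11 fail, .9 is accepted.
    for host in ("169.139.247.8", "169.139.247.9", "169.139.247.11"):
        print(host, check_nat_pool(host, host, "255.255.255.252") or "OK")
```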
