
how to disallow some ips from NAT overload

ip nat pool nl_nat_pool 213.200.151.169 213.200.151.169 netmask 255.255.255.240
ip nat pool el_nat_pool 124.170.225.105 124.170.225.105 netmask 255.255.255.240
ip nat inside source route-map EL pool el_nat_pool overload
ip nat inside source route-map NL pool nl_nat_pool overload

--------------------------------------------------------------------------------

ip nat inside applied on internal network interface.

--------------------------------------------------------------------------------

Hello folks,

See the configuration above. We have 2 WAN interfaces, and all the internal traffic is NATed here to access the Internet.

My current scenario is like this: I don't want some internal IPs towards a particular destination NATed here.

I.e., say we have 5 VLANs:

192.168.2.0
192.168.3.0
192.168.4.0
192.168.5.0
192.168.6.0

All are overloaded at the WAN interface. Now I want to exclude some IPs in VLAN 2 (192.168.3.0) from overloading. (This is for a site-to-site VPN.) Do you people have any idea about this?

Anith.

4 REPLIES

Re: how to disallow some ips from NAT overload

The following example allows only IPs .10 and .192-.199 to be NATed for Internet access:

ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 10.70.200.10
access-list 1 permit 10.70.200.192 0.0.0.7

You may have to modify your access-lists to accommodate this, but in general, this is a solution to allow or disallow NAT for certain addresses.

regards,

Leo


Re: how to disallow some ips from NAT overload

Thanks Leo, I closed the other links.

And, did you mean my inside access list? No access list, you know.

*****

interface FastEthernet0/0
 ip address 192.168.10.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

*****

ip access-list standard RMED_LAN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255

****

route-map NL permit 10
 description ***** To NL ******
 match ip address RMED_LAN
 match interface FastEthernet0/1/0
!
route-map EL permit 10
 description ***** To el *****
 match ip address RMED_LAN
 match interface FastEthernet0/3/0

*****

anith

Re: how to disallow some ips from NAT overload

From what I understood of your config, you are using a route map to allow NAT. Currently, all IPs in the subnets are allowed. This can be changed as follows:

ip access-list standard RMED_LAN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.127
 permit 192.168.2.192 0.0.0.7
 permit 192.168.3.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255

With this (example) change, only 192.168.2.0-127 and 192-199 are allowed for NAT.

Leo
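
The wildcard-mask matching in the modified RMED_LAN list above, worked through as an added example (not part of the original posts and not Cisco code): it evaluates the list the way a standard ACL is evaluated (first match wins, implicit deny at the end) and lists the hosts that fall out of NAT. The function names are made up for this illustration.

```python
import ipaddress

# RMED_LAN entries as posted in the reply above (address, wildcard mask).
RMED_LAN = """\
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.127
permit 192.168.2.192 0.0.0.7
permit 192.168.3.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
permit 192.168.15.0 0.0.0.255
"""

def parse_acl(text):
    """Return a list of (action, base_int, wildcard_int) entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        action, addr = fields[0], fields[1]
        # A standard ACL entry with no wildcard matches a single host.
        wildcard = fields[2] if len(fields) > 2 else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def acl_action(entries, host):
    """First matching entry wins; no match falls to the implicit deny."""
    h = int(ipaddress.IPv4Address(host))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # wildcard bit 0 means "must match"
        if (h & care) == (base & care):
            return action
    return "deny"

def not_natted(entries, network):
    """Hosts in `network` that the ACL denies, i.e. that skip NAT."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if acl_action(entries, str(h)) == "deny"]

if __name__ == "__main__":
    acl = parse_acl(RMED_LAN)
    skipped = not_natted(acl, "192.168.2.0/24")
    print(len(skipped), "hosts skip NAT:", skipped[0], "...", skipped[-1])
```

A standard ACL matches on source address only, so the hosts it denies skip NAT for every destination, not just the VPN peer.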


Re: how to disallow some ips from NAT overload

Great, it's working.
