NAT - need different NAT policy per interface

kbyrd
Level 2

I have a WAN router (2911, IOS 15.2M) with a NAT policy supporting a WAN backup using L2L VPN (DSL connected to an Ethernet interface, IP NAT OUTSIDE, NAT overload). Two IP NAT INSIDE interfaces are on the router: one for data, one for IP Phones.

I have a new requirement to NAT access to a specific server which will require me to put an IP NAT OUTSIDE on the WAN Interface. When I do this, I lose access to my router because of the conflict between the NAT policy that is appropriate for the DSL interface for VPN and my requirement for the WAN interface. Ideally, IP NAT OUTSIDE on the WAN interface and IP NAT INSIDE only for the inside data interface.

Is there a way to set up independent NAT policies and bind them to specific interfaces?

2 Replies

Seb Rupik
VIP Alumni

Hi there,

You should be able to apply an extended ACL to the NAT rule which will NAT based on destination.

Any chance you can post the router config so we can work out what the correct commands might be?

cheers,

Seb.

Richard Burts
Hall of Fame

While it is an appealing thought, using an extended access list will not allow you to specify the NAT for a specific interface. To accomplish this you should configure the NAT using route maps rather than just an access list. In the route map you would have 2 match statements. One statement would match the interface and the other statement would match the access list. This will allow you to bind a specific NAT with a specific interface.

HTH

Rick

Sent from Cisco Technical Support iPhone App
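
The route-map approach described in the reply above, written out as an added example (not posted by anyone in the thread and not the poster's actual configuration). All interface names, subnets, the server address, and the ACL and route-map names are assumptions chosen for illustration.

```cisco
! Constructed example: Gi0/0 = WAN, Gi0/1 = DSL, Gi0/2.10 = data, Gi0/2.20 = phones.
! Addresses are placeholders (RFC 1918 / RFC 5737), not values from the thread.
!
ip access-list extended NAT-DSL
 remark Site-to-site VPN traffic is exempt from NAT, everything else overloads
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
ip access-list extended NAT-WAN-SERVER
 remark Only the data subnet, and only toward the one server
 permit ip 10.10.10.0 0.0.0.255 host 192.0.2.50
!
! Each route map has two match statements: the ACL and the egress interface.
! Both must match, so each NAT rule applies only on its own outside interface.
route-map RM-NAT-DSL permit 10
 match ip address NAT-DSL
 match interface GigabitEthernet0/1
!
route-map RM-NAT-WAN permit 10
 match ip address NAT-WAN-SERVER
 match interface GigabitEthernet0/0
!
ip nat inside source route-map RM-NAT-DSL interface GigabitEthernet0/1 overload
ip nat inside source route-map RM-NAT-WAN interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description WAN
 ip nat outside
!
interface GigabitEthernet0/1
 description DSL backup
 ip nat outside
!
interface GigabitEthernet0/2.10
 description Data VLAN
 ip nat inside
!
interface GigabitEthernet0/2.20
 description IP phones (never matches NAT-WAN-SERVER)
 ip nat inside
```

After applying a configuration like this, `show ip nat translations` and `show route-map` show which rule each flow matched and the per-route-map hit counts.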
