NAT with Two Different WAN connections

I have a 3640 router that has 1 inside interface and 2 outside WAN interfaces. One outside goes to the internet and the other to a private government intranet. My problem is I need to use NAT to convert my internal private range to the appropriate outside range dependent on the destination. Up to this point I have only been able to get one or the other destination to work, not both at the same time. The applicable sections of my config are:

!
interface FastEthernet1/0
 ip address 128.2.6.95 255.255.0.0
 ip nat inside
 speed auto
 half-duplex
!
interface Serial1/0
 description UPD to Adelphia Internet T1 service
 ip address 64.9.112.142 255.255.255.252
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-4
!
interface Serial1/1.16 point-to-point
 description UPD to DCJS
 ip address 159.181.41.42 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16
!
ip nat pool adelphiapool 64.9.116.9 64.9.116.10 netmask 255.255.255.252
ip nat pool dcjspool 10.87.200.2 10.87.200.14 prefix-length 24
ip nat inside source route-map adelphiamap pool adelphiapool
ip nat inside source route-map dcjsmap pool dcjspool
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 159.181.0.0 255.255.0.0 Serial1/1.16 159.181.41.41
no ip http server
!
access-list 1 permit 128.2.6.0 0.0.0.255
access-list 100 deny ip 128.2.6.0 0.0.0.255 159.181.0.0 0.0.255.255
access-list 102 permit ip 128.2.6.0 0.0.0.255 159.181.0.0 0.0.255.255
!
route-map adelphiamap permit 10
 match ip address 100 1
!
route-map dcjsmap permit 10
 match ip address 102
 set ip next-hop 159.181.41.41

Any help is greatly appreciated.

1 REPLY

Re: NAT with Two Different WAN connections

You should modify the route-maps and ACLs as follows.

There is no need for access-list 1.

Access-list 100 can be modified as:

access-list 100 deny ip 128.2.6.0 0.0.0.255 159.181.0.0 0.0.255.255
access-list 100 permit ip 128.2.6.0 0.0.0.255 any

Traffic in your network can be classified into two kinds: one going out to the internet, and the other going out to the corporate (govt) network. The traffic going from your LAN to the corporate intranet is denied (not matched) by ACL 100, while the remaining traffic (that is, internet traffic) is permitted (matched) by ACL 100.

Now, going to ACL 102, you can leave it as you have defined it.

Now, talking about the route-map statements:

route-map adelphiamap permit 10
 match ip address 100

and

route-map dcjsmap permit 10
 match ip address 102

Now, when packets go from inside to outside, NAT is done first, and then comes the routing table lookup to route the packet. So you don't need to set next-hop in the dcjsmap. Even if you set it, this won't work, as policy routing is not configured with this route-map on Fa0/0. So you can safely remove the statement.
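
An added example, not part of the original thread: a simplified Python model of first-match ACL evaluation that compares which NAT pool the question's configuration and the reply's revision select for a given packet. The host and destination addresses in the calls are constructed, and evaluating the NAT rules in configuration order is an assumption of this model, not documented IOS behaviour.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("128.2.6.0/24")     # 128.2.6.0 0.0.0.255
DCJS = ipaddress.ip_network("159.181.0.0/16")  # 159.181.0.0 0.0.255.255

def acl_permits(acl, src, dst):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def pick_pool(nat_rules, acls, src, dst):
    """Return the pool of the first NAT rule whose route-map matches, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_ids, pool in nat_rules:  # assumption: rules tried in config order
        # ACLs listed in one "match ip address" line are ORed together.
        if any(acl_permits(acls[i], src, dst) for i in acl_ids):
            return pool
    return None

# Configuration as posted in the question (ACL 1 is a standard, source-only ACL).
ORIGINAL_ACLS = {
    1: [("permit", LAN, ANY)],
    100: [("deny", LAN, DCJS)],
    102: [("permit", LAN, DCJS)],
}
ORIGINAL_NAT = [((100, 1), "adelphiapool"), ((102,), "dcjspool")]

# Configuration as suggested in the reply (ACL 1 dropped, permit added to ACL 100).
REVISED_ACLS = {
    100: [("deny", LAN, DCJS), ("permit", LAN, ANY)],
    102: [("permit", LAN, DCJS)],
}
REVISED_NAT = [((100,), "adelphiapool"), ((102,), "dcjspool")]

def compare(src, dst):
    """(pool chosen by the question's config, pool chosen by the reply's revision)."""
    return (pick_pool(ORIGINAL_NAT, ORIGINAL_ACLS, src, dst),
            pick_pool(REVISED_NAT, REVISED_ACLS, src, dst))

if __name__ == "__main__":
    for dst in ("159.181.10.5", "198.51.100.7"):  # constructed destinations
        print(dst, compare("128.2.6.20", dst))    # constructed inside host
```

Under this model the question's configuration hands intranet-bound traffic to adelphiapool because access-list 1 permits every inside source regardless of destination, while the reply's ACLs hand it to dcjspool; sources in 128.2.0.0/16 outside 128.2.6.0/24 match neither rule and are not translated.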
