New Member

Can you NAT between two outside interfaces?

I have a development network that, for political reasons, is a little kludgy.

https://supportforums.cisco.com/servlet/JiveServlet/download/3566096-122820/dev_network_logical.jpg

I've attached a logical layout of the network. WAN traffic from 10.7.0.0 gets NAT'd at 172.23.8.3, then forwarded along to 172.23.8.1 which is our corporate firewall. 172.23.0.0 has 172.23.8.3 as its default gateway, but no NAT occurs.

A couple specific destinations need to get routed out the 192.168.1.0 network, though, because that is our DSL modem. Again, NAT needs to occur because we do not manage the modem. So traffic gets NAT'd at 192.168.1.163, and forwarded along.

This works just fine for the 10.7.0.0 network because 10.7.0.254 is an inside interface. The problem comes when 172.23.0.0 traffic tries to get out that way - since 172.23.8.3 is an outside interface, it will not NAT the traffic that's destined for the 192.168.1.0 network... and 192.168.1.1 has no knowledge of our networks.

Is there a way to force NAT to occur when traffic is received on an outside interface, and is destined for another outside interface?

2 REPLIES
New Member

Re: Can you NAT between two outside interfaces?

As a follow-up, this is exceedingly simple. It's true that NAT is not performed between interfaces on the same side.

I have honestly never done NAT without the inside/outside statements. It turns out, NAT can be performed via the NVI - NAT Virtual Interface - by using the "ip nat enable" command. That makes the NAT completely defined by the access lists without regard to the interface being inside or outside.

Here is the Cisco documentation on NVI:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

Wish I could mark this as answered but there seems to be no way for me to do so against my own reply.

New Member

Re: Can you NAT between two outside interfaces?

Excellent post. Another thing you could have done is to make the 172.23 the inside interface for NAT, then create a loopback interface with the 192.168 address and make it the outside interface. That has worked for me in the past. I'll keep the NVI concept in my toolbag for next time.
