Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
0
Helpful
2
Replies

Can you NAT between two outside interfaces?

Stephan Romano
Level 1
Level 1

‎02-20-2012 06:29 AM - edited ‎03-04-2019 03:21 PM

I have a development network that, for political reasons, is a little kludgy.

https://supportforums.cisco.com/servlet/JiveServlet/download/3566096-122820/dev_network_logical.jpg

I've attached a logical layout of the network. WAN traffic from 10.7.0.0 gets NAT'd at 172.23.8.3, then forwarded along to 172.23.8.1 which is our corporate firewall. 172.23.0.0 has 172.23.8.3 as its default gateway, but no NAT occurs.

A couple specific destinations need to get routed out the 192.168.1.0 network, though, because that is our DSL modem. Again, NAT needs to occur because we do not manage the modem. So traffic gets NAT'd at 192.168.1.163, and forwarded along.

This works just fine for the 10.7.0.0 network because 10.7.0.254 is an inside interface. The problem comes when 172.23.0.0 traffic tries to get out that way - since 172.23.8.3 is an outside interface, it will not NAT the traffic that's destined for the 192.168.1.0 network... and 192.168.1.1 has no knowledge of our networks.

Is there a way to force NAT to occur when traffic is received on an outside interface, and is destined for another outside interface?

Labels:
Preview file
41 KB
0 Helpful
2 Replies 2

Stephan Romano
Level 1
Level 1

‎02-24-2012 07:22 AM

As a follow-up, this is exceedingly simple. It's true that NAT is not performed between interfaces on the same side.

I have honestly never done NAT without the inside/outside statements. It turns out, NAT can be performed via the NVI - NAT VIrtual Interface - by using the "ip nat enable" command. That makes the NAT completely defined by the access lists without regard to the interface being inside or outside.

Here is the Cisco documentation on NVI:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

Wish I could mark this as answered but there seems to be no way for me to do so against my own reply.

0 Helpful

ty.masse
Level 1
Level 1
In response to Stephan Romano

‎02-24-2012 08:15 AM

Excellent post.  Another thing you could have done, is to make the 172.23 the inside interface for NAT, than create a loopback interface with the 192.168 address and make it the outside interface.  That has worked for me in the past.  I'll keep the NVI concept in my toolbag for next time.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card