Cisco Support Community

IP NAT outside and inside in the same interface

Hello,

I have a problem I haven't had previously. I have a router with 3 interfaces:

interface 1
  Public addressing
  ip nat outside
  (default gateway interface)

interface 2
  Private addressing
  ip nat inside

interface 3
  one public address
  one private address
  ip nat inside and outside????

I have difficulty understanding Cisco IP NAT when there are more than 2 interfaces (one with ip nat inside and another with ip nat outside)... In this case, how can I configure interface 3?

* The private address needs to be NATed when it goes to the internet (interface 1), but this network should be reachable from interface 2 without NATing.

* The public address should be routed (without NAT) to the internet (through interface 1) and shouldn't access interface 2.

How would you solve this? Thanks,

Christian

4 REPLIES

Re: IP NAT outside and inside in the same interface

Hi Christian,

Here's one possible solution:

Configure I/Face 3 as "nat inside"

!
interface 3
 ip nat inside
!

Then for your 1 x private address device, use the "ip nat inside source" cmd in conjunction with an access list & NAT pool to ONLY NAT traffic to the internet -

i.e.

If the traffic is to the internet, the ACL will match/permit it and the traffic is therefore NATed.

On the other hand, if the traffic is to interface 2, then the ACL should not match (deny) and the traffic will not be NATed.

!
ip nat pool letmeout 10.10.10.1 10.10.10.1 prefix 24
!
ip nat inside source list 101 pool letmeout
!
access-list 101 permit ip <Internet destination(s)>
!

You can fine-tune the ACL to your requirements.

Similarly, you can use an interface ACL to block the public IP host device from accessing i/face 2.

Hope this helps!

Cheers

Drew

BTW -

Just curious as to why the single private host on interface 3 was not located on interface 2? (probably a long story!)


IP NAT outside and inside in the same interface

Thank you Andrew, really good contribution. I have private and public addresses in the same VLAN because of some restrictions of a third-vendor network equipment. There is no other solution :-(.

So with this solution I would have 2 inside interfaces and only 1 outside interface. When is access-list 101 checked? Only when there is traffic between an inside interface and an outside interface? Because in that case I could just use a basic access-list "access-list 1 permit ip "... But if the ACL is also checked for traffic between one inside interface and another inside interface, I would have to use the extended access-list....

One additional question... When a packet is checked against ACL 101, if the packet doesn't satisfy the ACL, is the packet routed without NATing or is it directly discarded??

Thanks again.

Christian


IP NAT outside and inside in the same interface

Hi Christian,

Yes, you will have two inside NAT interfaces + one outside interface.

Here's a Cisco NAT reference stating examples with more than one inside interface:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

You can use either a basic or extended ACL - it really depends on your NATing requirements and how granular you need the ACL "match" to be.

As the ACL is only associated with the "ip nat inside source" cmd, i.e. NAT related only, it won't be used for non-NAT routing. The ACL is purely used as a NATing test criterion - if a packet is matched then NAT it; if not, the router will handle it as a non-NAT packet - the ACL's implied "deny" in this case stops it from being NATed, not dropped.

Cheers

Drew


IP NAT outside and inside in the same interface

OK, all clear now. Thank you again Andrew.

Regards,

Christian
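
The approach from the replies above written out as one IOS configuration, as an added example that is not part of the original posts. The interface names and every address are assumptions constructed for illustration (documentation ranges on the public side); it shows the NAT match ACL, whose deny only skips translation, beside the interface ACL, whose deny drops packets.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   interface 2 LAN            192.168.2.0/24
!   interface 3 private host   192.168.3.10
!   interface 3 public host    203.0.113.10
!   NAT pool address           203.0.113.20
!
interface GigabitEthernet0/1
 description interface 1 - public, default gateway side
 ip nat outside
!
interface GigabitEthernet0/2
 description interface 2 - private LAN
 ip nat inside
!
interface GigabitEthernet0/3
 description interface 3 - mixed public/private VLAN
 ip nat inside
 ! Interface ACL: filters packets arriving from the mixed VLAN
 ip access-group 110 in
!
ip nat pool letmeout 203.0.113.20 203.0.113.20 prefix-length 24
ip nat inside source list 101 pool letmeout
!
! ACL 101 is only the NAT match test.
! deny here means "do not translate"; the packet is still routed.
access-list 101 deny   ip host 192.168.3.10 192.168.2.0 0.0.0.255
access-list 101 permit ip host 192.168.3.10 any
! The public host is never listed, so it falls to the implicit deny
! and leaves through interface 1 untranslated.
!
! ACL 110 is a packet filter: deny here drops the packet.
access-list 110 deny   ip host 203.0.113.10 192.168.2.0 0.0.0.255
! Without this explicit permit, the implicit deny would drop
! everything else entering from interface 3.
access-list 110 permit ip any any
```

After applying it, `show ip nat translations` should list entries only for 192.168.3.10, and `show access-lists 110` shows hit counts on the deny line if the public host tries to reach the interface 2 LAN.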
