Cisco Support Community
ip nat source static versus ip nat source static network

Hi,

using NAT with NVI, the following statement:

ip nat source static 192.168.255.2 10.0.2.2 vrf kk-C1 extendable

enables communication with the internal host 192.168.255.2 using external IP address 10.0.2.2. The destination address 10.0.2.2 gets translated to 192.168.255.2. In the opposite direction, the traffic from 192.168.255.2 coming out to the external network is subject to translation of the source address 192.168.255.2 to 10.0.2.2. What is important, this works in both directions without any problem.

The following statement:

ip nat source static network 192.168.255.2 10.0.2.2 /32 vrf kk-C1 extendable

does the same thing, because it translates to the same statement as the previous one.

However, the following statement:

ip nat source static network 192.168.255.2 10.0.2.2 /31 vrf kk-C1 extendable

as well as the following one:

ip nat source static network 192.168.255.0 10.0.2.0 /24 vrf kk-C1 extendable

behave differently.

The traffic from 192.168.255.2 coming out to the external network is OK (NAT works in exactly the same manner as described previously). However, the traffic coming from external network to 10.0.2.2 won't get through UNTIL at least one packet comes in the opposite direction...

Is this a bug or feature?

I would not call this a cool feature...

I would very much appreciate any suggestions on how to configure this kind of NAT for a bunch of internal hosts (actually, hundreds of them) without the need to configure hundreds of ip nat statements (one for every pair of IP addresses).

Any ideas?

Regards,

Rosta

2 REPLIES

Re: ip nat source static versus ip nat source static network

Rosta,

You can configure a NAT pool, like the one noted below, to assign a global address from that pool for all your inside users. But you would have no control over what global address the inside users get. If you are trying to access an inside user from outside, then you can combine the one-to-one static NAT and the NAT pool for this to work. If you combine them, then exclude the one-to-one NATted address from the NAT pool address range.

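ip nat inside source list 10 pool TEST vrf kk-C1
ip nat pool TEST 10.0.2.1 10.0.2.254 prefix-length 24
! Wildcard mask added: without it a standard ACL entry matches only the single host 192.168.255.0
access-list 10 permit 192.168.255.0 0.0.0.255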

HTH

Sundar

Re: ip nat source static versus ip nat source static network

Sundar,

thanks for the advice. In fact, I need the NAT for management purposes (I need to manage devices in possibly overlapping user networks, so the first step is to "normalize" all the addresses to a common private address range). So, I need to have the control over what global address the inside devices get.

I really don't want to use hundreds of one-to-one static NAT entries.

Perhaps the "NAT Routemaps Outside-to-Inside Support" feature could be the solution:

http://tinyurl.com/yxru9t

However, I didn't find a way to configure reversible NAT together with VRF.

Anyway, thanks for your prompt reply.

Regards,

Rosta
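
An added example, not part of the thread and not Cisco's code: a Python generator that expands prefix pairs into the per-host `ip nat source static ... extendable` form that the first post reports as working in both directions, keeping each host's offset within the prefix and rejecting overlapping global ranges. The second VRF name `kk-C2` and the `10.0.3.0/24` range are constructed sample values, and it is an assumption that the router accepts the resulting number of entries.

```python
import ipaddress

def static_nat_lines(inside, outside, vrf):
    """Expand one inside/outside prefix pair into per-host NVI static entries.

    The host offset within the prefix is preserved, so 192.168.255.2 pairs
    with 10.0.2.2 exactly as in the statements quoted in the thread.
    """
    in_net = ipaddress.ip_network(inside)    # strict: rejects prefixes with host bits set
    out_net = ipaddress.ip_network(outside)
    if in_net.prefixlen != out_net.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    last = in_net.num_addresses - 1
    lines = []
    for offset in range(in_net.num_addresses):
        # Skip network and broadcast addresses for prefixes shorter than /31.
        if in_net.prefixlen < 31 and offset in (0, last):
            continue
        local = in_net.network_address + offset
        glob = out_net.network_address + offset
        lines.append(f"ip nat source static {local} {glob} vrf {vrf} extendable")
    return lines

def build_config(mappings):
    """mappings: iterable of (vrf, inside_prefix, outside_prefix).

    Inside prefixes may overlap across VRFs (the management case described
    in the thread); global prefixes must not, or two devices would share
    one management address.
    """
    seen = []
    config = []
    for vrf, inside, outside in mappings:
        out_net = ipaddress.ip_network(outside)
        for prev in seen:
            if out_net.overlaps(prev):
                raise ValueError(f"global range {out_net} overlaps {prev}")
        seen.append(out_net)
        config.extend(static_nat_lines(inside, outside, vrf))
    return config

if __name__ == "__main__":
    # Constructed sample: two customer VRFs using the same inside range.
    sample = [
        ("kk-C1", "192.168.255.0/24", "10.0.2.0/24"),
        ("kk-C2", "192.168.255.0/24", "10.0.3.0/24"),  # hypothetical second VRF
    ]
    print("\n".join(build_config(sample)))
```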
