08-13-2007 08:33 AM - edited 03-03-2019 06:18 PM
Hello,
I'm trying to do the following, but can't find the way.
I have to configure a 1721 with one Serial and two Ethernets. Serial0 receives internet traffic AND WAN traffic. One Ethernet is connected to the "internal" LAN and the other to the "unsecure" LAN.
A summarized configuration:
interface Serial0
 ip address 172.30.0.41 255.255.255.252
 ip nat outside
interface FastEthernet0
 description INSIDE LAN
 ip address 10.1.0.1 255.255.0.0
interface Ethernet0
 description UNSECURE LAN
 ip address 172.20.0.1 255.255.0.0
 ip nat inside
interface Loopback0
 description IP internet connections
 ip nat outside
 ip address x.x.x.113 255.255.255.240
interface Loopback1
 description IP for GRE-TUNNELS
 ip address 172.30.0.25 255.255.255.255
interface Tunnel1,2,3...
(.../...)
ip nat inside source list NAT interface Loopback0 overload
ip nat inside source static tcp 172.20.0.21 25 x.x.x.114 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip access-list standard NAT
 permit 172.20.0.0 0.0.255.255
The customer needs the following:
- When 172.20.0.99 connects to internet host Z.Z.Z.1, this connection must be NATed as coming from x.x.x.117
- When internet host Z.Z.Z.1 (but... only this host) connects to x.x.x.117 (all ports: TCP, UDP and ICMP), it must be NATed through to host 172.20.0.99
- When the host goes to any other internet host (web surfing, for example), it must not be specifically NATed as x.x.x.117; instead it would be NATed as a generic host (NATed as x.x.x.113)
The only thing I can find is to do something like this:
ip nat inside source static 172.20.0.99 x.x.x.117
But then, ALL internet traffic that goes to x.x.x.117 is NATed to 172.20.0.99, and all traffic from 172.20.0.99 is NATed to x.x.x.117. Where do I say that this static NAT translation is only for/from Z.Z.Z.1?
I tried to apply an access-list to Loopback0, but on loopbacks access-lists don't work.
Is there some workaround to do all this?
Thanks in advance!!
08-13-2007 11:39 AM
Hi
What you need is policy NAT, i.e. you NAT from one address to another not just based on the source IP address but also on the destination IP address. You can do this with route-maps in your NAT statements.
Attached is a link to a white paper on NAT - there are some examples of using route-maps near the end.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
HTH
Jon
08-14-2007 07:29 AM
Hello Jon,
Thanks for your fast reply, your idea put me on the road again :-)
I've created a new access-list to be NATed in the "general way":
ip access-list extended NEWNAT
 deny ip host 172.20.0.99 host Z.Z.Z.1
 permit ip 172.20.0.0 0.0.0.255 any
then changed this:
no ip nat inside source list NAT interface Loopback0 overload
ip nat inside source list NEWNAT interface Loopback0 overload
Now ALL the traffic from host 172.20.0.99 gets NATed, except to the destination Z.Z.Z.1
To do this, as you say:
access-list 188 permit ip host Z.Z.Z.1 host X.X.X.117
access-list 188 permit ip host 172.20.0.99 host Z.Z.Z.1
route-map SPECIALNAT permit 10
 match ip address 188
then:
no ip nat inside source static 172.20.0.99 X.X.X.117
ip nat inside source static 172.20.0.99 X.X.X.117 route-map SPECIALNAT extendable
The packets from 172.20.0.99 to Z.Z.Z.1 are NATed as coming from X.X.X.117
But ALL traffic to X.X.X.117 is statically NATed to 172.20.0.99 :-(
Well...
interface Serial0
 ip access-group BADBOYS in
ip access-list extended BADBOYS
 permit ip host Z.Z.Z.1 host X.X.X.117
 deny ip any host X.X.X.117
(.../...)
Thanks for your guide,
Jose
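The thread's final design combines three mechanisms: a static translation narrowed by route-map SPECIALNAT, the NEWNAT overload on Loopback0, and the inbound BADBOYS ACL on Serial0 that closes the hole Jose observed (the static entry answering for every outside host). The following Python model is an added illustration, not part of the thread and not Cisco's code: it replays the posted ACLs over a few constructed flows so the interaction of policy NAT and the interface ACL can be checked offline. Placeholders are constructed: 192.0.2.117 stands for x.x.x.117, 192.0.2.113 for x.x.x.113 and 198.51.100.1 for Z.Z.Z.1. Since the post shows only the first two lines of BADBOYS, the model assumes the elided remainder ends with `permit ip any any`; the NEWNAT wildcard 0.0.0.255 is taken exactly as posted, and `fixed=False` models the first attempt (plain static NAT, no route-map, no inbound ACL).

```python
"""Model of the NAT and ACL decisions in the thread's final configuration.

Constructed example, not router code. Address placeholders (all constructed):
  x.x.x.117 -> 192.0.2.117   static inside-global for 172.20.0.99
  x.x.x.113 -> 192.0.2.113   overload address (Loopback0)
  Z.Z.Z.1   -> 198.51.100.1  the single permitted internet host
"""
from ipaddress import IPv4Address

INSIDE_HOST = "172.20.0.99"
STATIC_GLOBAL = "192.0.2.117"
OVERLOAD_GLOBAL = "192.0.2.113"
SPECIAL_PEER = "198.51.100.1"

ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """Cisco 'host A.B.C.D' == wildcard 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (s, sw), (d, dw) in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


# ACLs exactly as posted in the thread (placeholders substituted)
NEWNAT = [("deny", host(INSIDE_HOST), host(SPECIAL_PEER)),
          ("permit", ("172.20.0.0", "0.0.0.255"), ANY)]
ACL_188 = [("permit", host(SPECIAL_PEER), host(STATIC_GLOBAL)),
           ("permit", host(INSIDE_HOST), host(SPECIAL_PEER))]
BADBOYS = [("permit", host(SPECIAL_PEER), host(STATIC_GLOBAL)),
           ("deny", ANY, host(STATIC_GLOBAL)),
           ("permit", ANY, ANY)]  # assumed: the post elides the rest of the ACL


class Router:
    def __init__(self, fixed=True):
        self.fixed = fixed          # False = first attempt: static NAT only
        self.next_port = 1024       # simplistic PAT port allocator
        self.pat = {}               # global port -> (inside ip, inside port)

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside. Returns the translated (src, sport) or None."""
        if src == INSIDE_HOST:
            # static entry; with the route-map it applies only to ACL 188 flows
            if not self.fixed or acl_permits(ACL_188, src, dst):
                return (STATIC_GLOBAL, sport)
        if acl_permits(NEWNAT, src, dst):
            gport = self.next_port
            self.next_port += 1
            self.pat[gport] = (src, sport)
            return (OVERLOAD_GLOBAL, gport)
        return None  # no translation configured for this flow

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside on Serial0: inbound ACL first, then NAT lookup."""
        if self.fixed and not acl_permits(BADBOYS, src, dst):
            return "dropped by BADBOYS"
        if dst == STATIC_GLOBAL:
            # The static entry answers for any outside host (the thread's
            # observation); only the interface ACL narrows it to Z.Z.Z.1.
            return (INSIDE_HOST, dport)
        if dst == OVERLOAD_GLOBAL and dport in self.pat:
            return self.pat[dport]   # reply to an existing PAT session
        return "no translation"      # unsolicited traffic to the PAT address


def scenarios(fixed=True):
    """Run the flows the customer cares about; returns a dict for inspection."""
    r = Router(fixed)
    out = {}
    out["99_to_Z"] = r.outbound(INSIDE_HOST, 40000, SPECIAL_PEER, 80)
    out["99_to_web"] = r.outbound(INSIDE_HOST, 40001, "203.0.113.5", 80)
    out["web_reply"] = r.inbound("203.0.113.5", 80, OVERLOAD_GLOBAL, out["99_to_web"][1])
    out["Z_to_117"] = r.inbound(SPECIAL_PEER, 5000, STATIC_GLOBAL, 22)
    out["other_to_117"] = r.inbound("203.0.113.5", 5000, STATIC_GLOBAL, 22)
    out["other_to_113"] = r.inbound("203.0.113.5", 5000, OVERLOAD_GLOBAL, 9999)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} -> {result}")
```

Running `scenarios(fixed=False)` shows the two symptoms from the thread: web traffic from 172.20.0.99 leaves as 192.0.2.117 instead of the overload address, and any outside host reaching 192.0.2.117 is translated to the inside host. With `fixed=True` only the Z.Z.Z.1 flow uses the static address in either direction, and other traffic to it is dropped at Serial0 before NAT is consulted.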