topic Re: Getting warning IP nat pool too small in Routing and SD-WAN

Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 05:34:57 GMT

I want to NAT single inside IP to multiple outbound IP's based up on the destination subnet. For example :

My appserver should be natted to 10.10.1.10 for packets tx/rx toward customer1
My appserver should be natted to 10.10.2.10 for packets tx/rx toward customer2
My appserver should be natted to 10.10.3.10 for packets tx/rx toward customer3.

I have a router Cisco1921 with Gi0/1 configured with

 ip 192.168.1.1

I have an app server with IP address 192.168.1.10 and gateway 192.168.1.1
I have three customers connected to us using three private point to point circuits.
All the three circuits are connected to my layer 2 Ethernet switch C2960.
On Ethernet switch customer1 is in VLAN 10, customer 2 is in VLAN 20 and customer3 is on VLAN 30.
Cisco router 1921 Gi0/0 has three sub interfaces, one for each customer.I was thinking that I wll create three

ACL

and

NAT POOL

for each customer and use the

ACL

to assign the
seperate pool for each customer. I hit a road block,

ip NAT pool

gives me a warning when I try to create a pool with single ip it is asking for atleast netmask .252 and giving the following warning

Pool NAT-POOL-CUST3 mask 255.255.255.255 too small; should be at least 255.255.255.252

How can I NAT my single inside IP to multiple outbound IP's based upon the destination subnet?

!
interface GigabitEthernet0/1
description LOCAL INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description CUSTOMER1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description CUSTOMER2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
description CUSTOMER3
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
ip route 172.16.101.0 255.255.255.0 172.16.10.2
ip route 172.16.102.0 255.255.255.0 172.16.20.2
ip route 172.16.103.0 255.255.255.0 172.16.30.2
!

ip access-list extended ACL-NAT-CUST1
permit ip host 192.168.1.10 172.16.101.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST2
permit ip host 192.168.1.10 172.16.102.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST3
permit ip host 192.168.1.10 172.16.103.0 0.0.0.255
!

!
ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.255
##I get the warning got the above three commands##

If I get past the warning then I was planning to use the following:
!
ip nat outside source list ACL-CUST1 pool NAT-POOL-CUST1 add-route
ip nat outside source list ACL-CUST2 pool NAT-POOL-CUST2 add-route
ip nat outside source list ACL-CUST3 pool NAT-POOL-CUST3 add-route
!

Re: Getting warning IP nat pool too small

Mark Elsen — Thu, 08 Jun 2023 06:03:00 GMT

The warning you are receiving is because the subnet mask you specified for the

NAT pool

is too small. In order to

NAT

your single inside IP to multiple outbound IPs based on the destination subnet, you need to make a few adjustments to your configuration. First, you need to modify the subnet masks of your subinterfaces on the router to accommodate larger subnets. Change the subnet masks from /30 to /29 or larger. For example:

interface GigabitEthernet0/0.10
description CUSTOMER1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description CUSTOMER2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
description CUSTOMER3
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.248
ip nat outside
ip virtual-reassembly in

Next, modify your ACLs to match the correct destination subnets for each customer:

ip access-list extended ACL-NAT-CUST1
permit ip host 192.168.1.10 172.16.10.0 0.0.0.7
!
ip access-list extended ACL-NAT-CUST2
permit ip host 192.168.1.10 172.16.20.0 0.0.0.7
!
ip access-list extended ACL-NAT-CUST3
permit ip host 192.168.1.10 172.16.30.0 0.0.0.7

Finally, update your NAT pool configuration to use the correct subnet masks:

ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.248
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.248
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.248

With these modifications, you should be able to

NAT

your single inside IP to multiple outbound IPs based on the destination subnets for each customer.

M.

Re: Getting warning IP nat pool too small

KhanAkhtar — Thu, 08 Jun 2023 06:16:43 GMT

The warning you're encountering is due to the fact that you're specifying a single IP address as the

NAT pool

, which requires a

netmask of at least /30 (255.255.255.252)

. However, since you want to map a single inside IP to multiple outbound IPs based on the destination subnet, you need to use a different approach.

Instead of using traditional

NAT pools

, you can achieve your desired

NAT

behavior using Policy-Based NAT (PBR) and route-maps. Here's an example configuration that should work for your scenario:

ip access-list extended ACL-NAT-CUST1
permit ip host 192.168.1.10 172.16.101.0 0.0.0.255

ip access-list extended ACL-NAT-CUST2
permit ip host 192.168.1.10 172.16.102.0 0.0.0.255

ip access-list extended ACL-NAT-CUST3
permit ip host 192.168.1.10 172.16.103.0 0.0.0.255

route-map RM-NAT-CUST1 permit 10
match ip address ACL-NAT-CUST1
set ip next-hop 10.10.1.10

route-map RM-NAT-CUST2 permit 10
match ip address ACL-NAT-CUST2
set ip next-hop 10.10.2.10

route-map RM-NAT-CUST3 permit 10
match ip address ACL-NAT-CUST3
set ip next-hop 10.10.3.10

interface GigabitEthernet0/0.10
ip policy route-map RM-NAT-CUST1

interface GigabitEthernet0/0.20
ip policy route-map RM-NAT-CUST2

interface GigabitEthernet0/0.30
ip policy route-map RM-NAT-CUST3

In this configuration, we're using PBR to match the source traffic based on the corresponding access list for each customer. Then, we set the next-hop IP address to the appropriate outbound IP for

NAT.

Make sure to remove the previous

NAT pool

configurations and the

ip nat outside source

commands you mentioned earlier.

Note that this configuration assumes that the outbound IP addresses (10.10.1.10, 10.10.2.10, 10.10.3.10) are already configured on the router and reachable. Also, ensure that the necessary routing is in place for the next-hop addresses.

Remember to test the configuration thoroughly to ensure it meets your requirements and functions as expected in your specific network environment.

Re: Getting warning IP nat pool too small

S Kumar — Tue, 16 May 2023 20:31:27 GMT

Hi Mr. Khan,

Appreciare your response. Your answer does not fit my requirements but it is good to know about this possibility in case If I need this in future.

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:05:04 GMT

Hi Mark, thanks fir your time and assistance.

I can not change the

netmask

for the WAN interfaces because it also requires the change to be made at far end.
I only need one IP address in the pool per customer. What is the significance

netmask

in the pool?

What will be the impact if I change the

netmask

to .252 ? This way the warning goes away and I still have one IP address per pool.

ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.252
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.252
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.252

Using this solution, can the traffic originate from outside to inside?

Re: Getting warning IP nat pool too small

Rich R — Wed, 17 May 2023 14:59:51 GMT

Agreed - that will route the packets but not NAT them.
To NAT them you use NAT with route-maps. Use static NAT with route-map - each static NAT will then only match the desired traffic and do 1to1 translation on the IP.
Take a look at this example: https://www.ciscozine.com/using-route-maps-for-conditional-nat/

FYI: in your config the ACL names don't match the names of ACLs used with NAT.

Re: Getting warning IP nat pool too small

MHM Cisco World — Wed, 17 May 2023 17:02:39 GMT

sorry dont get what you want here,
there are three VLAN and you need static NAT for these VLAN subnet ?
can you more elaborate ?

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:18:24 GMT

Rich,

Appreciate your help, this is exactly what I was looking for. I had done a slightly different implementation. I had used route-maps with loop back interfaces instead of

nat pools:

!
interface Loopback1
description USED-FOR-NAT-INTERFACE-CUST1
ip address 10.10.1.10 255.255.255.255
!
interface Loopback2
description USED-FOR-NAT-INTERFACE-CUST2
ip address 10.10.2.10 255.255.255.255
!
interface Loopback3
description USED-FOR-NAT-INTERFACE-CUST3
ip address 10.10.3.10 255.255.255.255
!

!
route-map RM-CUST1 permit 10
match ip address ACL-NAT-CUST1
!
route-map RM-CUST2 permit 10
match ip address ACL-NAT-CUST2
!
route-map RM-CUST3 permit 10
match ip address ACL-NAT-CUST3
!
ip nat inside source route-map RM-CUST1 interface Loopback1 overload reversible
ip nat inside source route-map RM-CUST2 interface Loopback2 overload reversible
ip nat inside source route-map RM-CUST3 interface Loopback3 overload reversible
!

Re: Getting warning IP nat pool too small

S Kumar — Wed, 17 May 2023 20:56:57 GMT

MHM,

My requirement was as explained in this article.https://www.ciscozine.com/using-route-maps-for-conditional-nat/

Appreciate your time.

Re: Getting warning IP nat pool too small

MHM Cisco World — Thu, 08 Jun 2023 06:19:31 GMT

I Dont get it' if you direct traffic to lo1 then you dont need any route-map'

This conditional

NAT

for

multi ISP.

Here I dont see any reason you use it.

Re: Getting warning IP nat pool too small

MHM Cisco World — Thu, 08 Jun 2023 06:26:50 GMT

friend I know exactly what it conditional

NATing


interface Loopback1
description USED-FOR-NAT-INTERFACE-CUST1
ip address 10.10.1.10 255.255.255.255

route-map RM-CUST1 permit 10
match ip address ACL-NAT-CUST1

ip nat

inside source route-map RM-CUST1 interface Loopback1 overload reversible

from OUTside ping to INside using the LO1, here what is idea of using the route-map

route-map using to match egress interface for

multi ISP

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:31:32 GMT

MHM,

I have no doubt on your expertise. In fact, I have a great respect for you because I have benefited from your responses to various posts.
This article explains the different between access-list vs route-map and decided to use route-map based on this article. Even though it was written for ISO 12.x and we are on 15.x and I assume it still applies.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

Three customer sites privately connected to us and wants to use the services hosted on the same server. Because of various reasons (security, overlapping subnets etc...) each customer want us to use customer provided IP address on our server. Instead of configuring multiple IP's on our server, we decided to do the policy

NAT

as you referred as

conditional NAT

.

While I have your attention, I would appreciate your help with following:
What would you recommend, using the loopback interface as I explained above or using the static

natting

as explained in ciscozone above article.
Natting should be work in both directions, server can also initiate a request going towards customers and customer can also initiate request coming in into server.
How many

natting

translations can be supported by this method?

Re: Getting warning IP nat pool too small

Rich R — Thu, 08 Jun 2023 06:35:05 GMT

Whichever way works best for you - if they both work then it's a matter of preference. Some of the

NAT

features (like DNS ALG) can behave differently depending on how it's configured but if you're not relying on any of those then probably doesn't matter.

How many translations? That will depend on platform, IOS version and memory. If it's a hardware based switching platform (like ASR1K for example) then it will depend on TCAM in the FP. Basically check the specs for what you're using and test. Realistically, unless you're planning to have millions of translations you'll probably be ok.

Re: Getting warning IP nat pool too small

MHM Cisco World — Thu, 18 May 2023 00:08:56 GMT

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:36:20 GMT

Guys,

Appreciate all the help. One more question. I also have to apply the crypto map to the outside interface lets say gi0/0.10. The crypto map ACL should include the pre-

NATsource IP or post-NAT source IP?

Re: Getting warning IP nat pool too small

MHM Cisco World — Thu, 08 Jun 2023 06:41:30 GMT

VPN traffic must not

NATing

VPN must override

NAT

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:43:16 GMT

Could you please elaborate? What are my options if I have to use

NAT

with IPSEC?
I have done

natting

on vpn traffic various times, my experience is more on

ASA

. This is the first time, I have to deal with this stuff on a router.

Re: Getting warning IP nat pool too small

MHM Cisco World — Fri, 19 May 2023 17:52:20 GMT

good luck

Re: Getting warning IP nat pool too small

Rich R — Fri, 19 May 2023 17:33:54 GMT

I think it should work. Depends on inside/outside direction but assuming it's inside -> outside then the crypto map ACL should match the IP after NAT I believe. But as always - test to confirm.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

ps. also never had trouble with sending NATed packets up VPN.

Re: Getting warning IP nat pool too small

S Kumar — Thu, 08 Jun 2023 06:43:55 GMT

Rich,

Appreciate your response, I had already gone through the article you posted but I could not comprehend it. I changed the access list to post-

NAT IP

in my lab setup and it worked.