https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496616#M1084779 <P>Hey all,&nbsp; I have 3 interfaces on a Cisco router, one points to LAN (GE0/1), another to DMZ (GE0/2), and the third one to WAN (GE0/0).&nbsp; Both LAN and DMZ ports are configured with IP NAT INSIDE and WAN is configured with IP NAT OUTSIDE. I have dynamic PAT (overload) configured between LAN and WAN AND between DMZ and WAN to translate internal addresses to my global IP.&nbsp;</P><P>If I also want to configure overload between LAN and DMZ so that all packets going from LAN to DMZ have the source address of router's DMZ interface, how can I do that if both ports are configured with IP NAT INSIDE?</P><DIV class="">&nbsp;</DIV><P>Attaching a simple diagram showing what I am trying to achieve.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="diagram.jpg" style="width: 541px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/136395i417FD6C34F48AB41/image-dimensions/541x287?v=v2" width="541" height="287" role="button" title="diagram.jpg" alt="diagram.jpg" /></span></P><P>&nbsp;&nbsp;</P><P>&nbsp;</P> Tue, 02 Nov 2021 15:13:41 GMT Ricky Sandhu 2021-11-02T15:13:41Z https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496616#M1084779 <P>Hey all,&nbsp; I have 3 interfaces on a Cisco router, one points to LAN (GE0/1), another to DMZ (GE0/2), and the third one to WAN (GE0/0).&nbsp; Both LAN and DMZ ports are configured with IP NAT INSIDE and WAN is configured with IP NAT OUTSIDE. I have dynamic PAT (overload) configured between LAN and WAN AND between DMZ and WAN to translate internal addresses to my global IP.&nbsp;</P><P>If I also want to configure overload between LAN and DMZ so that all packets going from LAN to DMZ have the source address of router's DMZ interface, how can I do that if both ports are configured with IP NAT INSIDE?</P><DIV class="">&nbsp;</DIV><P>Attaching a simple diagram showing what I am trying to achieve.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="diagram.jpg" style="width: 541px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/136395i417FD6C34F48AB41/image-dimensions/541x287?v=v2" width="541" height="287" role="button" title="diagram.jpg" alt="diagram.jpg" /></span></P><P>&nbsp;&nbsp;</P><P>&nbsp;</P> Tue, 02 Nov 2021 15:13:41 GMT https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496616#M1084779 Ricky Sandhu 2021-11-02T15:13:41Z https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496626#M1084780 <P>If the LAN and DMZ in same INSIDE, it automtically take where the source IP resides.</P> <P>&nbsp;</P> <P>what is the reason both should be in INSIDE ?</P> <P>&nbsp;</P> <P>do you have sample config to understand what is configured ?</P> <P>&nbsp;</P> Tue, 02 Nov 2021 15:24:38 GMT https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496626#M1084780 balaji.bandi 2021-11-02T15:24:38Z https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496653#M1084781 <P>Hi BB,&nbsp; we have a few webservers in DMZ that all need to be accessible from the Internet.&nbsp; Also our LAN shares the same Internet uplink so I have both configured as NAT INSIDE so I can overload the WAN interface. I've pasted some configuration below.&nbsp; Let me know if you need more.&nbsp; -Thanks!</P><P>&nbsp;</P><P>interface GigabitEthernet0/1.1<BR />encapsulation dot1Q 1 native<BR />ip address 172.18.6.1 255.255.255.0 secondary<BR />ip address 172.18.6.2 255.255.255.0<BR />ip nat inside<BR />no ip virtual-reassembly in<BR />zone-member security IN-ZONE<BR />ip tcp adjust-mss 1360<BR />!<BR />interface GigabitEthernet0/3<BR />description $FW_DMZ$<BR />ip address 10.10.7.1 255.255.255.0<BR />ip flow egress<BR />ip nat inside<BR />no ip virtual-reassembly in<BR />zone-member security DMZ-ZONE<BR />ip tcp adjust-mss 1360<BR />duplex auto<BR />speed auto<BR />no snmp trap link-status<BR />!<BR />interface GigabitEthernet0/2<BR />description WAN-CenturyLink $FW_OUTSIDE$<BR />bandwidth 500000<BR />ip address &lt;removed&gt; 255.255.255.248 secondary<BR />ip address &lt;removed&gt; 255.255.255.248 secondary<BR />ip address &lt;removed&gt; 255.255.255.248 secondary<BR />ip address &lt;removed&gt; 255.255.255.248 secondary<BR />ip address &lt;removed&gt; 255.255.255.248<BR />no ip redirects<BR />no ip unreachables<BR />no ip proxy-arp<BR />ip nat outside<BR />no ip virtual-reassembly in<BR />zone-member security OUT-ZONE<BR />duplex auto<BR />speed auto<BR />no cdp enable<BR />no snmp trap link-status<BR />no mop enabled<BR />!<BR />ip nat inside source static tcp 10.10.7.22 80 &lt;removed&gt; 80 extendable<BR />ip nat inside source static tcp 10.10.7.22 81 &lt;removed&gt; 81 extendable<BR />ip nat inside source static tcp 10.10.7.22 443 &lt;removed&gt; 443 extendable<BR />ip nat inside source static tcp 10.10.7.41 53 &lt;removed&gt; 53 extendable<BR />ip nat inside source static udp 10.10.7.41 53 &lt;removed&gt; 53 extendable<BR />ip nat inside source static tcp 10.10.7.41 3009 &lt;removed&gt; 3009 extendable<BR />ip nat inside source static tcp 10.10.7.42 80 &lt;removed&gt; 80 extendable<BR />ip nat inside source static tcp 10.10.7.42 443 &lt;removed&gt; 443 extendable<BR />ip nat inside source static tcp 10.10.7.15 443 &lt;removed&gt; 443 extendable<BR />!<BR />ip nat inside source route-map primary_nat interface GigabitEthernet0/2 overload<BR />!</P> Tue, 02 Nov 2021 15:51:23 GMT https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496653#M1084781 Ricky Sandhu 2021-11-02T15:51:23Z https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496882#M1084792 <P>I was able to do what I need by using NVI.&nbsp; I enabled NAT on all interfaces by using the command ip nat enable and then simply overloading an interface based on an ACL.</P><P>Eg.&nbsp; Below is an example from my lab on GNS3.&nbsp; All IP addresses are fictious.</P><P>&nbsp;</P><P>interface GigabitEthernet0/0<BR />ip address 66.66.66.3 255.255.255.0 secondary<BR />ip address 66.66.66.2 255.255.255.0<BR />ip nat enable<BR />ip virtual-reassembly in<BR />duplex auto<BR />speed auto<BR />media-type rj45<BR />!<BR />interface GigabitEthernet0/1<BR />ip address 172.18.6.1 255.255.255.0<BR />ip nat enable<BR />ip virtual-reassembly in<BR />duplex auto<BR />speed auto<BR />media-type rj45<BR />!<BR />interface GigabitEthernet0/2<BR />ip address 10.10.7.1 255.255.255.0<BR />ip nat enable<BR />ip virtual-reassembly in<BR />duplex auto<BR />speed auto<BR />media-type rj45<BR />!<BR />ip nat source list ACL-PAT-TO-DMZ interface GigabitEthernet0/2 overload<BR />ip nat source list INTERNET interface GigabitEthernet0/0 overload<BR />ip nat source static 10.10.7.14 66.66.66.3<BR />ip route 0.0.0.0 0.0.0.0 66.66.66.1<BR />!<BR />ip access-list extended ACL-PAT-TO-DMZ<BR />permit ip 172.18.6.0 0.0.0.255 10.10.7.0 0.0.0.255<BR />ip access-list extended INTERNET<BR />permit ip 172.18.6.0 0.0.0.255 any<BR />permit ip 10.10.7.0 0.0.0.255 any</P><P>!</P><P>&nbsp;</P><P>&nbsp;</P><P>Hope this can help someone in future.</P><P>&nbsp;</P> Wed, 03 Nov 2021 01:17:52 GMT https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4496882#M1084792 Ricky Sandhu 2021-11-03T01:17:52Z https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4497011#M1084795 <P>Glad to know you found the solution, thank you for sharing your solution for the community users.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 03 Nov 2021 09:23:19 GMT https://community.cisco.com/t5/network-security/nat-overload-pat-between-two-interfaces-sharing-the-same-nat/m-p/4497011#M1084795 balaji.bandi 2021-11-03T09:23:19Z