https://community.cisco.com/t5/network-security/nat-problem-only-nat-traffic-against-wan-interface/m-p/1594980#M595674 <P>Got multiple vlans, some of them have internal subnets. I only want to SNAT the traffic from vlans with internal subnets that have destination on wan interface. </P><P></P><P>vlan580 = 10.10.10.0/24</P><P>vlan581 = 1.2.8.0/24</P><P></P><P>With this, vlan580 cant reach vlan581</P><P></P><P>access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 172.16.20.0 255.255.255.0 </P><P>access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 10.10.10.0 255.255.255.0 </P><P>nat (vlan580) 0 access-list vlan580_nat0_outbound</P><P>nat (vlan580) 1 0.0.0.0 0.0.0.0</P><DIV> </DIV><DIV>But, removing the 'nat (vlan580) 1 0.0.0.0 0.0.0.0' makes it work. So how can I exempt vlan581 (and a list of other vlans)?</DIV><P></P> Mon, 11 Mar 2019 19:28:57 GMT 3moloz123 2019-03-11T19:28:57Z https://community.cisco.com/t5/network-security/nat-problem-only-nat-traffic-against-wan-interface/m-p/1594980#M595674 <P>Got multiple vlans, some of them have internal subnets. I only want to SNAT the traffic from vlans with internal subnets that have destination on wan interface. </P><P></P><P>vlan580 = 10.10.10.0/24</P><P>vlan581 = 1.2.8.0/24</P><P></P><P>With this, vlan580 cant reach vlan581</P><P></P><P>access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 172.16.20.0 255.255.255.0 </P><P>access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 10.10.10.0 255.255.255.0 </P><P>nat (vlan580) 0 access-list vlan580_nat0_outbound</P><P>nat (vlan580) 1 0.0.0.0 0.0.0.0</P><DIV> </DIV><DIV>But, removing the 'nat (vlan580) 1 0.0.0.0 0.0.0.0' makes it work. So how can I exempt vlan581 (and a list of other vlans)?</DIV><P></P> Mon, 11 Mar 2019 19:28:57 GMT https://community.cisco.com/t5/network-security/nat-problem-only-nat-traffic-against-wan-interface/m-p/1594980#M595674 3moloz123 2019-03-11T19:28:57Z https://community.cisco.com/t5/network-security/nat-problem-only-nat-traffic-against-wan-interface/m-p/1594981#M595676 <HTML><HEAD></HEAD><BODY><P>Can you please share the security level for both vlan580 and vlan581?</P><P>You can configure NAT exemption from high to low security level interface,ie:</P><P></P><P><SPAN style="text-decoration: underline;">assuming that vlan 580 has higher security level than vlan 581</SPAN>, you can add the following access-list:</P><P></P><P>access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.2.8.0 255.255.255.0</P><P>and acl: vlan580_nat0_outbound has been applied to: nat (vlan580) 0 access-list vlan580_nat0_outbound</P><P></P><P>However,<SPAN style="text-decoration: underline;"> if vlan 580 has lower security level than vlan 581</SPAN>, then you would need to configure the following (assuming that you don't have any NAT 0 with ACL applied to vlan581 already):</P><P></P><P>vlan581_nat0 extended permit ip 1.2.8.0 255.255.255.0 10.10.10.0 255.255.255.0</P><P>nat (vlan581) 0 access-list vlan581_nat0</P><P></P><P>If you however have NAT 0 for vlan581, just add to the access-list with the above permit from "1.2.8.0 255.255.255.0" to "10.10.10.0 255.255.255.0"</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 30 Dec 2010 22:20:35 GMT https://community.cisco.com/t5/network-security/nat-problem-only-nat-traffic-against-wan-interface/m-p/1594981#M595676 Jennifer Halim 2010-12-30T22:20:35Z