03-24-2011 09:57 AM - edited 03-11-2019 01:12 PM
Can I NAT, let's say, 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination? I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100. I was using static NAT, but perhaps if I defined a NAT pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y. Hmmmm.
03-25-2011 05:47 AM
msch00ley wrote:
Can I NAT, let's say, 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination? I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100. I was using static NAT, but perhaps if I defined a NAT pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y. Hmmmm.
Mike
access-list pnat1 permit ip host 10.10.10.100 host 20.20.20.100
access-list pnat2 permit ip host 10.10.10.100 host 30.30.30.100
static (inside,outside) 10.20.20.100 access-list pnat1
static (inside,outside) 10.30.30.100 access-list pnat2
Jon
03-25-2011 06:51 AM
That looks like an ASA NAT statement, not router?
03-25-2011 09:02 AM
msch00ley wrote:
Can I NAT, let's say, 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination? I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100. I was using static NAT, but perhaps if I defined a NAT pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y. Hmmmm.
Mike
Good point, it is for an ASA, sorry -
access-list 101 permit ip host 10.10.10.100 host 20.20.20.100
access-list 102 permit ip host 10.10.10.100 host 30.30.30.100
route-map PNAT1 permit 10
 match ip address 101
route-map PNAT2 permit 10
 match ip address 102
ip nat inside source static 10.10.10.100 10.20.20.100 route-map PNAT1
ip nat inside source static 10.10.10.100 10.30.30.100 route-map PNAT2
Note that support for using route-maps with static translations was added with 12.4(T), so if your IOS is earlier than that then you would need to use IP NAT pools, e.g.
ip nat pool PNAT1 10.20.20.100 10.20.20.100 prefix-length 30
ip nat pool PNAT2 10.30.30.100 10.30.30.100 prefix-length 30
same access-lists and route-maps as above
ip nat inside source route-map PNAT1 pool PNAT1
ip nat inside source route-map PNAT2 pool PNAT2
Jon
03-31-2011 12:32 PM
Didn't work, the 1st one did, the access-list was matched for both, but wouldn't put a translation for same inside local to different outside local.
Did a clear translations and it pinged using 2nd destination, but then 1st destination wouldn't work.
04-01-2011 04:35 AM
msch00ley wrote:
Didn't work, the 1st one did, the access-list was matched for both, but wouldn't put a translation for same inside local to different outside local.
Did a clear translations and it pinged using 2nd destination, but then 1st destination wouldn't work.
Okay, I labbed it up using dynamips with 12.4(21a) and it worked fine in my lab. I basically had this setup -
R1 connected to R2.
R2 connected to R3 and R4.
on R3 loopback address of 10.10.10.1
on R4 loopback address of 11.11.11.1
R1 source address was 192.168.5.1
config on R2
access-list 101 permit ip host 192.168.5.1 host 10.10.10.1
access-list 102 permit ip host 192.168.5.1 host 11.11.11.1
route-map PNAT1 permit 10
 match ip address 101
route-map PNAT2 permit 10
 match ip address 102
ip nat inside source static 192.168.5.1 192.168.22.1 route-map PNAT1
ip nat inside source static 192.168.5.1 192.168.23.1 route-map PNAT2
I then used ping and telnet to connect from R1 to R3 & R4 and the ip nat translation table on R2 looked like this -
R2#sh ip nat translations
Pro Inside global         Inside local          Outside local      Outside global
tcp 192.168.22.1:42312    192.168.5.1:42312     10.10.10.1:23      10.10.10.1:23
tcp 192.168.23.1:47667    192.168.5.1:47667     11.11.11.1:23      11.11.11.1:23
--- 192.168.22.1          192.168.5.1           ---                ---
--- 192.168.23.1          192.168.5.1           ---                ---
I also did debugs on R3 & R4 to check the source IP of the packet and it was as expected.
So not sure why yours isn't working. What IOS are you running? What is your topology like?
Jon
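A check for the result shown in the post above, as an added example that is not part of the original thread: it parses `show ip nat translations` output and confirms that each destination is reached with the intended inside global address. The function names and the expected-mapping dictionary are assumptions made for illustration; the sample table is the one quoted in the post, with columns re-spaced.

```python
# Translation table as quoted in the post above (columns re-spaced).
SAMPLE = """\
R2#sh ip nat translations
Pro Inside global         Inside local          Outside local      Outside global
tcp 192.168.22.1:42312    192.168.5.1:42312     10.10.10.1:23      10.10.10.1:23
tcp 192.168.23.1:47667    192.168.5.1:47667     11.11.11.1:23      11.11.11.1:23
--- 192.168.22.1          192.168.5.1           ---                ---
--- 192.168.23.1          192.168.5.1           ---                ---
"""

FIELDS = ("inside_global", "inside_local", "outside_local", "outside_global")

def parse_translations(text):
    """Parse 'show ip nat translations' rows into dicts; ports are dropped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp", "---"):
            continue  # prompt, header or blank line
        addrs = [None if p == "---" else p.split(":")[0] for p in parts[1:]]
        rows.append(dict(zip(FIELDS, addrs), proto=parts[0]))
    return rows

def check_policy_nat(text, inside_local, expected):
    """expected maps destination IP -> inside global that must be used for it.

    Returns (mismatches, unseen): extended entries translated to the wrong
    global, and destinations with no extended entry in the table at all.
    """
    mismatches, seen = [], set()
    for row in parse_translations(text):
        dest = row["outside_global"]
        if row["inside_local"] != inside_local or dest not in expected:
            continue  # simple static entries carry no destination (None)
        seen.add(dest)
        if row["inside_global"] != expected[dest]:
            mismatches.append((dest, row["inside_global"], expected[dest]))
    return mismatches, sorted(set(expected) - seen)

if __name__ == "__main__":
    # Hypothetical expected mapping, taken from the lab addresses in the post.
    want = {"10.10.10.1": "192.168.22.1", "11.11.11.1": "192.168.23.1"}
    print(check_policy_nat(SAMPLE, "192.168.5.1", want))
```

An empty mismatch list with an empty unseen list means every destination was exercised and translated as intended; a destination in the unseen list has no extended entry yet, so generate traffic to it before drawing a conclusion.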
04-01-2011 05:43 AM
You are correct, but you have to use route-maps, using just list doesn't work per
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
04-01-2011 06:25 AM
msch00ley wrote:
You are correct, but you have to use route-maps, using just list doesn't work per
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Mike
Sorry, you have lost me there. My original example did use route-maps?
Thanks for rating.
Jon
04-01-2011 06:41 AM
Yes, your original example did use route maps, I was just noting that it won't work with lists and providing the documentation of why.