Solved: NAT Overload (PAT) between two interfaces sharing the same NAT domain

Ricky Sandhu · ‎11-02-2021

Hey all, I have 3 interfaces on a Cisco router, one points to LAN (GE0/1), another to DMZ (GE0/2), and the third one to WAN (GE0/0). Both LAN and DMZ ports are configured with IP NAT INSIDE and WAN is configured with IP NAT OUTSIDE. I have dynamic PAT (overload) configured between LAN and WAN AND between DMZ and WAN to translate internal addresses to my global IP.

If I also want to configure overload between LAN and DMZ so that all packets going from LAN to DMZ have the source address of router's DMZ interface, how can I do that if both ports are configured with IP NAT INSIDE?

Attaching a simple diagram showing what I am trying to achieve.

Ricky Sandhu · ‎11-02-2021

I was able to do what I need by using NVI. I enabled NAT on all interfaces by using the command ip nat enable and then simply overloading an interface based on an ACL.

Eg. Below is an example from my lab on GNS3. All IP addresses are fictious.

interface GigabitEthernet0/0
ip address 66.66.66.3 255.255.255.0 secondary
ip address 66.66.66.2 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 172.18.6.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.10.7.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
ip nat source list ACL-PAT-TO-DMZ interface GigabitEthernet0/2 overload
ip nat source list INTERNET interface GigabitEthernet0/0 overload
ip nat source static 10.10.7.14 66.66.66.3
ip route 0.0.0.0 0.0.0.0 66.66.66.1
!
ip access-list extended ACL-PAT-TO-DMZ
permit ip 172.18.6.0 0.0.0.255 10.10.7.0 0.0.0.255
ip access-list extended INTERNET
permit ip 172.18.6.0 0.0.0.255 any
permit ip 10.10.7.0 0.0.0.255 any

!

Hope this can help someone in future.

View solution in original post

balaji.bandi · ‎11-02-2021

If the LAN and DMZ in same INSIDE, it automtically take where the source IP resides.

what is the reason both should be in INSIDE ?

do you have sample config to understand what is configured ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ricky Sandhu · ‎11-02-2021

Hi BB, we have a few webservers in DMZ that all need to be accessible from the Internet. Also our LAN shares the same Internet uplink so I have both configured as NAT INSIDE so I can overload the WAN interface. I've pasted some configuration below. Let me know if you need more. -Thanks!

interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 172.18.6.1 255.255.255.0 secondary
ip address 172.18.6.2 255.255.255.0
ip nat inside
no ip virtual-reassembly in
zone-member security IN-ZONE
ip tcp adjust-mss 1360
!
interface GigabitEthernet0/3
description $FW_DMZ$
ip address 10.10.7.1 255.255.255.0
ip flow egress
ip nat inside
no ip virtual-reassembly in
zone-member security DMZ-ZONE
ip tcp adjust-mss 1360
duplex auto
speed auto
no snmp trap link-status
!
interface GigabitEthernet0/2
description WAN-CenturyLink $FW_OUTSIDE$
bandwidth 500000
ip address <removed> 255.255.255.248 secondary
ip address <removed> 255.255.255.248 secondary
ip address <removed> 255.255.255.248 secondary
ip address <removed> 255.255.255.248 secondary
ip address <removed> 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
zone-member security OUT-ZONE
duplex auto
speed auto
no cdp enable
no snmp trap link-status
no mop enabled
!
ip nat inside source static tcp 10.10.7.22 80 <removed> 80 extendable
ip nat inside source static tcp 10.10.7.22 81 <removed> 81 extendable
ip nat inside source static tcp 10.10.7.22 443 <removed> 443 extendable
ip nat inside source static tcp 10.10.7.41 53 <removed> 53 extendable
ip nat inside source static udp 10.10.7.41 53 <removed> 53 extendable
ip nat inside source static tcp 10.10.7.41 3009 <removed> 3009 extendable
ip nat inside source static tcp 10.10.7.42 80 <removed> 80 extendable
ip nat inside source static tcp 10.10.7.42 443 <removed> 443 extendable
ip nat inside source static tcp 10.10.7.15 443 <removed> 443 extendable
!
ip nat inside source route-map primary_nat interface GigabitEthernet0/2 overload
!

Ricky Sandhu · ‎11-02-2021

I was able to do what I need by using NVI. I enabled NAT on all interfaces by using the command ip nat enable and then simply overloading an interface based on an ACL.

Eg. Below is an example from my lab on GNS3. All IP addresses are fictious.

interface GigabitEthernet0/0
ip address 66.66.66.3 255.255.255.0 secondary
ip address 66.66.66.2 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 172.18.6.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.10.7.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
ip nat source list ACL-PAT-TO-DMZ interface GigabitEthernet0/2 overload
ip nat source list INTERNET interface GigabitEthernet0/0 overload
ip nat source static 10.10.7.14 66.66.66.3
ip route 0.0.0.0 0.0.0.0 66.66.66.1
!
ip access-list extended ACL-PAT-TO-DMZ
permit ip 172.18.6.0 0.0.0.255 10.10.7.0 0.0.0.255
ip access-list extended INTERNET
permit ip 172.18.6.0 0.0.0.255 any
permit ip 10.10.7.0 0.0.0.255 any

!

Hope this can help someone in future.

balaji.bandi · ‎11-03-2021

Glad to know you found the solution, thank you for sharing your solution for the community users.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help