NAT problem, only nat traffic against wan interface

3moloz123
Level 1

Got multiple vlans, some of them have internal subnets. I only want to SNAT the traffic from vlans with internal subnets that have destination on wan interface.

vlan580 = 10.10.10.0/24

vlan581 = 1.2.8.0/24

With this, vlan580 can't reach vlan581

access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 172.16.20.0 255.255.255.0

access-list vlan580_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_58 10.10.10.0 255.255.255.0

nat (vlan580) 0 access-list vlan580_nat0_outbound

nat (vlan580) 1 0.0.0.0 0.0.0.0

But, removing the 'nat (vlan580) 1 0.0.0.0 0.0.0.0' makes it work. So how can I exempt vlan581 (and a list of other vlans)?

1 Reply

Jennifer Halim
Cisco Employee

Can you please share the security level for both vlan580 and vlan581?

You can configure NAT exemption from the high to the low security level interface, i.e.:

assuming that vlan 580 has higher security level than vlan 581, you can add the following access-list:

access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.2.8.0 255.255.255.0

and acl: vlan580_nat0_outbound has been applied to: nat (vlan580) 0 access-list vlan580_nat0_outbound

However, if vlan 580 has lower security level than vlan 581, then you would need to configure the following (assuming that you don't have any NAT 0 with ACL applied to vlan581 already):

access-list vlan581_nat0 extended permit ip 1.2.8.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (vlan581) 0 access-list vlan581_nat0

If you however have NAT 0 for vlan581, just add to the access-list with the above permit from "1.2.8.0 255.255.255.0" to "10.10.10.0 255.255.255.0"

Hope that helps.
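The following is an added, consolidated pre-8.3 ASA configuration for the case the reply covers first (vlan580 has the higher security level); it is not part of the original post or reply. It extends the reply's single access-list line to the "list of other vlans" the question asks about by collecting the internal subnets in an object-group, and adds a packet-tracer check so the exemption can be verified. The interface name "outside", the object-group name INTERNAL_NETS, the assumption that 172.16.20.0/24 is another internal vlan, and the hosts used in the packet-tracer commands (203.0.113.10 is a documentation address) are all assumptions made for this example.

```text
! Added example, not from the original thread. Assumes vlan580 has the
! higher security level, that the WAN-facing nameif is "outside", and that
! 172.16.20.0/24 is another internal vlan.

! Every internal subnet that vlan580 must reach WITHOUT translation
object-group network INTERNAL_NETS
 network-object 1.2.8.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0

! Exemption ACL: source is the vlan580 subnet, destination is any internal subnet.
! Add further internal vlans to INTERNAL_NETS instead of writing new ACL lines.
access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 object-group INTERNAL_NETS

! nat 0 with an access-list is matched before the dynamic rule below
nat (vlan580) 0 access-list vlan580_nat0_outbound

! Everything else from vlan580 (i.e. traffic leaving via the WAN) is PAT'd
! to the outside interface address
nat (vlan580) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! Verification: the first trace should report the NAT exemption and no
! translation; the second should hit the dynamic rule and the outside global.
packet-tracer input vlan580 tcp 10.10.10.5 1025 1.2.8.5 80
packet-tracer input vlan580 tcp 10.10.10.5 1025 203.0.113.10 80
show nat
```

The reason the original configuration broke vlan580 to vlan581 is visible in the rule order: traffic to 1.2.8.0/24 did not match the exemption ACL, so it fell through to "nat (vlan580) 1 0.0.0.0 0.0.0.0", and a dynamic rule with no matching "global" on the egress interface (vlan581) cannot build a translation, so the packet is dropped. Removing the nat 1 rule removed the drop but also removed WAN translation; listing every internal destination in the exemption ACL keeps both working.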
