NAT Best Practices

Hi There,

I have a couple of questions related to NAT.

1. I have a requirement to NAT specific traffic received on the interface to the interface IP itself. I have simulated this with the syntax below.

!
interface GigabitEthernet1/0
 ip address 10.10.172.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet2/0
 ip address 10.10.128.2 255.255.255.0
 ip nat outside
!
ip nat inside source list DR_ACCESS interface GigabitEthernet1/0 overload
!

Having checked the NAT translations, I can achieve the expected results. My question is whether it is OK to perform NAT overload on a NAT inside interface.

 

2. Is the NVI approach useful in my case? As I understand it, by using it we don't need to identify a NAT interface as either an inside or an outside interface. Correct me if I'm wrong.

 

Thanks

3 Replies

Andrew Khalil

Dear prasany@sg.ibm.com,

Greetings,

First, NAT translates the inside users' IP addresses to the outside interface IP address so that they can all be overloaded using the same IP address!

So I am expecting that the outside interface is the last interface that you can manage; after that, it will not be your network (i.e. the ISP network). Your question now is about overloading on the inside interface, so you mean that you want the outside network to access your network by overloading on your inside network?

There are only 2 possibilities: either you are connected to a known network that you can manage (in this case, you have to configure your inside there as an outside to this network and configure an access list, as well as the normal configuration steps that you have already shared in your post!), or you are connected to an unknown network like the ISP that you cannot manage (in this case, you cannot configure overload on the inside; you can't configure anything, as you cannot even access it. It doesn't make sense!)

 

Regarding NVI, the only difference is that you will not identify what is inside or outside; you just use #ip nat enable instead! But anyway, you can't use it (in the case of being connected to an unknown network) because you will need to configure an ACL anyway, and you don't know the addresses that will be permitted! Plus, you don't have access to configure the route!

 

I hope my reply is helpful enough to answer your questions!

 

If you have any more inquiries, please don't hesitate to ask, I will be so happy to help!

Please, don't forget to RATE any helpful responses and MARK solutions!

Bst Rgds,

Andrew Khalil

Hi Andrew,

Thanks for the reply. Actually, I am not using NAT for ISP connectivity; rather, I am using it to overcome some duplicate IP segments between the local and remote sites. My client's requirement is definitely to overload to the NAT inside interface.

 

Thanks 
