NAT overload and host portion preservation

kevtown
Level 1

I need help configuring NAT on a Cisco 1710.

The two interfaces being utilized are:

int FastEthernet0

description connected to primary local area network

ip address 172.16.11.1 255.255.255.0

int Async5

description PPP connection from remote-users and extranet router using DDR (may have any peer address 0.0.0.0 )

ip unnumbered FastEthernet0

Here are the translations I want to occur:

I want all incoming ip packets on interface Async5 that are being routed to 172.16.11.0 subnet to appear as though they are originating from the FastEthernet0 interface.

Note: This looks like it would be accomplished by using NAT overload, but I believe that involves marking the FastEthernet0 interface as ip nat outside, which it is not.

I also want any incoming ip packet on interface Async5 with a destination address on subnet 10.33.33.0 to have its destination network address translated to 172.16.11.0, but I want the host portion of the address to remain unchanged.

Note: I think this would involve creating a nat pool of type match-host.

If someone could give me guidance on how to do this and perhaps even a sample configuration I would really appreciate it.

Thank you

2 Replies

gfullage
Cisco Employee

Haven't tested the following, but give it a go:

int fa0

ip nat outside

int async5

ip nat inside

ip nat inside source list 100 inter fa0 overload

access-list 100 permit ip any 172.16.11.0 0.0.0.255

ip nat inside destination list 110 pool natpool

ip nat pool natpool 172.16.11.0 172.16.11.255 pre 24 type match-host

access-list 110 permit ip any 10.33.33.0 0.0.0.255

As I said, haven't tested it, destination NAT is rarely used but this should get you close to what you want. Do a "sho ip nat trans" after running a few tests to show what you're getting.

Thanks gfullage,

The part of the solution you suggested using NAT overload is basically what I tried. It does work, but unfortunately it does require that I mark the actual inside port as outside and vice versa, which I had hoped to avoid.

For some reason I was never able to get a hit on the access-list for the "match-host" translation you suggested. I have however found an alternate solution using static translations that appears to be working well.

The command is as follows:

ip nat outside source static network 172.16.11.0 10.33.33.0 /24

At any rate the needed translations are occurring now.
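
The host-preserving mapping that the static network rule in the last reply sets up, modelled in Python as an added example (not code from the thread or from Cisco) for checking ACLs or correlating logs against translated addresses. It assumes Async5 is marked `ip nat inside` and FastEthernet0 `ip nat outside`, as in the suggested configuration; the function names and the remote address 192.168.5.9 are constructed for illustration.

```python
import ipaddress

# Rule from the thread:
#   ip nat outside source static network 172.16.11.0 10.33.33.0 /24
GLOBAL_NET = ipaddress.ip_network("172.16.11.0/24")  # real LAN addresses
LOCAL_NET = ipaddress.ip_network("10.33.33.0/24")    # LAN as seen from Async5


def map_prefix(addr, src_net, dst_net):
    """Swap the network bits of addr from src_net to dst_net, keeping host bits.

    Returns addr unchanged when it is not in src_net (no entry matches).
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 network translation needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        return str(ip)
    host_bits = int(ip) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def translate(packet, direction):
    """Apply the rule to a (src, dst) pair.

    Assumed roles: Async5 = nat inside, FastEthernet0 = nat outside.
    in2out rewrites the destination (local -> global);
    out2in rewrites the source (global -> local).
    """
    src, dst = packet
    if direction == "in2out":
        return (src, map_prefix(dst, LOCAL_NET, GLOBAL_NET))
    if direction == "out2in":
        return (map_prefix(src, GLOBAL_NET, LOCAL_NET), dst)
    raise ValueError("direction must be 'in2out' or 'out2in'")


if __name__ == "__main__":
    # Constructed sample: remote user 192.168.5.9 reaching LAN host .42
    print(translate(("192.168.5.9", "10.33.33.42"), "in2out"))
    print(translate(("172.16.11.42", "192.168.5.9"), "out2in"))
```

The static rule leaves the remote user's source address untouched; hiding it behind the FastEthernet0 address is the job of the separate overload rule.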
