Solved: Re: About Router NAT Configuration Consultation

haininghuang3185 · ‎09-05-2024

I have a C1111 router and I configured the following static NAT.

ip nat inside source static 192.168.2.190 172.25.139.241

ip nat inside source static 192.168.2.191 172.25.139.242

ip nat inside source static network 192.168.2.0 192.168.61.0 /24

I would like to know whether the third static NAT configuration will conflict with the previous two static NAT configurations?

What I want to achieve is that 192.168.2.100 and 192.168.2.101 are NATed to 172.25.139.241 and 172.25.139.242 respectively, and the other addresses of 192.168.2.0/24 are NATed to 192.168.61.0/24

paul driver · ‎09-05-2024

Hello

@haininghuang3185 wrote:
Then I need to add the above configuration:

ip nat inside source static network 192.168.2.0 192.168.61.0 /24

I am not sure whether the newly added commands will conflict with the original NAT configuration.

No it WILL not conflict, you will be fine adding this, it will just create an additional permanent static mapping in the translation table along with the other two static mappings prior to any translation.
example::
Inside global Inside local
192.168.2.190 172.25.139.241
192.168.2.191 172.25.139.242
192.168.2.0 192.168.61.0

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

MHM Cisco World · ‎09-05-2024

Friend the router seach NAT for same ingress and egress for host 192.168.2.190 (example) one by one

First it will match NAT

192.168.2.190 172.25.139.241

So it will not continue to match other NAT

192.168.2.0 192.168.61.0

that make 2.190 and 2.191 never NATing to 192.168.61.x

And it worse if he add

Ip nat inside source static network

Above all other NAT.

So we need to find away to solve this conflict.

The idea I have is he use route-map for first two static NAT' where if source is 2.190/2.191 and destiantion is specfic then he will use these NAT

If not the router will match last NAT

MHM

View solution in original post

paul driver · ‎09-05-2024

@haininghuang3185
Just to clarify once more , you will be okay to add that additional static network statement you do not require any route-map statement.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

MHM Cisco World · ‎09-05-2024

There is no such this command

ip nat inside source static network 192.168.2.0 192.168.61.0 /24

What try to do here?

MHM

haininghuang3185 · ‎09-05-2024

There is such a command, which I can configure on the C1111 router. Now I need to add a command, which is ip nat inside source static network 192.168.2.0 192.168.61.0 /24, but I am not sure whether this command will affect my original two commands
ip nat inside source static 192.168.2.190 172.25.139.241
ip nat inside source static 192.168.2.191 172.25.139.242

MHM Cisco World · ‎09-05-2024

Friends there is

One to one

One to many (using pool)

But there is No

Many to many

MHM

haininghuang3185 · ‎09-05-2024

Hello friend,

this command is also one-to-one NAT, which is to implement one-to-one NAT of the entire address segment, 192.168.2.0/24 NAT 192.168.61.0/24

You can look at this post

https://community.cisco.com/t5/routing/static-nat-for-a-complete-subnet/m-p/1297182#M122385

MHM Cisco World · ‎09-05-2024

First time I see such this command,

But you are correct

It one to one if both real and mapped IP use same prefix

And there is no conflict since the real and mapped IP not use in other NAT

MHM

paul driver · ‎09-05-2024

Hello

@MHM Cisco World
But there is No

Many to many
MHM

incorrect yes there is such a feature that can be used like - ip nat inside source static network 192.168.2.0 192.168.61.0 /24

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎09-05-2024

Sorry but why the original post show

192.168.2.0 and screenshot 192.168.100.0?

If it 192.168.100.0 this command not conflict

If it 192.168.2.0 then there is conflicts

MHM

haininghuang3185 · ‎09-05-2024

I currently need to add a command to the original configuration
ip nat inside source static network 192.168.2.0 192.168.61.0 /24

MHM Cisco World · ‎09-05-2024

Are the ingress and egress of both NAT same?

İf not then there is no issue if same then there is conflict.

MHM

haininghuang3185 · ‎09-05-2024

The equipment configuration is as follows:

interface GigabitEthernet0/1/0
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/2
switchport access vlan 101
switchport mode access
!
interface Vlan10
ip address 10.1.32.98 255.255.255.252
ip nat outside
!
interface Vlan101
ip address 192.168.0.6 255.255.255.248
ip nat inside
!
ip nat inside source static 192.168.2.190 172.25.139.241
ip nat inside source static 192.168.2.191 172.25.139.242
！

Then I need to add the above configuration:

ip nat inside source static network 192.168.2.0 192.168.61.0 /24

！

I am not sure whether the newly added commands will conflict with the original NAT configuration.

MHM Cisco World · ‎09-05-2024

If one inside and one outside sure it will conflict.

Do you want to check this case in my lab?

MHM

haininghuang3185 · ‎09-05-2024

It would be better if you can help test it in LAB

paul driver · ‎09-05-2024

Hello

@haininghuang3185 wrote:
I would like to know whether the third static NAT configuration will conflict with the previous two static NAT configurations?

What I want to achieve is that 192.168.2.100 and 192.168.2.101 are NATed to 172.25.139.241 and 172.25.139.242 respectively, and the other addresses of 192.168.2.0/24 are NATed to 192.168.61.0/24

no it should not conflict however, you do have another option and that would be to use an access-list .and deny those static nat from the inside local address range (192.168.2.0/24)

access-list 100 deny ip host 192.168.2.100 any
access-list 100 deny ip host 192.168.2.101 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

no ip nat inside source static network 192.168.2.0 192.168.61.0 /24
ip nat pool POOL 192.168.61.1 192.168.61.254 prefix-length 24
ip nat inside source list 100 pool POOL

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

haininghuang3185 · ‎09-05-2024

I don't want to do dynamic NAT, because I want to implement one-to-one NAT for the entire network segment,
for example
192.168.2.1 NAT 192.168.61.1
192.168.2.2 NAT 192.168.61.2
192.168.2.3 NAT 192.168.61.3
....
192.168.2.253 NAT 192.168.61.253
192.168.2.254 NAT 192.168.61.254