Are PAT and NAT compatible on one interface?

Ron Michaels
Level 1

I am currently using a PAT overload statement to get public addresses on internet traffic.

interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.140.0.1 255.255.254.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly

interface GigabitEthernet0/0.3
description Outside Interface
encapsulation dot1Q 3
ip address 64.22.229.210 255.255.255.248
ip access-group inbound_reflexive_fw_acl in
ip access-group outbound_reflexive_fw_acl out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map Tunnel_to_MarkIV

ip nat inside source list No_Nat_ACL interface GigabitEthernet0/0.3 overload

But now they also want to NAT one address for the video conference unit 10.140.0.8 to 64.22.229.214.

When I put in a static NAT line - ip nat inside source static 10.140.0.8 64.22.229.214

I still can't get out to the internet for a video conference.

3 Replies

Peter Paluch
Cisco Employee

Hi Ron,

Using PAT and NAT like you did should be supported and should work. A couple of questions and hints:

  1. Why is the ACL used for NAT called No_Nat_ACL? What are the contents of this ACL? Please post it here.
  2. Check the show ip nat translation output to see if 10.140.0.8 is correctly mapped to 64.22.229.214. I also suggest adding the IP address 10.140.0.8 to the ACL No_Nat_ACL with a deny action (i.e. a static mapping should be excluded from dynamic mapping).
  3. Do the ACLs inbound_reflexive_fw_acl and outbound_reflexive_fw_acl correctly permit the video traffic?

Best regards,

Peter

Peter,

Thanks for your help. The No_Nat_ACL is where I have all of my deny statements for traffic inside our company and then an allow to NAT the rest. This is where I used your tip to deny the static NAT and it was working.

I already allowed traffic from the internet to this public address that then gets NATed to the private address.

Thanks again,

Ron

Hi Ron,

So adding the static translation as a deny statement to the ACL helped?

By the way, I hope the No_Nat_ACL does not have a permit ip any any at its end. This would be a configuration that is claimed as unsupported by Cisco. Can you perhaps post the ACL here?

Best regards,

Peter
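
The check suggested in point 2 of the first reply, written out as an added example that is not part of the thread: it reads a configuration, finds every static inside address that the PAT access list would also permit, and reports the permit ip any any entry that the last reply asks about. The ACL body in the sample is constructed, since No_Nat_ACL is never posted, and the parser assumes plain one-to-one static entries and extended ACL entries without port operators.

```python
import ipaddress
# Constructed sample: NAT lines are from the thread; the ACL body is hypothetical.
SAMPLE = """\
ip nat inside source list No_Nat_ACL interface GigabitEthernet0/0.3 overload
ip nat inside source static 10.140.0.8 64.22.229.214
ip access-list extended No_Nat_ACL
 deny ip 10.140.0.0 0.0.1.255 10.0.0.0 0.255.255.255
 permit ip 10.140.0.0 0.0.1.255 any
"""
ANY = 0xFFFFFFFF  # wildcard mask meaning "any"
ip4 = lambda text: int(ipaddress.IPv4Address(text))

def take_addr(tok):
    """Pop 'any', 'host A' or 'A WILDCARD' from tok -> (address, wildcard)."""
    head = tok.pop(0)
    if head == "any":
        return 0, ANY
    return (ip4(tok.pop(0)), 0) if head == "host" else (ip4(head), ip4(tok.pop(0)))

def parse(config):
    statics, nat_acls, acls, current = [], [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics.append(ip4(tok[5]))  # inside local address
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acls.append(tok[5])
        elif tok[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tok[3], [])
        elif current is not None and tok and tok[0] in ("permit", "deny"):
            rest = tok[2:]  # drop action and protocol
            current.append((tok[0], take_addr(rest), take_addr(rest)))
        elif tok:
            current = None  # any other command ends the ACL block
    return statics, nat_acls, acls

def audit(config):
    statics, nat_acls, acls = parse(config)
    findings = []
    for name in nat_acls:
        entries = acls.get(name, [])
        if any(a == "permit" and s[1] == d[1] == ANY for a, s, d in entries):
            findings.append(f"{name}: permit ip any any")
        for host in statics:
            # First entry toward 'any' whose source covers the host decides; none = implicit deny.
            hit = next((a for a, s, d in entries if d[1] == ANY and (host | s[1]) == (s[0] | s[1])), "deny")
            if hit == "permit":
                findings.append(f"{name}: static host {ipaddress.IPv4Address(host)} also matches the PAT list")
    return findings
```

Calling audit(SAMPLE) reports the overlap for 10.140.0.8; adding deny ip host 10.140.0.8 any above the permit line clears it.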
