10-23-2012 09:38 AM - edited 03-04-2019 05:56 PM
On a Cisco router is it possible to NAT to a block of IP addresses such that PAT only happens when the last IP address is used?
I used the nat overload command and as far as I can tell it's only using the first IP address in the pool. At what point, if ever, will it use the second, third, fourth, etc? When I didn't use overload, just told it to use the 5 IP address block, the 6th connection outbound failed.
My biggest concern is with IPSec VPN connections, which tend to fail on PAT connections through our ASA. Haven't been able to reproduce through the 2811 router yet...
ip nat pool internet X.X.26.129 X.X.26.132 netmask 255.255.255.248
ip nat inside source list 1 pool internet overload
access-list 1 permit 172.18.0.0 0.0.255.255
Let me know if I'm doing this wrong. On the ASA it's a lot easier, just define a single address following a group address command -
global (outside) 1 X.X.149.46-65.121.149.61
global (outside) 1 X.X.149.45
This uses the pool from 46 - 61, then does PAT on 45 for any additional matches.
Thanks.
10-23-2012 10:05 AM
Hi,
I didn't test but can you try something like this:
ip nat pool DYNPOOL X.X.26.129 X.X.26.132 netmask 255.255.255.248
ip nat pool PATPOOL X.X.26.133 X.X.26.133 netmask 255.255.255.248
ip nat inside source list 1 pool DYNPOOL
ip nat inside source list 1 pool PATPOOL overload
Regards.
Alain
Don't forget to rate helpful posts.
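Added example, not from this thread or from Cisco: a small Python model of the behaviour being asked for (hand out the dynamic pool one-to-one first, then fall back to a single PAT address once the pool is exhausted), written to show why the original five-address pool dropped the sixth outbound host. It also models the IPsec concern in the question: ESP (IP protocol 50) carries no port numbers, so a flow that lands on the PAT address cannot be port-translated and is dropped unless NAT-T (UDP 4500) is in use. Pool addresses and port range are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    src: str               # inside source address
    proto: str             # "tcp", "udp" or "esp"
    sport: Optional[int]   # None for port-less protocols such as ESP


class NatRouter:
    """Dynamic NAT pool with a single-address PAT fallback (constructed model)."""

    def __init__(self, dyn_pool: List[str], pat_addr: Optional[str]):
        self.dyn_pool = list(dyn_pool)
        self.pat_addr = pat_addr
        self.dyn_map: Dict[str, str] = {}        # inside src -> pool address (1:1)
        self.pat_table: Dict[int, Tuple[str, int]] = {}  # outside port -> (src, sport)
        self.next_port = 1024                    # constructed starting port for PAT

    def translate(self, flow: Flow) -> Optional[Tuple[str, Optional[int]]]:
        """Return (outside_ip, outside_port) or None if the flow is dropped."""
        # An inside host already holding a pool address keeps it.
        if flow.src in self.dyn_map:
            return (self.dyn_map[flow.src], flow.sport)
        # Hand out the next free pool address one-to-one.
        free = [a for a in self.dyn_pool if a not in self.dyn_map.values()]
        if free:
            self.dyn_map[flow.src] = free[0]
            return (free[0], flow.sport)
        # Pool exhausted: without a PAT address the flow fails (the "6th connection" case).
        if self.pat_addr is None:
            return None
        # PAT needs a transport port to rewrite; ESP has none, so it is dropped.
        if flow.sport is None:
            return None
        port = self.next_port
        self.next_port += 1
        self.pat_table[port] = (flow.src, flow.sport)
        return (self.pat_addr, port)
```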
10-23-2012 10:38 AM
I'll give that a try tonight. Thanks.