04-08-2020 04:21 AM
Good day, need a little assistance.
I need IP 192.168.1.1 to be NAT'd to 100.1.1.2 for internet access when the destination is NOT 10.10.10.0/24 (tunnel destination). The egress interface is the same. Can anyone provide an example of this?
Much appreciated.
04-08-2020 05:57 AM
You can have multiple NAT statements using the same egress interface.
Use an access-list for "interesting traffic" for the VPN (maybe already present for NAT or noNAT to the VPN?):
permit traffic to the 10.10.10.0/24 destination
deny all other traffic
Create another access-list:
deny traffic to the 10.10.10.0/24 destination
permit 192.168.1.1 to any (or whatever but not 10.10.10.0/24)
Use this access-list to NAT 192.168.1.1 to 100.1.1.2.
Details can be found in this document.
04-08-2020 06:28 AM
It would be a static NAT. The IPs I've given are just an example, not the actual ones. Thanks
04-08-2020 06:31 AM
Here is an example from another message on this forum: I assume this is what I would need, correct? Thanks all!
access-list 101 deny ip host 192.168.100.6 192.168.200.0 0.0.0.255
access-list 101 permit ip host 192.168.100.6 any
!
route-map transStatic permit 10
 match ip address 101
!
! static NAT applied only to traffic the route-map permits;
! the inside local address has to be the host that ACL 101 matches
ip nat inside source static 192.168.100.6 172.16.0.1 route-map transStatic
!
int x/x
 ip nat inside
int x/y
 ip nat outside
04-08-2020 06:44 AM
Hi,
Yes, use a route-map with the ACL. For static NAT you have to use a route-map, but in general, policy NAT can only work with route-maps.
With your given example, 192.168.100.6 will get NAT'ed into 172.16.0.1 when accessing any destination except 192.168.200.0/24. For reverse session initiation, if you also want all hosts except 192.168.200.0/24 to be allowed to reach 172.16.0.1/192.168.100.6, add the "reversible" keyword at the end of your NAT statement.
Regards,
Cristian Matei.
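The behaviour described in the reply above can be checked offline before the ACL goes onto a router. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation with wildcard masks and the implicit deny, applied to ACL 101 as posted. It assumes the inside local address 192.168.100.6 used in that reply, uses 8.8.8.8 as a constructed internet destination, and models only inside-initiated traffic (the "reversible" keyword is not modelled).

```python
import ipaddress
# ACL 101 exactly as posted in the thread (Cisco wildcard masks).
ACL_101 = """\
access-list 101 deny ip host 192.168.100.6 192.168.200.0 0.0.0.255
access-list 101 permit ip host 192.168.100.6 any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    # Consume one address spec from the token list: any | host A | A WILDCARD.
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        rules.append((tokens[2], take_spec(rest), take_spec(rest)))
    return rules

def matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_permits(rules, src, dst):
    """First matching entry wins; no match at all is the implicit deny."""
    for action, src_spec, dst_spec in rules:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action == "permit"
    return False

def translate(rules, src, dst, local="192.168.100.6", global_ip="172.16.0.1"):
    """Source address after the static NAT conditioned on the route-map."""
    if src == local and acl_permits(rules, src, dst):
        return global_ip
    return src

if __name__ == "__main__":
    print(translate(parse_acl(ACL_101), "192.168.100.6", "8.8.8.8"))
```

Swapping the two ACL lines in `ACL_101` shows why the deny has to come first: with the permit on top, traffic to 192.168.200.0/24 would also be translated.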
04-08-2020 06:58 AM
This sequence of commands is what you need for the NAT.
But you mentioned using a tunnel.
If all 192.168.100.0/24 is normally sent through the tunnel, and you want to bypass the tunnel for traffic from 192.168.100.6,
you need to adjust the ACL that is used for the tunnel traffic.
04-08-2020 06:17 AM
Hi,
Can you post your current NAT config, so we can work based on that? It's not clear if you want a static NAT for 192.168.1.1 or dynamic NAT or PAT?
Regards,
Cristian Matei.