05-15-2023 04:51 PM - last edited on 06-07-2023 10:34 PM by Translator
I want to NAT a single inside IP to multiple outbound IPs based upon the destination subnet. For example:
My app server should be NATed to 10.10.1.10 for packets tx/rx toward customer1
My app server should be NATed to 10.10.2.10 for packets tx/rx toward customer2
My app server should be NATed to 10.10.3.10 for packets tx/rx toward customer3.
I have a Cisco 1921 router with Gi0/1 configured with IP 192.168.1.1.
I have an app server with IP address 192.168.1.10 and gateway 192.168.1.1.
I have three customers connected to us using three private point-to-point circuits.
All three circuits are connected to my layer 2 Ethernet switch (a C2960).
On the Ethernet switch customer1 is in VLAN 10, customer2 is in VLAN 20 and customer3 is in VLAN 30.
Cisco router 1921 Gi0/0 has three sub-interfaces, one for each customer. I was thinking that I will create three ACLs and NAT pools, one for each customer, and use the ACL to assign a separate pool to each customer. I hit a road block: ip nat pool gives me a warning when I try to create a pool with a single IP. It asks for at least a .252 netmask and gives the following warning:
Pool NAT-POOL-CUST3 mask 255.255.255.255 too small; should be at least 255.255.255.252
How can I NAT my single inside IP to multiple outbound IPs based upon the destination subnet?
!
interface GigabitEthernet0/1
description LOCAL INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description CUSTOMER1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description CUSTOMER2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
description CUSTOMER3
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
ip route 172.16.101.0 255.255.255.0 172.16.10.2
ip route 172.16.102.0 255.255.255.0 172.16.20.2
ip route 172.16.103.0 255.255.255.0 172.16.30.2
!
ip access-list extended ACL-NAT-CUST1
permit ip host 192.168.1.10 172.16.101.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST2
permit ip host 192.168.1.10 172.16.102.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST3
permit ip host 192.168.1.10 172.16.103.0 0.0.0.255
!
!
ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.255
## I get the warning for the above three commands ##
If I get past the warning then I was planning to use the following:
!
! inside-source NAT: the app server sits behind "ip nat inside"; the list names must match the ACLs defined above
! Without overload a list installs one simple entry per host that is reused for any destination, so PAT is used here
ip nat inside source list ACL-NAT-CUST1 pool NAT-POOL-CUST1 overload
ip nat inside source list ACL-NAT-CUST2 pool NAT-POOL-CUST2 overload
ip nat inside source list ACL-NAT-CUST3 pool NAT-POOL-CUST3 overload
!
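The translation the question asks for, as an added configuration example that is not the poster's config and not from any reply in the thread. Host, subnet, interface and VLAN numbers are the ones given in the question; the ACL, pool and route-map names are assumptions. It goes a step beyond the question by using route-maps rather than plain lists, for a reason explained in the comments.

```cisco
! Added example, not the poster's configuration. Addresses and interfaces are
! from the question; ACL, pool and route-map names are assumed.
!
! Pools: IOS refuses a /32 pool mask, so give each one-address pool the /30
! the warning asks for. Start and end address stay .10, so only that one
! address is ever handed out.
ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.252
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.252
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.252
!
! Selection by destination. Only the app server is permitted, so nothing else
! on 192.168.1.0/24 is ever translated toward a customer.
ip access-list extended ACL-NAT-CUST1
 permit ip host 192.168.1.10 172.16.101.0 0.0.0.255
ip access-list extended ACL-NAT-CUST2
 permit ip host 192.168.1.10 172.16.102.0 0.0.0.255
ip access-list extended ACL-NAT-CUST3
 permit ip host 192.168.1.10 172.16.103.0 0.0.0.255
!
route-map RM-NAT-CUST1 permit 10
 match ip address ACL-NAT-CUST1
route-map RM-NAT-CUST2 permit 10
 match ip address ACL-NAT-CUST2
route-map RM-NAT-CUST3 permit 10
 match ip address ACL-NAT-CUST3
!
! Option A: dynamic NAT, sessions initiated from the app server only.
! "inside source" translates the source of packets going from an
! "ip nat inside" interface to an "ip nat outside" one. The route-map form
! (rather than "source list") matters: a list without overload installs one
! simple entry for the host that is reused for every later destination, so the
! first customer's address would be used toward the other two as well.
! Route-map NAT installs full per-flow entries, so the destination is
! re-evaluated for every new session.
ip nat inside source route-map RM-NAT-CUST1 pool NAT-POOL-CUST1
ip nat inside source route-map RM-NAT-CUST2 pool NAT-POOL-CUST2
ip nat inside source route-map RM-NAT-CUST3 pool NAT-POOL-CUST3
!
! Option B (use instead of A): static NAT with the same route-maps, a fixed
! one-to-one mapping per customer. No pool is needed, so the /32 warning
! never comes up. Shown commented out; pick one option, not both.
! ip nat inside source static 192.168.1.10 10.10.1.10 route-map RM-NAT-CUST1
! ip nat inside source static 192.168.1.10 10.10.2.10 route-map RM-NAT-CUST2
! ip nat inside source static 192.168.1.10 10.10.3.10 route-map RM-NAT-CUST3
!
! The interface configuration and static routes from the question are
! unchanged; each customer must be able to route to its 10.10.x.10 address.
```

To check it, ping 172.16.101.1 and then 172.16.102.1 from the app server and look at show ip nat translations: there should be two separate entries, one with inside global 10.10.1.10 and one with 10.10.2.10, each with the destination filled in the outside columns. If instead a single entry with empty outside columns appears and the second ping also shows up as 10.10.1.10, a plain non-overload list is in use and the simple-entry reuse described in the comments is what you are seeing. Option B is the one to use if a customer must also open connections to the app server on its per-customer address; whether outside-initiated sessions additionally need the reversible keyword on the static entries depends on the IOS release, so confirm on the 1921's own image.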
05-19-2023 09:13 AM - last edited on 06-07-2023 11:41 PM by Translator
VPN traffic must not be NATed; VPN must override NAT.
05-19-2023 10:27 AM - last edited on 06-07-2023 11:43 PM by Translator
Could you please elaborate? What are my options if I have to use NAT with IPsec?
I have done NATing of VPN traffic various times; my experience is more on the ASA. This is the first time I have had to deal with this on a router.
05-19-2023 10:30 AM - edited 05-19-2023 10:52 AM
good luck
05-19-2023 10:33 AM
I think it should work. Depends on inside/outside direction but assuming it's inside -> outside then the crypto map ACL should match the IP after NAT I believe. But as always - test to confirm.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html
PS: also never had trouble sending NATed packets up a VPN.
05-19-2023 10:50 AM - last edited on 06-07-2023 11:43 PM by Translator
Rich, appreciate your response. I had already gone through the article you posted but I could not comprehend it. I changed the access list to the post-NAT IP in my lab setup and it worked.
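The point Rich makes and the poster confirms, that the crypto ACL has to match the translated address, as an added configuration example for the customer1 circuit only. It is not from the thread or from the poster's lab. It assumes the NAT discussed in the question is in place, i.e. 192.168.1.10 translated to 10.10.1.10 toward 172.16.101.0/24 on Gi0/0.10, and the peer is the customer1 end of the /30 from the question; the ISAKMP and IPsec parameters, the ACL and map names, and the pre-shared key placeholder are assumptions.

```cisco
! Added example of the crypto side, not from the thread. Peer address is the
! customer1 end of the /30 in the question; key, names and algorithms are
! assumptions. Assumes NAT of 192.168.1.10 -> 10.10.1.10 toward
! 172.16.101.0/24 is already configured on this router.
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder only; use a distinct, strong secret per customer.
crypto isakmp key REPLACE-WITH-CUST1-PSK address 172.16.10.2
!
crypto ipsec transform-set TS-CUST1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL ("interesting traffic"). For inside-to-outside packets IOS runs
! inside-source NAT BEFORE it checks the crypto map, so the ACL must be
! written with the post-NAT source. Writing
!   permit ip host 192.168.1.10 172.16.101.0 0.0.0.255
! here would never match, and because the static route for 172.16.101.0/24
! still points at the circuit, the app server's traffic would be forwarded to
! the customer in the clear rather than dropped.
ip access-list extended ACL-VPN-CUST1
 permit ip host 10.10.1.10 172.16.101.0 0.0.0.255
!
crypto map CM-CUST1 10 ipsec-isakmp
 set peer 172.16.10.2
 set transform-set TS-CUST1
 match address ACL-VPN-CUST1
!
! The crypto map goes on the customer's subinterface, which is also the
! "ip nat outside" interface for that customer.
interface GigabitEthernet0/0.10
 crypto map CM-CUST1
```

On the return path the order is reversed: the packet from the customer is decrypted first and only then does outside-to-inside NAT turn 10.10.1.10 back into 192.168.1.10, which is why the NAT ACL keeps the inside address while the crypto ACL uses the translated one. The customer side must mirror this, permitting 172.16.101.0/24 to host 10.10.1.10. After sending traffic from the app server, show crypto ipsec sa should list local ident 10.10.1.10/255.255.255.255 with the encaps counters climbing, and show ip nat translations should show the matching entry; if the NAT entry exists but the encaps counter stays at zero, the crypto ACL is matching the wrong address and the traffic is leaving unencrypted.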
