cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3419
Views
4
Helpful
19
Replies

Getting warning IP nat pool too small

S Kumar
Level 1
Level 1

I want to NAT single inside IP to multiple outbound IP's based up on the destination subnet. For example :

My appserver should be natted to 10.10.1.10 for packets tx/rx toward customer1
My appserver should be natted to 10.10.2.10 for packets tx/rx toward customer2
My appserver should be natted to 10.10.3.10 for packets tx/rx toward customer3.

I have a router Cisco1921 with Gi0/1 configured with

 ip 192.168.1.1


I have an app server with IP address 192.168.1.10 and gateway 192.168.1.1
I have three customers connected to us using three private point to point circuits.
All the three circuits are connected to my layer 2 Ethernet switch C2960.
On Ethernet switch customer1 is in VLAN 10, customer 2 is in VLAN 20 and customer3 is on VLAN 30.
Cisco router 1921 Gi0/0 has three sub interfaces, one for each customer.I was thinking that I wll create three

ACL

and

NAT POOL

for each customer and use the

ACL

to assign the
seperate pool for each customer. I hit a road block,

ip NAT pool

gives me a warning when I try to create a pool with single ip it is asking for atleast netmask .252 and giving the following warning

Pool NAT-POOL-CUST3 mask 255.255.255.255 too small; should be at least 255.255.255.252

How can I NAT my single inside IP to multiple outbound IP's based upon the destination subnet?

!
interface GigabitEthernet0/1
description LOCAL INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description CUSTOMER1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description CUSTOMER2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
description CUSTOMER3
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
ip route 172.16.101.0 255.255.255.0 172.16.10.2
ip route 172.16.102.0 255.255.255.0 172.16.20.2
ip route 172.16.103.0 255.255.255.0 172.16.30.2
!

ip access-list extended ACL-NAT-CUST1
permit ip host 192.168.1.10 172.16.101.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST2
permit ip host 192.168.1.10 172.16.102.0 0.0.0.255
!
ip access-list extended ACL-NAT-CUST3
permit ip host 192.168.1.10 172.16.103.0 0.0.0.255
!

!
ip nat pool NAT-POOL-CUST1 10.10.1.10 10.10.1.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST2 10.10.2.10 10.10.2.10 netmask 255.255.255.255
ip nat pool NAT-POOL-CUST3 10.10.3.10 10.10.3.10 netmask 255.255.255.255
##I get the warning got the above three commands##
If I get past the warning then I was planning to use the following:
!
ip nat outside source list ACL-CUST1 pool NAT-POOL-CUST1 add-route
ip nat outside source list ACL-CUST2 pool NAT-POOL-CUST2 add-route
ip nat outside source list ACL-CUST3 pool NAT-POOL-CUST3 add-route
!

 

 

 

19 Replies 19

VPN traffic must not

NATing

 

VPN must override

NAT

Could you please elaborate? What are my options if I have to use

NAT

with IPSEC?
I have done

natting

on vpn traffic various times, my experience is more on

ASA

. This is the first time, I have to deal with this stuff on a router.

good luck

I think it should work.  Depends on inside/outside direction but assuming it's inside -> outside then the crypto map ACL should match the IP after NAT I believe.  But as always - test to confirm.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

ps. also never had trouble with sending NATed packets up VPN.

 

Rich,

Appreciate your response, I had already gone through the article you posted but I could not comprehend it. I changed the access list to post-

NAT IP

in my lab setup and it worked.

Review Cisco Networking for a $25 gift card