Beginner

How to allow NAT for Trusted Subnet only?

Hi All, 

I was struggling with a Packet Tracer topology, which I would like to describe a bit more: suppose I have an Internet link that is NATed (overloaded) over a couple of private subnets (trusted, i.e. 192.168.10.0/24, 192.168.12.0/24, etc.). When any of the underlying trusted subnet IPs is NATed with any other IP subnet (I would say untrusted, e.g. 172.22.20.10/24), it can have Internet access, as the source IP would form the trusted pool.

I would like to prevent this and deny all except the trusted subnet to be NATed. I have tried with a couple of ACLs on the outgoing interface of the router connected to the Internet. But it doesn't work as intended. 

Can anyone help, please? 

VIP Expert

Hello,

not really sure what you mean by this:

--> When any of the underlying trusted subnet IP is NATed with any other IP Subnet (I would say untrusted - 172.22.20.10/24) can have Internet access as the source IP would form the trusted pool.

Where is 172.22.20.0/24? Which traffic (from where to where) do you want to exclude from being translated?


Hi, 

Thank you for your reply. I would say I trust 192.168.10.0/24, 192.168.12.0/24, etc. But any of these hosts in the LAN segment can connect to any router, and eventually that router will get an IP address from DHCP. So at this point, the router admin can do NAT for any other IP subnet on the LAN side of the said router using a trusted-subnet host IP, right? Therefore my question is: how do I restrict NAT so that no IP subnet other than the trusted ones can be NATed and get Internet access?


Hello,

I got it. Check if your switches support a feature called 'auto smartport'. This triggers an action when e.g. a router is detected on one of the ports. In the example below, if a router is detected, a macro is executed that puts that port in a non-working VLAN (VLAN 101 in this case):

Switch(config)#macro auto global processing
Switch(config)#macro auto execute CISCO_ROUTER_EVENT builtin CISCO_SWITCH_AUTO_SMARTPORT ACCESS_VLAN=101

If you want to exclude uplink ports from the macro, do the below (the interface-level form of the command is 'macro auto processing'):

Switch(config)#interface X
Switch(config-if)#no macro auto processing

If that is not supported, I guess your only option is to create a DHCP database, which contains all known MAC addresses, and assigns static bindings. If the MAC address is not in the database, no DHCP address will be assigned.

https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpsv.html#wp1114734

VIP Mentor

Hello

The basic premise of NAT is to hide addressing, so unless you have external devices that need to reach the non-NATed internal subnets, those internal subnets should not get NATed and will stay hidden externally. To do that, you don't specify the internal subnet in the NAT ACL; or, if you wish for certain hosts in a NATed subnet to not get NATed, then you add deny ACEs in the NAT ACL for those hosts.

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
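The approach Paul describes, written out as an added example (not configuration from the thread or from Cisco): the overload NAT statement references an ACL that permits only the two trusted subnets from the question, and everything else (including the 172.22.20.0/24 range) is never translated. Interface names, the outside address and the excluded host 192.168.10.50 are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface names, the outside
! address (documentation range) and the excluded host are assumptions.
!
! NAT ACL: first match wins, and anything that matches nothing hits the
! implicit deny and is simply not translated (no Internet access).
ip access-list extended NAT-TRUSTED
 remark individual trusted-LAN hosts that must never be translated
 deny   ip host 192.168.10.50 any
 remark untrusted LAN, denied explicitly so hit counts are visible
 deny   ip 172.22.20.0 0.0.0.255 any
 remark trusted LANs allowed to use the overload pool
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description Internet uplink (constructed address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description trusted LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description trusted LAN 192.168.12.0/24
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
!
! PAT on the outside interface; the restriction lives in the NAT ACL,
! not in an interface ACL on the outgoing interface.
ip nat inside source list NAT-TRUSTED interface GigabitEthernet0/0 overload
!
! Verify: only inside-local addresses from 192.168.10.0/24 and
! 192.168.12.0/24 should ever appear here.
! show ip nat translations
! show access-lists NAT-TRUSTED
```

Note the limit this thread already points at: if a rogue router behind a trusted LAN NATs 172.22.20.0/24 onto its own 192.168.10.x DHCP address, the edge router only sees the trusted source and the ACL permits it, which is why the earlier replies suggest Auto Smartports or static DHCP bindings at the switch layer for that case.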