I was struggling with a Packet Tracer topology, which I would like to describe in a bit more detail. Suppose I have an Internet link that is NATed (overloaded) over a couple of private subnets (trusted, i.e. 192.168.10.0/24, 192.168.12.0/24, etc.). When any of the underlying trusted subnet IPs is NATed with any other IP subnet (I would say untrusted, 172.22.20.10/24), it can have Internet access, as the source IP would form the trusted pool.
I would like to prevent this and deny all except the trusted subnets from being NATed. I have tried a couple of ACLs on the outgoing interface of the router connected to the Internet, but it doesn't work as intended.
Can anyone help, please?
Not really sure what you mean by this:
--> When any of the underlying trusted subnet IPs is NATed with any other IP subnet (I would say untrusted, 172.22.20.10/24), it can have Internet access, as the source IP would form the trusted pool.
Where is 172.22.20.0/24? Which traffic (from where to where) do you want to exclude from being translated?
Thank you for your reply. I would say I trust 192.168.10.0/24, 192.168.12.0/24, etc. But any of these hosts in the LAN segment can connect to any router, and eventually the router will get an IP address from DHCP. So at this point, the router admin can do NAT on any other IP subnet on the LAN side of the said router using a trusted IP subnet host IP, right? Therefore my question is: how do I restrict things so that any IP subnet other than the trusted one cannot work with NAT and get Internet access?
I got it. Check if your switches support a feature called 'auto smartport'. This triggers an action when, e.g., a router is detected on one of the ports. In the example below, if a router is detected, a macro is executed that puts that port in a non-working VLAN (VLAN 101 in this case):
Switch(config)#macro auto global processing
macro auto execute CISCO_ROUTER_EVENT builtin CISCO_SWITCH_AUTO_SMARTPORT ACCESS_VLAN=101
If you want to exclude uplink ports from the macro, do the below:
Switch(config-if)#no macro auto global processing
If that is not supported, I guess your only option is to create a DHCP database that contains all known MAC addresses and assigns static bindings. If the MAC address is not in the database, no DHCP address will be assigned.
The basic premise of NAT is to hide addressing, so unless you have external devices able to reach the non-NATed internal subnets, those internal subnets should not get NATed and should be hidden externally. To do that, you don't specify the internal subnet in the NAT ACL, or, if you wish for certain hosts in a NATed subnet to not get NATed, you add deny ACEs in the NAT ACL for those hosts.
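A NAT ACL built the way the post above describes, as an added example that is not from this thread; the interface names and the excluded host 192.168.10.50 are assumptions for illustration:

```cisco
! Added example (not from the thread): translate only the trusted subnets.
! Assumed: GigabitEthernet0/0 faces the LAN, GigabitEthernet0/1 faces the Internet.
ip access-list extended NAT-TRUSTED
 remark Deny ACEs first: hosts in a trusted subnet that must never be translated
 deny   ip host 192.168.10.50 any
 remark Only the trusted subnets are eligible for translation
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 remark Anything else (e.g. 172.22.20.0/24) hits the implicit deny and is not translated
!
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
!
ip nat inside source list NAT-TRUSTED interface GigabitEthernet0/1 overload
!
! Check what is actually being translated and which ACEs are matching
show ip nat translations
show access-lists NAT-TRUSTED
```

Note that the ACL only decides what gets translated: a packet that arrives with a source already inside 192.168.10.0/24 is indistinguishable from a trusted host, which is why the earlier replies point at the switch port (auto smartport) and DHCP static bindings rather than the NAT ACL for that part of the problem.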