11-18-2020 12:53 AM
Hi All,
I was struggling with a Packet Tracer topology that I would like to describe a bit more. Suppose I have an Internet link that is NATed (overloaded) for a couple of private subnets (trusted, i.e. 192.168.10.0/24, 192.168.12.0/24 etc.). When any of the underlying trusted-subnet IPs is NATed against any other IP subnet (I would call it untrusted, e.g. 172.22.20.10/24), that subnet can also have Internet access, as the source IP would come from the trusted pool.
I would like to prevent this and deny everything except the trusted subnets from being NATed. I have tried a couple of ACLs on the outgoing interface of the router connected to the Internet, but they don't work as intended.
Can anyone help, please?
11-18-2020 01:12 AM
Hello,
Not really sure what you mean by this:
--> When any of the underlying trusted-subnet IPs is NATed against any other IP subnet (I would call it untrusted, e.g. 172.22.20.10/24), that subnet can also have Internet access, as the source IP would come from the trusted pool.
Where is 172.22.20.0/24 ? Which traffic (from where to where) do you want to exclude from being translated ?
11-18-2020 02:18 AM
Hi,
Thank you for your reply. I would say I trust 192.168.10.0/24, 192.168.12.0/24 etc. But any of these hosts in the LAN segment can connect to any router, and eventually that router will get an IP address from DHCP. So at this point the router admin can do NAT for any other IP subnet on the LAN side of that router, using a trusted-subnet host IP, right? Therefore my question is how I restrict NAT and Internet access to the trusted subnets only, and to no other IP subnet.
11-18-2020 04:57 AM
Hello,
I got it. Check if your switches support a feature called 'auto smartport'. This triggers an action when e.g. a router is detected on one of the ports. In the example below, if a router is detected, a macro is executed that puts that port in a non-working VLAN (VLAN 101 in this case):
Switch(config)#macro auto global processing
macro auto execute CISCO_ROUTER_EVENT builtin CISCO_SWITCH_AUTO_SMARTPORT ACCESS_VLAN=101
If you want to exclude uplink ports from the macro, do the below:
Switch(config)#interface X
Switch(config-if)#no macro auto global processing
If that is not supported, I guess your only option is to create a DHCP database which contains all known MAC addresses and assigns static bindings. If the MAC address is not in the database, no DHCP address will be assigned.
https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpsv.html#wp1114734
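The static-binding approach from the answer above, as an added example that is not part of the original post or the linked Cisco guide. It uses per-host DHCP pools keyed on the client's hardware address on the router that serves the trusted VLAN; the pool names, MAC addresses, IP addresses and DNS server are assumptions for illustration. Because there is no dynamic `network` pool for 192.168.10.0/24, a client whose MAC is not bound to a host pool gets no lease at all.

```cisco
! Added example (not from the thread): router-side DHCP that only serves
! known hosts. Names, MACs and addresses below are assumptions.
!
! No "network 192.168.10.0 255.255.255.0" pool exists, so unknown MACs
! receive no offer. Only the manual bindings below hand out addresses.
ip dhcp pool HOST-PC1
 host 192.168.10.50 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
ip dhcp pool HOST-PC2
 host 192.168.10.51 255.255.255.0
 hardware-address 0011.2233.4466
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
! Verification: bound addresses and the MACs they are tied to
! show ip dhcp binding
! show ip dhcp pool
```

Caveat a practitioner would want stated: a MAC address is not a credential. The admin of the unmanaged router can clone a known MAC or simply configure a static address inside 192.168.10.0/24, so this only stops accidental plug-ins, not a deliberate one. The auto smartport macro in the post above works at the port level and does not depend on the address the router uses, which is why it was offered first.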
11-18-2020 05:09 AM - edited 11-18-2020 05:11 AM
Hello
The basic premise of NAT is to hide addressing, so unless you have external devices able to reach the non-NATed internal subnets, those internal subnets should not get NATed and will be hidden externally. To do that, you don't specify the internal subnet in the NAT ACL; or, if you wish for certain hosts in a NATed subnet to not get NATed, you add deny ACEs in the NAT ACL for those hosts.
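The NAT ACL arrangement from the answer above as an added example on the Internet router; it is not configuration from the original poster or the answerer. Interface names, the uplink address 203.0.113.2/30 and the excluded host 192.168.10.50 are assumptions. It also adds an inbound ACL on the LAN interface, because a packet that does not match the NAT ACL is not dropped by NAT, it is simply forwarded untranslated with its private source address. The inbound ACL is what actually stops the untrusted subnet at this router.

```cisco
! Added example (not from the thread). Interface names, the uplink
! address and the excluded host are assumptions for illustration.
!
interface GigabitEthernet0/0
 description LAN side (trusted subnets)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! Drop anything that does not come from a trusted subnet before it is
 ! routed; NAT alone would just forward it untranslated.
 ip access-group LAN-IN in
!
interface GigabitEthernet0/1
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! NAT ACL: only the trusted subnets are listed, so 172.22.20.0/24 or any
! other source never matches and is never translated. The leading deny
! ACE keeps one trusted host out of NAT, as described in the answer.
ip access-list extended NAT-TRUSTED
 deny   ip host 192.168.10.50 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 deny   ip any any
!
! Inbound filter on the LAN interface: trusted sources only.
ip access-list extended LAN-IN
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 deny   ip any any log
!
ip nat inside source list NAT-TRUSTED interface GigabitEthernet0/1 overload
!
! Verification:
! show ip nat translations        (only 192.168.10.x / 192.168.12.x entries)
! show access-lists LAN-IN        (hit counts on the final deny from untrusted sources)
```

Two points worth noting. First, the ACL the original poster tried on the outgoing interface does not see private source addresses: for inside-to-outside traffic the router translates before the outbound ACL on the NAT outside interface is evaluated, so a rule matching 172.22.20.0/24 there never hits. The inbound ACL on the inside interface is evaluated before NAT and does match. Second, neither ACL helps with the exact situation the poster described: if a downstream router has already translated 172.22.20.0/24 to an address it obtained in 192.168.10.0/24, the packets arriving here carry a trusted source address and will be permitted and translated like any other trusted host. That case has to be handled at the switch port or at address assignment, as the previous answer suggests.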