How to Twice-NAT(Nat-exempt and overload) On IOS

Aaron_un
Level 1

This is how I do it on ASA

object network L2L_NAT_OVERLOAD_IP
 host 10.200.255.1

object network L2L_NAT_DST
 subnet 172.1.1.0 255.255.255.0

nat (INSIDE, OUTSIDE) source dynamic LAN_INTERNAL L2L_NAT_OVERLOAD_IP destination static L2L_NAT_DST L2L_NAT_DST

This command will overload all the internal IPs that are heading through the tunnel, while exempting the traffic that heads to L2L_NAT_DST from being NATted by another general (all packets) overload NAT command.

How can I achieve the same thing on IOS?

So imagine I have this NAT line on my IOS which I don't want this traffic to be trapped by (it should jump over it), and at the same time I want to overload my outgoing traffic heading to the IPsec destination networks with another IP:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

^ This command is not what I am interested in; it has to be there for the whole network's internet access.

Aside from this one I need to add (to simulate the ASA NAT) another NAT that exempts the traffic from this ^ NAT and at the same time overloads the sources of those exempted packets in a single IP : many ports fashion.

6 Replies

Hello

If I understood, you wish to NOT perform NAT for traffic between 172.1.1.0/24 and host 10.200.255.1 but NAT any other traffic sourced from 172.1.1.0/24?

If so example below:

ip access-list extended NAT
deny ip 172.1.1.0 0.0.0.255 host 10.200.255.1
permit ip 172.1.1.0 0.0.0.255 any
ip nat inside source list NAT interface x/x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

No, that's not true.

IPs with the DST 172.1.1.0 255.255.255.0 shouldn't be NATted by other NATs, but I still want to NAT their source IP with the overload method to 10.200.255.1, while the general overload of my outside interface is still doing its job, by overload PATting all inside 0.0.0.0/0 traffic with the outside interface IP.

Hello

Okay, then just change the ACL to accommodate what you don't want to NAT between source/destination:

ip access-list extended NAT
 deny ip <inside lan subnet> 172.1.1.0 0.0.0.255
 permit ip <inside lan subnet> any
ip nat inside source list NAT interface x/x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sir, that's the thing, it's not that easy. Again and again: this is not only NAT exempt, it's NAT exempt and overload NAT at the same time.

By NAT exempt I am trying to escape from the OVERLOAD ALL which is common on all networks, but I still need to NAT the traffic (source IPs) that is already exempted to another source IP (10.200.255.1).

Your command accomplishes this:

nat (INSIDE, OUTSIDE) source dynamic LAN_INTERNAL LAN_INTERNAL destination static L2L_NAT_DST L2L_NAT_DST

not this:

nat (INSIDE, OUTSIDE) source dynamic LAN_INTERNAL L2L_NAT_OVERLOAD_IP destination static L2L_NAT_DST L2L_NAT_DST

Scott Leport
Level 7

Hi,

If I have understood you correctly, you want to translate the inside subnet to 10.200.255.1 when communicating through the VPN tunnel, and 10.200.255.1 is also your NAT overload address?

This seems a bit broken to me, but perhaps the following config might help?

ip access-list extended ACL-NAT
 permit ip <your inside subnet> <wildcard mask> any

route-map RMAP-NAT permit 10
 match ip address ACL-NAT

ip nat inside source route-map RMAP-NAT interface GigabitEthernet0/0 overload

ip access-list extended VPN-TRAFFIC
 ! modify the destination subnet to fit your needs
 deny ip host 10.200.255.1 192.168.1.0 0.0.0.255
 permit ip host 10.200.255.1 any

I am sorry,

Let me put the other NAT as well, but remember: if you don't understand this ASA command, the more I verbalize it in English the harder it gets. I am trying to simulate the same command here on a router.

object network L2L_NAT_OVERLOAD_IP
 host 10.200.255.1

object network L2L_NAT_DST
 subnet 172.1.1.0 255.255.255.0

# IPs that are heading to the other side of the tunnel will be NATted to 10.200.255.1 and exempted from the whole-network NAT overload command
nat (INSIDE, OUTSIDE) source dynamic LAN_INTERNAL L2L_NAT_OVERLOAD_IP destination static L2L_NAT_DST L2L_NAT_DST

# the whole-network NAT overload command
object network NET_OVERLOAD
 subnet 0.0.0.0 0.0.0.0
nat (INSIDE, OUTSIDE) source dynamic NET_OVERLOAD interface

Ok, I think this is what I was looking for:

ip nat pool test-robot 10.200.255.1 10.200.255.1 netmask 255.255.255.255

ip access-list extended ACL-LAN
 permit ip any 172.1.1.0 0.0.0.255

route-map RMAP-NAT permit 10
 match ip address ACL-LAN

! traffic towards the tunnel is overloaded to 10.200.255.1 via the pool
ip nat inside source route-map RMAP-NAT pool test-robot overload

! the deny keeps the general overload from touching the tunnel traffic
ip access-list extended NAT-Exempt
 deny ip any 172.1.1.0 0.0.0.255
 permit ip any any

ip nat inside source list NAT-Exempt interface x/x overload
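A small model of how the final configuration sorts inside-to-outside flows, added here as an example and not part of the thread (Python rather than IOS so it runs offline). It assumes a hypothetical inside LAN 192.168.1.0/24 and outside interface address 203.0.113.1, and models the IOS behaviour that a packet denied by one NAT statement's ACL is not translated by that statement and is checked against the others.

```python
import ipaddress

# Constructed values, not from the thread: the inside LAN and the outside interface IP.
INSIDE_LAN = "192.168.1.0/24"
OUTSIDE_IF_IP = "203.0.113.1"
# Values from the thread: the overload address used towards the tunnel and the remote subnet.
L2L_NAT_OVERLOAD_IP = "10.200.255.1"
L2L_NAT_DST = "172.1.1.0/24"
ANY = "0.0.0.0/0"

def acl_permits(acl, src, dst):
    """Cisco ACL semantics: first matching entry decides, implicit deny at the end.
    Each entry is (action, source network, destination network) in CIDR form."""
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False

# ACLs from the final post: the deny makes the general overload skip tunnel traffic.
NAT_EXEMPT = [("deny", ANY, L2L_NAT_DST), ("permit", ANY, ANY)]
ACL_LAN = [("permit", ANY, L2L_NAT_DST)]

# Each 'ip nat inside source' statement as (ACL, address the source is overloaded to).
FINAL_CONFIG = [(NAT_EXEMPT, OUTSIDE_IF_IP), (ACL_LAN, L2L_NAT_OVERLOAD_IP)]
# The same without the deny, i.e. the plain 'list 1 interface ... overload' the OP started from.
NO_EXEMPT_CONFIG = [([("permit", ANY, ANY)], OUTSIDE_IF_IP), (ACL_LAN, L2L_NAT_OVERLOAD_IP)]

def translate_source(src_ip, dst_ip, rules=FINAL_CONFIG):
    """Post-NAT source for an inside->outside packet, or None if no statement matches.
    A packet denied by a statement's ACL is not translated by that statement and is
    checked against the remaining statements; with the exempt ACL in place, tunnel
    traffic can only ever match the pool statement, whatever the evaluation order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for acl, new_src in rules:
        if acl_permits(acl, src, dst):
            return new_src
    return None

def check_flows(rules=FINAL_CONFIG):
    """Constructed sample flows: one inside host towards the tunnel and towards the internet."""
    host = str(next(ipaddress.ip_network(INSIDE_LAN).hosts()))
    return {
        "to_tunnel": translate_source(host, "172.1.1.5", rules),
        "to_internet": translate_source(host, "198.51.100.7", rules),
    }

if __name__ == "__main__":
    print("with NAT-Exempt deny:", check_flows())
    print("without the deny:    ", check_flows(NO_EXEMPT_CONFIG))
```

Without the deny, the general overload statement catches the tunnel traffic first and it leaves with the interface address instead of 10.200.255.1, which is exactly the trap the OP wanted to jump over.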