IP NAT outside and inside in the same interface

Hello,

I have a problem I haven't had previously. I have a router with 3 interfaces:

interface 1

Public addressing

ip nat outside

(default gateway interface)

interface 2

Private addressing

ip nat inside

interface 3

one public address

one private address

ip nat inside and outside????

I have difficulty understanding Cisco IP NAT when there are more than 2 interfaces (one with ip nat inside and another with ip nat outside)... In this case, how can I configure interface 3?

* The private addresses need to be NATed when they go to the internet (interface 1), but this network should be reachable from interface 2 without NAT.

* The public address should be routed (without NAT) to the internet (through interface 1) and shouldn't access interface 2.

How would you solve this?  Thanks,

Christian

4 Replies 4

andrew.gee
Level 1

Hi Christian,

Here's one possible solution:

Configure I/Face 3 as "nat inside"

!
interface 3
 ip nat inside
!

Then for your 1 x private address device, use the "ip nat inside source" cmd in conjunction with an access list & NAT pool to ONLY NAT traffic to the internet -

i.e

If the traffic is to the internet, the ACL will match /permit it and the traffic is therefore NATed

On the other hand, if the traffic is to interface 2, then the ACL should not match /deny and the traffic will not be NATed.

!
ip nat pool letmeout 10.10.10.1 10.10.10.1 prefix-length 24
!
ip nat inside source list 101 pool letmeout
!
access-list 101 permit ip < Internet destination(s)>
!

You can fine-tune the ACL to your requirements.

Similarly you can use an interface ACL to block the public IP host device from accessing i/face 2.

Hope this helps!

Cheers

Drew

BTW -

Just curious as to why the single private host on interface 3 was not located on interface 2? (probably a long story!)

Thank you Andrew, really good contribution. I have private and public addresses in the same VLAN because of some restrictions of a third-vendor network equipment. There is no other solution :-(.

So with this solution I would have 2 inside interfaces and only 1 outside interface. When is access-list 101 checked? Only when there is traffic between an inside interface and an outside interface? Because in that case I could only use a basic access-list ("access-list 1 permit ip ...")... But if the ACL is also checked for traffic between one inside interface and another inside interface, I would have to use the extended access-list....

One additional question... When a packet is checked against ACL 101, if the packet doesn't satisfy the ACL, is the packet routed without NAT or is it directly discarded??

Thanks again.

Christian

Hi Christian,

Yes, you will have two NAT inside interfaces + one outside interface.

Here's a Cisco NAT reference stating examples with more than one inside interface:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

You can use either a basic or extended ACL - really depends on your NATing requirements and how granular for the ACL to "match".

As the ACL is only associated with the "ip nat inside source" cmd, i.e. NAT related only, it won't be used for non-NAT routing. The ACL is purely used as a NATing test criterion - if a packet matches then NAT it, if not then the router will handle it as a non-NAT packet - the ACL's implied "deny" in this case stops it from being NATed, not dropped.

Cheers

Drew
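A complete configuration for the three-interface layout discussed in Drew's two replies above, added here as an illustration; it is not a config from the thread. The interface names, the router's secondary address on interface 3, and all host and network addresses (RFC 5737/1918 documentation and private ranges) are assumptions, since the thread gives none; only the pool name, pool address and ACL number 101 come from the thread.

```cisco
! Interface names and all addresses are constructed placeholders - replace with your own.
interface GigabitEthernet0/0
 description Interface 1 - public addressing, default gateway
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Interface 2 - private LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description Interface 3 - one public host and one private host in the same VLAN
 ip address 203.0.113.65 255.255.255.240
 ip address 192.168.3.1 255.255.255.0 secondary
 ip nat inside
 ip access-group 110 in
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Pool from the thread (a single address); on a real router this would be a routable public address.
ip nat pool letmeout 10.10.10.1 10.10.10.1 prefix-length 24
ip nat inside source list 101 pool letmeout overload
!
! ACL 101 is only the NAT match criterion: a deny means "route untranslated", not "drop".
! Assumed private host on interface 3: 192.168.3.10.
access-list 101 remark NAT decision for the private host on interface 3
access-list 101 deny   ip host 192.168.3.10 192.168.2.0 0.0.0.255
access-list 101 permit ip host 192.168.3.10 any
!
! Interface ACL on interface 3: the public host (assumed 203.0.113.70) must not reach interface 2's LAN.
! Its internet traffic is routed untranslated because ACL 101 never matches it.
access-list 110 remark keep the public host on interface 3 away from the interface 2 LAN
access-list 110 deny   ip host 203.0.113.70 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
```

Verify the result with "show ip nat translations" after the private host opens an internet connection (an entry appears) and after it talks to the 192.168.2.0/24 LAN (no entry appears).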

Ok All clear now. Thank you again Andrew.

Regards,

Christian
