Is it possible to route multiple networks out to multiple public assigned IP addresses on the same subnet and use NAT overload

psaunders
Level 1

I have three internal VLANs that I would like to each have a dedicated public IP address using NAT overload. I would like traffic from each internal VLAN to use NAT; however, all the public IP addresses reside on the same subnet and on a single 10GB port on a 6500 with VS-S720-10G.

This is what I am trying to do.

vlan 101 IP address 192.168.101.0 255.255.255.0

vlan 102 IP address 192.168.102.0 255.255.255.0

vlan 103 IP address 192.168.103.0 255.255.255.0

vlan 10 IP address 10.10.101.0 255.255.255.0

 

192.168.101.0 255.255.255.0 NAT with overload to 10.10.101.11
192.168.102.0 255.255.255.0 NAT with overload to 10.10.101.12
192.168.103.0 255.255.255.0 NAT with overload to 10.10.101.13

Static NAT 10.10.101.11  to 216.10.10.11
Static NAT 10.10.101.12  to 216.10.10.12
Static NAT 10.10.101.13  to 216.10.10.13

Below is a sample of the config, but I need help figuring out a few areas.

 

6500 config

Configure VLANs

config t
vlan 101
int vlan 101
ip address 192.168.101.1 255.255.255.0
vlan 102
int vlan 102
ip address 192.168.102.1 255.255.255.0
vlan 103
int vlan 103
ip address 192.168.103.1 255.255.255.0
vlan 10
int vlan 10
ip address 10.10.101.1 255.255.255.0


Configure DHCP for VLANS
config t
ip dhcp pool Vlan101
network 192.168.101.0 255.255.255.0
domain-name Test101
dns-server 8.8.8.8
default-router 192.168.101.1
exit
ip dhcp excluded-address 192.168.101.1 192.168.101.50

config t
ip dhcp pool Vlan102
network 192.168.102.0 255.255.255.0
domain-name Test102
dns-server 8.8.8.8
default-router 192.168.102.1
exit
ip dhcp excluded-address 192.168.102.1 192.168.102.50

config t
ip dhcp pool Vlan103
network 192.168.103.0 255.255.255.0
domain-name Test103
dns-server 8.8.8.8
default-router 192.168.103.1
exit
ip dhcp excluded-address 192.168.103.1 192.168.103.50


Configure interfaces
config t
interface GigabitEthernet5/1
description Internet Access
ip address 216.10.10.101 255.255.255.0
ip address 216.10.10.102 255.255.255.0 secondary
ip address 216.10.10.103 255.255.255.0 secondary


config t
interface vlan 101
ip nat inside
interface vlan 102
ip nat inside
interface vlan 103
ip nat inside
exit

What do I use as my "ip nat outside"?

access-list 100 remark == [Control NAT Service]==
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 102 permit ip 192.168.102.0 0.0.0.255 any
access-list 103 permit ip 192.168.103.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.12 0.0.0.255 any
access-list 102 permit ip 10.10.10.16 0.0.0.255 any
access-list 103 permit ip 10.10.10.17 0.0.0.255 any

 

What interface should I use for NAT overload?


ip nat inside source list 101 ??? overload
ip nat inside source list 102 ??? overload
ip nat inside source list 103 ??? overload

ip nat inside source static 10.10.101.11 216.10.10.101
ip nat inside source static 10.10.101.12 216.10.10.102
ip nat inside source static 10.10.101.13 216.10.10.103

**********************************************************************

config t
ip route 0.0.0.0 0.0.0.0 216.10.10.1
exit

 


7 Replies

Jon Marshall
Hall of Fame

Why are you doing NAT overload to one IP and then changing that IP to another IP?

Why not just NAT overload the private IP subnets direct to the 206.10.10.x IPs?

And why do you have secondary IPs on gi5/1?

Jon

Jon Marshall
Hall of Fame

Try this configuration -

1) remove the secondary IPs from gi5/1 and make sure proxy arp is enabled on gi5/1.

Without proxy arp it won't work.

You also need to enable "ip nat outside" on that interface.

2) using your acls from above and creating NAT pools for the IPs not assigned to the interface -

access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 102 permit ip 192.168.102.0 0.0.0.255 any
access-list 103 permit ip 192.168.103.0 0.0.0.255 any

ip nat pool IP1 206.10.10.102 206.10.10.102 netmask 255.255.255.248
ip nat pool IP2 206.10.10.103 206.10.10.103 netmask 255.255.255.248

ip nat inside source list 101 interface gi5/1 overload
ip nat inside source list 102 pool IP1 overload
ip nat inside source list 103 pool IP2 overload

Note: NAT pool IP1 could probably use a 255.255.255.252 netmask, but not IP2, so I just used the same for consistency; it's up to you.

I have used this before, but you should check you are seeing the right translation when you test it out. The netmask on the NAT pool should just be a consistency check to make sure your IP is not either the network or broadcast address (hence the reason you could use a different mask for IP1), but obviously in the above the IP in pool IP2 actually falls within the 255.255.255.248 range in the first pool.

It shouldn't matter because, like I say, it is only a check, but you need to verify.

Jon
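To make the two points above concrete (one public address per inside subnet, selected by the first matching access list and shared by port; and the netmask sanity check on a one-address NAT pool), here is a small constructed model in Python. It is an added example, not IOS and not anything the posters configured: the rule table, port allocation and `show ip nat translations`-style output are assumptions of the model, and the public addresses use the 216.10.10.x range from the gi5/1 interface config in the question rather than the 206.10.10.x range in the reply.

```python
import ipaddress

# Constructed model of the design in this thread (not IOS, not the poster's config):
# three inside VLAN subnets, each overloaded (PAT) to its own public address.
# Public addresses follow the 216.10.10.x range on gi5/1 in the original post.
NAT_RULES = [
    ("192.168.101.0/24", "216.10.10.101"),  # access-list 101 -> interface gi5/1
    ("192.168.102.0/24", "216.10.10.102"),  # access-list 102 -> pool IP1
    ("192.168.103.0/24", "216.10.10.103"),  # access-list 103 -> pool IP2
]


def pool_address_ok(address, netmask):
    """Consistency check on a one-address NAT pool: with the given netmask the
    address must be neither the network nor the broadcast address of the block
    it falls in. Returns True when the address is usable under that mask."""
    block = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    addr = ipaddress.ip_address(address)
    return addr not in (block.network_address, block.broadcast_address)


class OverloadNat:
    """Toy PAT table. The first matching rule wins (like the first matching
    'ip nat inside source list' statement); every inside socket behind a rule
    shares that rule's single public address and is told apart by port."""

    def __init__(self, rules, first_port=1024):
        self.rules = [(ipaddress.ip_network(n), ipaddress.ip_address(p)) for n, p in rules]
        self.first_port = first_port      # assumed starting port for the model
        self.next_port = {}               # public address -> next unused port
        self.out_table = {}               # (inside ip, port) -> (public ip, port)
        self.in_table = {}                # (public ip, port) -> (inside ip, port)

    def public_for(self, inside_ip):
        """Return the public address whose rule matches, or None if no rule does."""
        ip = ipaddress.ip_address(inside_ip)
        for net, public in self.rules:
            if ip in net:
                return str(public)
        return None                       # no rule: the packet leaves untranslated

    def translate(self, inside_ip, inside_port):
        """Outbound: reuse an existing entry, or allocate the next free port on
        the matching public address. Returns (public ip, port) or None."""
        key = (inside_ip, inside_port)
        if key in self.out_table:
            return self.out_table[key]
        public = self.public_for(inside_ip)
        if public is None:
            return None
        port = self.next_port.get(public, self.first_port)
        self.next_port[public] = port + 1
        self.out_table[key] = (public, port)
        self.in_table[(public, port)] = key
        return self.out_table[key]

    def untranslate(self, public_ip, public_port):
        """Return traffic: map a (public ip, port) pair arriving on the outside
        interface back to the inside socket, or None if there is no entry."""
        return self.in_table.get((public_ip, public_port))

    def show_translations(self):
        """Rows in the order of the 'Inside local' / 'Inside global' columns
        of 'show ip nat translations' - the view to check after testing."""
        return [(f"{i}:{p}", f"{g}:{gp}")
                for (i, p), (g, gp) in sorted(self.out_table.items())]


if __name__ == "__main__":
    nat = OverloadNat(NAT_RULES)
    for host, port in [("192.168.101.10", 40000), ("192.168.102.10", 40000),
                       ("192.168.103.10", 40000), ("192.168.101.11", 40000)]:
        print(f"{host}:{port} -> {nat.translate(host, port)}")
    for local, glob in nat.show_translations():
        print(f"{local:<24}{glob}")
    for mask in ("255.255.255.248", "255.255.255.0"):
        print(f"216.10.10.103 with {mask} ok: {pool_address_ok('216.10.10.103', mask)}")
```

Running the check with the reply's own numbers shows why the netmask on the pool deserves the verification the reply asks for: .103 with 255.255.255.248 is the broadcast address of the .96/29 block and fails the check, whereas .102 with 255.255.255.252 passes, and either address passes under the interface's own 255.255.255.0 mask. The translation table also shows what to look for when testing: hosts in 192.168.101.0/24 should appear behind the gi5/1 address, and hosts in the other two subnets behind their pool address, never the reverse.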

Jon,

I had tried this setup, but for some reason I can't create a NAT pool; see the output from the router below.

Router(config)#ip nat pool
                      ^
% Invalid input detected at '^' marker.

Router(config)#ip nat ?
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration

Router(config)#ip nat

As you can see there is no POOL option for me to create the pool.

Well that's a bit surprising :-)

What IOS version and feature set are you using?

What is vlan 10 for ie, is it just for the NAT ?

The other approach is to use loopback interfaces. You obviously can't assign the public IPs direct because you will get an overlapping subnet message, but you could use an unused IP range or the vlan 10 IPs if it is just for NAT, overload on them, and then do a static NAT as you were proposing.

You still don't need the other public IPs as secondary IPs as long as gi5/1 has proxy arp enabled.

I can test that setup out for you (not on a 6500, but the principle is the same), but I am really surprised you can't create a NAT pool.

Perhaps it is not supported?

Jon

 

Thanks Jon, 

Running IP BASE, looks like that's my issue.........

I have scrapped the vlan 10 idea; you are right, there is no point in doing NAT overload to one IP and then changing that IP to another IP.

Once I get the correct IOS on there I will give it another shot, DUH!

Thanks for the help

Just to clarify.

I don't know for sure that the 6500 does support that command even with a different feature set, unless you have found out otherwise?

Just didn't want you to assume I was saying it was.

Jon

It does, all set, I just need the correct IOS. All good, thanks for the help.
