Hi @Giuseppe Larosa  and @Jon Marshall ,

I have read your replies but do not understand.

Should I leave my g0/0 interface on "ip nat outside"?

Also, what should I deny??

@Jon Marshall , To answer your question, my LAN only has one subnet which is /24, so do I deny only that one line??

Yes leave the "ip nat outside". 

Look at the example I have given ie. you need to add deny lines for the remote branch subnets whatever they are and then you need the permit at the end for your LAN to get to the internet as described by Giuseppe. 

I am not sure how to explain it any clearer. 

Jon

Hi Jon,

This is what I have done according to your advice. Again, maybe I did not understand what you were saying but it didn't work

#sh access-lists
Extended IP access list 110
10 deny ip 192.168.8.0 0.0.0.255 any (597 matches)   (so you said I should first deny LAN access)
20 permit ip 192.168.8.0 0.0.0.255 any                         (Then I should permit it)
30 permit ip any any (201 matches)

Am I on track?

Hello @Jonathan Nali ,

unfortunately your extended ACL is wrong as the first line prevents NAT to happen for whatever destination.

#sh access-lists
Extended IP access list 110
10 deny ip 192.168.8.0 0.0.0.255 any (597 matches) (so you said I should first deny LAN access)
20 permit ip 192.168.8.0 0.0.0.255 any (Then I should permit it)
30 permit ip any any (201 matches)

First list the IP subnets of the branch offices that you need to reach WITHOUT NAT

example 192.168.12.0/24

The logic for using an extended ACL with NAT is the following:

first you deny the traffic coming from internal LAN and destined to internal destinations that do not need NAT

Later you permit traffic coming from your local internal LAN to any = Internet and this means it will be NATTed

access-list 115 remark NAT example

access-list 115 deny ip 192.168.8.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 115 permit ip 192.168.8.0 0.0.0.255 any

the ip nat outside has to remain on your Internet facing interface. It is the ACL that has to provide the intelligence to perform a selective NAT.

Hope to help

Giuseppe

Hi @Giuseppe Larosa ,

after reading your reply 100 times and rewatching ACL tutorials, I now understand what you are saying here:

"

In this way the router will understand that it should NAT only when going to the Internet as desired.

"

the problem is, I don't know what to deny. Can I deny they same network I am trying to permit?

Nali

Hello,

what are the IP address ranges of your branches (e.g. 192.168.4.0/24) ?

Hi @Georg Pauwen ,

My branch office is 192.168.8.0/24 and to reach my HQ packets have to go through 192.168.124.0/32 to reach our HQ on 10.10.1.0/24

I hope this makes sense.

Hi @Giuseppe Larosa ,

One last question. On the same network I can now ping HQ from branch but I cannot ping from HQ to branch. So, do I put access-lists on the LAN side as well? I have tried this on the g0/1 (LAN) interface but not success. 

From HQ(10.10.1.0/24) I can ping only upto the LAN interface (192.168.8.3)

How do I fix this?

Nali

Ok, I finally understood and got it right, thank you.

Add a deny statement to the other network and then the permit so that it only does NAT translations when going to the internet. 

Thank you again @Jon Marshall  and @Giuseppe Larosa 

Nali