05-15-2007 11:06 AM - edited 03-03-2019 04:59 PM
I have a Cisco 7200 which has multiple interfaces. I use services such as Yipes, that set up basically a direct connection to the remote site (usually on a private IP space). My only issue is that most of the services we connect to require us to use NAT on the interface. My question is whether it is possible to NAT multiple interfaces on a router. I have studied this a little bit and attempted to create a second NAT statement, but every time I tried, the previous interface that already has NAT applied loses its connection. I would hate to buy a dedicated router for every connection. An example is to have 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24 all on the same router and all NAT-ed.
05-15-2007 11:17 AM
Hi Jim
If I understand correctly, you should be able to do NAT on multiple interfaces. You can use the "ip nat inside" statement under each interface you want to NAT the source IPs, and "ip nat outside" on the interface that you want the source IP addresses NATted to.
If you want multiple NAT outside statements, you can use route-maps with your NAT statements to do conditional NAT.
Could you post the config of your 7200 with an explanation of what you are NATting from and to?
HTH
Jon
05-15-2007 11:55 AM
Here is my current config. What I want is to have eth 5/1 with IP address 10.13.7.2 255.255.255.0, and I want all traffic coming from the 192.168.225.0 network to be NAT-ed when going out to the 10.13.7.0 network.
Currently, when I enter ip nat inside source static 192.168.225.103 10.13.7.2 it shuts down the previous NAT. And if I create an access list (access-list 1 permit any any) and then the NAT command ip nat inside source list 1 inte eth 5/1 overload, it also takes down the previous NAT until the statement is removed.
Current configuration : 2469 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret xxx
enable password xxx
!
ip subnet-zero
ip cef
!
call rsvp-sync
!
bridge irb
!
!
interface FastEthernet1/0
ip address 172.28.x.x 255.255.255.252
ip nat outside
duplex full
!
interface FastEthernet2/0
ip address 66.x.x.x 255.255.255.252
duplex full
speed 100
!
interface FastEthernet2/1
ip address 208.x.x.x 255.255.255.224
duplex full
speed 100
!
interface FastEthernet4/0
no ip address
ip nat inside
duplex full
bridge-group 10
!
interface Ethernet5/0
ip address 172.19.x.x 255.255.255.248
duplex full
!
interface Ethernet5/1
no ip address
ip nat outside
shutdown
duplex full
!
interface Ethernet5/2
no ip address
shutdown
duplex half
!
interface Ethernet5/3
no ip address
shutdown
duplex full
!
interface BVI10
ip address 192.168.225.3 255.255.255.0
ip nat inside
!
ip nat inside source static 10.214.67.204 192.168.225.30
ip classless
ip route 0.0.0.0 0.0.0.0 66.227.77.33 permanent
ip route 10.214.x.0 255.255.255.0 192.168.225.1 permanent
ip route 64.14.x.0 255.255.255.0 10.136.8.1
ip route 172.18.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.18.x.128 255.255.255.224 172.28.x.x permanent
ip route 172.18.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.19.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.20.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.20.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.21.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.28.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.29.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.29.x.0 255.255.255.0 172.28.x.x permanent
ip route 172.30.x.0 255.255.255.0 172.19.x.1
no ip http server
!
no cdp run
snmp-server community stipublic RO
snmp-server packetsize 2048
snmp-server enable traps tty
bridge 10 protocol ieee
bridge 10 route ip
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
password xxx
login
line vty 5 15
password xxx
login
05-16-2007 12:05 AM
If I understand your problem correctly, you need to be able to NAT to a different IP when the same source is trying to access different destinations.
You would require NAT with route-maps for this.
NAT only uses access lists and route maps when it needs to create a translation entry. If a translation entry already exists that matches the traffic then the translation entry will be used; any access lists or route maps will not be consulted. The difference between using an access list or route map is the type of translation entry that will be created.
When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information.
Have a look at this link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
HTH, rate if it does
Narayan
05-16-2007 05:56 AM
A better way to explain it is that 192.168.1.1 is my internal LAN's interface. Let's just say 10.1.0.1 is an interface and 10.2.0.1 is another interface going to other LANs. I want all traffic coming from my internal interface (192.168.1.1) to show up as 10.1.0.1 when it goes out that interface, or show up as 10.2.0.1 if it is routed out that interface. I guess basically I need two outside interfaces.
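The two-outside-interface case described in the last post, written out with the route-map NAT approach suggested earlier in the thread. This is an added example, not a configuration posted by any participant; the interface names, /24 masks, ACL number and route-map names are assumptions, and only the 192.168.1.1, 10.1.0.1 and 10.2.0.1 addresses come from the thread.

```ios
! Added example. Interface names, masks, ACL 101 and route-map names are assumed.
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet5/1
 description Link to first remote LAN
 ip address 10.1.0.1 255.255.255.0
 ip nat outside
!
interface Ethernet5/2
 description Link to second remote LAN
 ip address 10.2.0.1 255.255.255.0
 ip nat outside
!
! Only the internal LAN is eligible for translation; anything else is
! forwarded (or dropped by other policy) without NAT.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! One route map per egress interface. Routing picks the interface first;
! "match interface" then selects the NAT rule that belongs to it.
route-map NAT-VIA-E5-1 permit 10
 match ip address 101
 match interface Ethernet5/1
!
route-map NAT-VIA-E5-2 permit 10
 match ip address 101
 match interface Ethernet5/2
!
! Overload (PAT) onto the address of whichever interface the packet leaves by.
! Route-map rules create fully extended entries, so a translation built for
! one path is not reused for traffic routed out the other interface.
ip nat inside source route-map NAT-VIA-E5-1 interface Ethernet5/1 overload
ip nat inside source route-map NAT-VIA-E5-2 interface Ethernet5/2 overload
!
! Verify from exec mode after sending traffic to both remote LANs:
!   show ip nat translations
!   show ip nat statistics
```

Each remote network still needs a route pointing out the matching interface, since NAT is applied only after the routing decision.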