07-22-2010 07:37 AM - edited 03-04-2019 09:09 AM
I have a 3845 with one T1 we use for public DNS queries and DNS transfers. We are doing NAT on the outside. Nothing else is on that T1. It's only for DNS.
Now I am adding a DS3 circuit on the same 3845 for Internet access for users on my LAN. We are going to NAT on the outside as well. How can I set up different NAT pools for different interfaces? Does anyone have an example of what that looks like?
Many thanks for all help!
07-29-2010 04:15 PM
ip nat inside source access-list 101 interface DS3 overload
Access-list 101 will contain the allowed subnets to be NATted to the DS3, and the overload keyword is basically saying that this is PAT and not NAT.
Maybe you can have the same NAT statement for the DNS so that you can control what gets translated on this router.
Hope this helps
Regards
Syed
07-29-2010 07:39 PM
Use the document below; this will help you configure it:
https://supportforums.cisco.com/docs/DOC-831
Note:
The route-maps below are very important:
route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1
For more details refer to the above link.
Also in this document you see the NAT configured something like:
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload
However, if you want to use NAT pools you can create two pools, for example pool1 and pool2,
then apply each one to the right NAT line (where the route-map matches the OUTGOING interface).
Good luck.
If helpful, rate.
08-05-2010 05:59 AM
OK, I am trying to understand this. I don't want to break anything like DNS, so my next question would be:
Can I keep the current config as is and introduce policy NATing for the new DS3 circuit without touching the old stuff?
08-05-2010 06:27 AM
Here is the current config. Like I said before, the T1 is used for public DNS queries and zone transfers only. If you need to see more I can supply...
ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
ip nat inside source static 10.1.4.221 175.211.21.206
ip nat inside source static 192.168.40.11 209.99.98.21
ip nat inside source static 192.168.40.12 209.99.98.22
ip nat outside source list NAT_outside pool nat_pool_outside
interface Serial0/0/0:1
description Qwest - T1
ip address 63.63.63.138 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
interface GigabitEthernet0/0.10
description to Edge Firewall
encapsulation dot1Q 10
ip address 172.31.1.8 255.255.255.240
ip nat inside
ip route 0.0.0.0 0.0.0.0 63.63.63.137
192.168.40.11 and 192.168.40.12 are the DNS servers on the DMZ.
Like I said, I have a new DS3 where VPN users are going to come in. The FW will put them in a subnet and then I will route-map based on that subnet?
Confused...
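Here is how the route-map method from the earlier reply maps onto the config above, as an added example that is not from any poster in this thread. It assumes the DS3 is Serial1/0 with the public block 198.51.100.0/29 (documentation range, placeholder) and ISP next hop 198.51.100.1, and that an inbound ACL named inbound_ds3 is defined for it; the existing internet-OUT list still decides which inside hosts may be translated at all.

```cisco
! Added example, not from the thread. Placeholders: DS3 = Serial1/0,
! public block 198.51.100.0/29 (documentation range), ISP next hop 198.51.100.1.
!
! Pools: the existing T1 pool stays; one new pool for the DS3.
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat pool nat_pool_ds3_outside 198.51.100.3 198.51.100.3 netmask 255.255.255.248
!
! Route-maps: the ACL decides who may be translated, the interface decides which pool.
route-map NAT-T1 permit 10
 match ip address internet-OUT
 match interface Serial0/0/0:1
!
route-map NAT-DS3 permit 10
 match ip address internet-OUT
 match interface Serial1/0
!
! Swap the single list-based PAT line for one line per exit interface.
! Clear active translations first (exec mode) or IOS will refuse to remove the old line.
clear ip nat translation *
no ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
ip nat inside source route-map NAT-T1 pool nat_pool_qwest_t1_outside overload
ip nat inside source route-map NAT-DS3 pool nat_pool_ds3_outside overload
! The static entries for the DMZ DNS servers are untouched and still take precedence.
!
! Give the DS3 an inbound filter like the T1 already has (inbound_ds3 is a placeholder name).
interface Serial1/0
 description DS3 - user Internet access (placeholder interface name)
 ip address 198.51.100.2 255.255.255.248
 ip access-group inbound_ds3 in
 ip nat outside
!
! Routing picks the exit interface, so routing also picks the pool:
! default now via the DS3, DNS server traffic steered back to the T1 with PBR.
no ip route 0.0.0.0 0.0.0.0 63.63.63.137
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip access-list extended DNS-SERVERS-OUT
 permit ip host 192.168.40.11 any
 permit ip host 192.168.40.12 any
route-map DNS-VIA-T1 permit 10
 match ip address DNS-SERVERS-OUT
 set ip next-hop 63.63.63.137
interface GigabitEthernet0/0.10
 ip policy route-map DNS-VIA-T1
!
! Verify: show ip nat translations (T1 vs DS3 global addresses) and show route-map.
```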
08-05-2010 09:58 AM
Hello,
You could use NAT virtual interface for what you are trying to achieve.
interface
no ip nat outside
ip nat enable
exit
interface
no ip nat inside
ip nat enable
exit
Once this is done, remove all the NAT configurations and re-enter them:
no ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
no ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
no ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
no ip nat inside source static 10.1.4.221 175.211.21.206
no ip nat inside source static 192.168.40.11 209.99.98.21
no ip nat inside source static 192.168.40.12 209.99.98.22
no ip nat outside source list NAT_outside pool nat_pool_outside
ip nat pool nat_pool_outside 10.248.0.1 10.251.255.254 netmask 255.252.0.0
ip nat pool nat_pool_qwest_t1_outside 209.99.99.99 209.99.99.99 netmask 255.255.255.252
ip nat inside source list internet-OUT pool nat_pool_qwest_t1_outside overload
ip nat inside source static 10.1.4.221 175.211.21.206
ip nat inside source static 192.168.40.11 209.99.98.21
ip nat inside source static 192.168.40.12 209.99.98.22
ip nat outside source list NAT_outside pool nat_pool_outside
Then, you need to configure PBR for the DNS traffic:
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 53
route-map DNS
match ip address 101
set ip next-hop
exit
interface
ip policy route-map DNS
exit
This will ensure that DNS traffic goes through the T1 and uses the T1 pool, whereas all other traffic goes through the DS3 and uses the appropriate pool.
Hope this helps.
Regards,
NT
08-05-2010 11:06 AM
OK so in your solution you say:
interface
no ip nat outside
ip nat enable
exit
We are talking about the T1 interface here, right? Or are we creating an interface? Never heard of NAT virtual interface.
Also, would I want to remove the default route if I am using the route-maps?
Many thanks,
P.
08-05-2010 11:43 AM
Hello,
We are talking about the T1 interface. When you just enable NAT on the interface, the router creates a virtual NAT interface (NVI) and applies all NAT rules via that interface. So, based on the exit interface, the NVI will apply the NAT rules.
BTW, you need to do the same, i.e. enable NAT on the DS3 interface as well.
Hope this helps.
Regards,
NT
08-05-2010 11:48 AM
Thanks for answering my post. I really appreciate it!
But if I have different NAT policies for the T1 and DS3, how can I apply the different policies to the physical interfaces?
Sorry if you have already explained this.
MANY MANY Thanks!
08-05-2010 12:36 PM
Hello,
When you use NAT Virtual Interface (NVI), the router will apply NAT rules as per your configuration, i.e. if you define a different rule for the T3 interface than for the T1, then the NVI will apply those rules accordingly.
Hope this helps.
Regards,
NT