Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1782
Views
5
Helpful
7
Replies

NAT a specific host outbound to a specific public IP, not the NAT pool

Go to solution
jbankstonps
Level 1
Level 1

‎08-25-2022 09:06 AM - last edited on ‎08-26-2022 02:33 AM by Community Manager

I have a NAT issue that has been nagging me forever.

My Internet router has nat overload pool configured for PAT outbound from the internal RFC-1918 network. This works fine. I have inside source nat configured for inbound NAT of a public IP to a host inside RFC-1918 IP. This too works fine.

But..... I want that same inside host when going outbound to the internet to nat outbound using the same public as the inside uses. When the inside host goes outbound right now, its public IP is shown as the router's interface IP in the PAT pool and not the static NAT.

IP fudged to protect security.

router outside interface: 1.1.1.1

host IP: 172.16.14.14

static inside source NAT: 172.16.14.14 NATs to 1.1.1.10 for inbound traffic

Can this be done so host's outbound traffic flow shows coming from 1.1.1.10 instead of the 1.1.1.1 PAT pool?

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎08-25-2022 12:39 PM - last edited on ‎08-26-2022 02:35 AM by Community Manager

Hello

@jbankstonps wrote:

static inside source NAT: 172.16.14.14 NATs to 1.1.1.10 for inbound traffic

Can this be done so host's outbound traffic flow shows coming from 1.1.1.10 instead of the 1.1.1.1 PAT pool?

Deny that inside host from your dynamic pat acl and then create a static nat statement.
Example:


access-list 100 deny host 172.16.14.14 any
access-list 100 permit ip 172.16.14.0 0.0.0.255 any
ip nat inside source-list 100 interface <wan> overload
ip nat inside source static 172.16.14.14 1.1.1.10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
7 Replies 7

Go to solution
MHM Cisco World
VIP
VIP

‎08-25-2022 09:11 AM

small lab and share result soon 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎08-25-2022 09:40 AM - last edited on ‎08-26-2022 02:34 AM by Community Manager

I do small lab and success 
in dynamic NAT instead of use list use

route-map

as following 

 


ip nat inside source
 route-map
ANY interface X/X overload 
!
route-map ANY permit 10
match ip address 100 
!
ip access-list extended 100 
permit ip <LAN><LAN MASK> any 

 

0 Helpful

Go to solution
jbankstonps
Level 1
Level 1
In response to MHM Cisco World

‎08-25-2022 10:14 AM - last edited on ‎08-26-2022 02:38 AM by Community Manager

not what I was looking for.

all other inside hosts go outbound using the PAT interface nat but I need the one host to go outbound using a static nat so that the public internet sees the host's public IP as the 1.1.1.10 while the other inside hosts' will be shown as coming from the 1.1.1.1 interface PAT IP. I tried a

 route-map

to force the host's nat that way and it didn't work.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to jbankstonps

‎08-25-2022 10:34 AM

hghghghghghgh.pngkkkkkkkkkkkkkkk.pngusing the static NAT I can telnet from R2 to R3 
jjjjjjjj.pngUsing dynamic NAT I can ping from R3 to R2 

0 Helpful

Go to solution
paul driver
VIP
VIP

‎08-25-2022 12:39 PM - last edited on ‎08-26-2022 02:35 AM by Community Manager

Hello

@jbankstonps wrote:

static inside source NAT: 172.16.14.14 NATs to 1.1.1.10 for inbound traffic

Can this be done so host's outbound traffic flow shows coming from 1.1.1.10 instead of the 1.1.1.1 PAT pool?

Deny that inside host from your dynamic pat acl and then create a static nat statement.
Example:


access-list 100 deny host 172.16.14.14 any
access-list 100 permit ip 172.16.14.0 0.0.0.255 any
ip nat inside source-list 100 interface <wan> overload
ip nat inside source static 172.16.14.14 1.1.1.10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
jbankstonps
Level 1
Level 1
In response to paul driver

‎08-25-2022 12:54 PM - last edited on ‎08-26-2022 02:36 AM by Community Manager

with a slight twist...... I had to remove the static nats being used at the port level and then put in one single nat IP to IP, without any extendable port nats

ip nat inside source static tcp 172.16.14.14 25 1.1.1.10 25 extendable

 

and all the other ports nats were replaced with a single

 

ip nat inside source static 172.16.14.14 1.1.1.10

 

and it works now!

very cool, thank you, just some additional feedback as the port nats were part of the complication.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to jbankstonps

‎08-25-2022 01:17 PM

it work what, can you ping now from 172.16.14.14 to 8.8.8.8 ? or it work can you access from Out to 172.16.14.14 using port 25 ?
can you elaborate?

0 Helpful
Customers Also Viewed These Support Documents