
NAT deny not working ( No nat)

interface FastEthernet0/0
ip address 10.1.10.1 255.255.0.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.3.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat pool internet 10.1.50.50 10.1.50.50 netmask 255.255.0.0
ip nat inside source list 2 pool internet overload
ip classless
!
ip flow-export version 9
!
!
access-list2 deny 10.3.3.10 0.0.0.0
access-list 2 permit 10.3.3.0 0.0.255.255


Hello

Are you saying host 10.3.3.10 is still being NAT'ed? Also, I don't see the WAN interface having 10.1.50.x assigned to it, so does it reside with your router and is it routable?

 

sh ip nat translations *
sh ip int brief
sh ip route


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, ip nat would be 10.1.10.1, which is the WAN interface.

I want to exclude one address.

First question is: will this work?

 

You are looking to No NAT IP 10.3.3.10 - it should be as below.

 

access-list 2 deny ip 10.3.3.10

 

BB


The original poster asks if this should work. I believe that if correctly configured that it should work and the single host should not be translated but other hosts in that subnet should be translated.

@paul driver asks about the address used for the nat pool. Since FA0/0 is configured as 10.1.10.1/16 then the nat pool of 10.1.50.50 is in the subnet of the outside interface. So yes it is routable.

@balaji.bandi suggests an alternative syntax for the deny statement. I would think that either syntax should work. The mask of 0.0.0.0 is specifying a host address and is equivalent to the statement with no mask specified. Note that the access list needs the second statement which permits the subnet.

I notice one detail in the partial config in the original post:

access-list2 deny 10.3.3.10 0.0.0.0

is missing a space between list and 2. If this is something that was used for cut and paste to create the running config then the access list in running config would not have the deny and would have only the permit. Perhaps the output of show access-list would clarify what is in running config.

HTH

Rick
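
The effect described in the reply above, as an added example that is not part of the original thread: a small Python model of standard-ACL first-match evaluation with wildcard masks, run over the pasted lines and over a corrected copy. It assumes, as the reply suggests, that a line starting `access-list2` is not accepted as a command and so never reaches the running config; the names `parse_standard_acl`, `is_translated`, `PASTED` and `FIXED` are hypothetical.

```python
import ipaddress
import re

# "access-list <number> permit|deny <address> [wildcard]" (standard numbered ACL)
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

# Constructed inputs: the two ACL lines as posted, and the same lines with the space restored.
PASTED = "access-list2 deny 10.3.3.10 0.0.0.0\naccess-list 2 permit 10.3.3.0 0.0.255.255"
FIXED = "access-list 2 deny 10.3.3.10 0.0.0.0\naccess-list 2 permit 10.3.3.0 0.0.255.255"

def parse_standard_acl(config, number):
    """Return (entries, rejected) for one numbered standard ACL."""
    entries, rejected = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        m = ACL_RE.match(line)
        try:
            if m is None:
                raise ValueError("not a valid access-list command")
            addr = int(ipaddress.IPv4Address(m.group(3)))
            wild = int(ipaddress.IPv4Address(m.group(4) or "0.0.0.0"))
        except ValueError:
            # Assumption: a malformed line is refused and never enters the config.
            rejected.append(line)
            continue
        if int(m.group(1)) == number:
            entries.append((m.group(2), addr, wild))
    return entries, rejected

def is_translated(entries, host):
    """First matching entry wins; no match is the implicit deny (no NAT)."""
    h = int(ipaddress.IPv4Address(host))
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are "don't care"; all other bits must match.
        if (h ^ addr) & ~wild & 0xFFFFFFFF == 0:
            return action == "permit"
    return False

if __name__ == "__main__":
    for name, cfg in (("pasted", PASTED), ("fixed", FIXED)):
        acl, bad = parse_standard_acl(cfg, 2)
        print(name, "rejected:", bad,
              "10.3.3.10 translated:", is_translated(acl, "10.3.3.10"))
```

Comparing the `rejected` list against the output of show access-list on the router confirms whether the deny entry actually made it into access list 2.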

Hello

Yes, the deny ACE in the access-list should work

now that you’ve confirmed the WAN address is viable as a /16 subnet.



Kind Regards
Paul