05-11-2020 07:12 PM
NAT Exemption Question...?
We have a network connected to a partner company and we NAT IP addresses from our network to theirs using Cisco routers. I now have a requirement to allow a single IP address through the same port as the NATted traffic without NATting it. (We do not have overlapping IP ranges on this specific IP address.)
I have researched this a lot and found route-maps and ACLs appear to be the way to do this.
Can anyone provide an appropriate solution or recommendation to exempt a single IP address through a NATted port (outside to inside) without affecting the existing traffic and setup?
Thanks Mark
05-13-2020 03:30 AM - edited 05-13-2020 03:36 AM
Hello Mark
@Hoggm wrote:
Hi Paul
Thanks for the response - I'm fully aware of the idea of NAT, and yes, the host address is applicable not to be NATted.
The destination subnet does have a route back toward this internal host address. We can PING the device from the inside network to the outside network; it's just that the device in the outside network cannot PING or communicate beyond the outside NATted port on my router.
As long as there is a valid host route towards that internal host, then you don't really need to do anything else for a connection from any outside host to connect to that internal host. So are you sure you don't have any other access list or security policy negating this access?
As for the internal host, if you wish for it not to be NATted when it wants to reach externally, then just negate that host from the existing NAT access-list.
Example:
ip nat inside source list NAT interface xxx
ip access-list extended NAT
 deny ip host X.X.X.Y any
 permit ip X.X.X.0 0.0.0.255 any
05-11-2020 11:15 PM
Hello,
Not sure what you are after exactly, but a simple outside-to-inside NAT exemption would be as below:
access-list 1 deny host x.x.x.x
access-list 1 permit any
!
ip nat outside source list 1 pool IPPOOL
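Putting the two exemption styles from this thread side by side (Paul's deny line in the inside-source NAT ACL, and Georg's outside-source variant with a standard ACL) in one complete IOS configuration, as an added example that is not the thread's own config. The interface names, the 10.10.10.0/24 inside subnet, the exempt inside host 10.10.10.50, the exempt partner host 198.51.100.7, the pool addresses and the ACL names are all assumptions chosen for illustration:

```cisco
! Added example configuration; addresses and names are assumed, not from the thread.
!
! Mark the inside LAN and the partner link so the router knows which
! direction each NAT rule applies to.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Link to partner network
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
! Inside-source exemption (Paul's approach).
! Order matters: the deny for the exempt host must come BEFORE the permit
! for its subnet, because the first matching line wins. A deny here only
! excludes the packet from translation; it does NOT drop it, so a NAT ACL
! must never be relied on as a security filter. Filtering belongs in an
! ACL applied to the interface.
ip access-list extended NAT
 deny   ip host 10.10.10.50 any
 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
! Outside-source exemption (Georg's approach): translate all partner
! hosts except 198.51.100.7 into the IPPOOL range. The pool is assumed.
! add-route installs a route for the translated addresses so the router
! can forward replies back toward the partner side.
access-list 1 deny   host 198.51.100.7
access-list 1 permit any
ip nat pool IPPOOL 10.10.20.1 10.10.20.254 netmask 255.255.255.0
ip nat outside source list 1 pool IPPOOL add-route
!
! Verification commands (existing IOS show commands):
!   show access-lists NAT          - confirm the deny line sits first and
!                                    its hit counter increments for 10.10.10.50
!   show ip nat translations       - 10.10.10.50 must NOT appear as an
!                                    Inside local entry
!   clear ip nat translation *     - flush stale entries after editing an
!                                    ACL that live translations still match
```

Two caveats a practitioner should check before declaring this fixed. First, the exempt host's real address now travels across the partner link unchanged, so, exactly as Paul says, the partner side needs a route back to 10.10.10.50 and nothing on the outside interface may filter it. Second, entries already in the translation table are not re-evaluated against the edited ACL, so an existing session for the host keeps being translated until it ages out or is cleared; that is the usual reason a correct ACL change appears not to work immediately.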
05-12-2020 04:03 PM
Hi Georg
Thanks for the response - I'll test this out and will report back
Cheers
Mark
05-12-2020 04:34 AM - edited 05-12-2020 04:45 AM
Hello
The idea about NAT is that you conserve publicly routable IP addressing hidden behind non-publicly routable ones, so the question first must be: is this host address applicable not to be NATted, and if so, does the destination subnet have a route back toward this internal host address?
05-12-2020 04:10 PM
Hi Paul
Thanks for the response - I'm fully aware of the idea of NAT, and yes, the host address is applicable not to be NATted.
The destination subnet does have a route back toward this internal host address. We can PING the device from the inside network to the outside network; it's just that the device in the outside network cannot PING or communicate beyond the outside NATted port on my router.
Regards
Mark
05-22-2020 03:46 AM
Thanks Paul
This fixed my issues.