11-10-2011 12:56 AM - edited 03-04-2019 02:13 PM
Hello,
I have a problem with configuring policy NAT on a Cisco router which has only one public IP address.
This IP address is used in a static NAT to allow the LAN firewall to connect to the internet.
This works okay.
Now the IP address 9.9.9.9 needs to connect to the real IP 198.10.20.1, so it must not be natted.
I have tried to accomplish this with a route-map but it doesn’t work.
Is there another way to make sure that these connections are not NATed?
interface FastEthernet0/0
ip address 198.10.20.1 255.255.255.252
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.10.20.2
ip nat inside source static 192.168.1.10 198.10.20.1 route-map policy-nat
!
ip access-list standard no-nat
deny 9.9.9.9
permit any
!
route-map policy-nat permit 10
match ip address no-nat
11-11-2011 04:57 AM
Hi,
That was giving me the same thought.
Please rate the helpful posts.
Regards,
Naidu.
11-10-2011 01:30 AM
Hi,
9.9.9.9 is a public IP, so it should enter your router on the public side, no? So it would never be NATed anyway.
Can you provide a diagram or sketch to help understand what you want to do because this is not clear.
Regards.
Alain
11-10-2011 02:03 AM
Hi Alain,
Correct 9.9.9.9 is connected to the public side. (inbound)
Static natting works in both ways.
I am using GNS to test this; the IPs used are not real.
I do not want to NAT when I connect from 9.9.9.9, from all other IP's the NAT should be used.
I am testing from R1 (8.8.8.8) and from R2 (9.9.9.9); on both occasions IP 198.10.20.1 is NATed to 192.168.1.10.
Somehow the deny statement in the ACL is not taken into account; on both occasions the permit is hit.
Before test:
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 198.10.20.1 192.168.1.10 --- ---
R3#
After test:
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 198.10.20.1:23 192.168.1.10:23 8.8.8.8:13990 8.8.8.8:13990
tcp 198.10.20.1:23 192.168.1.10:23 9.9.9.9:55750 9.9.9.9:55750
--- 198.10.20.1 192.168.1.10 --- ---
R3#sh access-li
Standard IP access list no-nat
10 deny 9.9.9.9
20 permit any (2 matches)
11-10-2011 02:31 AM
Hi,
I don't understand exactly what you want to do. You did a static NAT on R3 so you can access a machine in the 192.168.1.0 network from outside even if you have no route for this network? To simulate someone accessing an inside resource from the internet?
But you don't want this external ip to access this inside subnet ?
Alain
11-10-2011 03:03 AM
Hi Alain,
The configured static NAT is used for outbound and inbound connections to 192.168.1.10.
Routing is in place:
R3#sh ip route
....
Gateway of last resort is 198.10.20.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
C 198.10.20.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 198.10.20.2
When the source is 9.9.9.9 I need to connect to the real IP 198.10.20.1, and NOT the NAT IP 192.168.1.10.
All other connections should use the nat but that is working fine.
11-10-2011 02:32 AM
Hi sravesteijn, can you change the access-list statement like below:
ip access-list extended no-nat
deny ip any host 9.9.9.9
permit ip any any
Hope this helps
Ali TADIR
11-10-2011 02:50 AM
Hi Altadir,
I have done what you suggested but it didn't help.
Thanks for looking into this.
11-10-2011 05:02 AM
Hi,
You need to deny 9.9.9.9 in your global NAT pool.
So whenever 9.9.9.9 tries to connect to 198.10.20.1, it won't get NATed and can be accessed.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
11-10-2011 05:27 AM
Hi Naidu,
Can you please explain how I can configure this?
11-10-2011 05:34 AM
Hi,
I may not be able to give you the exact configuration which suits you, but see the example config below from one of my sites.
ip nat pool nonat 206.206.206.5 206.206.206.5 netmask 255.255.255.0
ip nat inside source route-map nonat pool nonat mapping-id 1 overload
ip access-list extended NONAT
deny ip 10.24.2.0 0.0.0.255 9.9.9.2 0.0.0.255
route-map nonat permit 10
match ip address NONAT
Please rate the helpful posts.
Regards,
Naidu.
11-11-2011 02:16 AM
Hi Naidu,
I configured it like you suggested, but it only works partially, which is not good enough.
Outbound NATing works OK (192.168.1.10 is translated to 198.10.20.1).
Inbound connections from 9.9.9.9 to 198.10.20.1 work OK; these connections are not translated.
However, other inbound connections, from for example 8.8.8.8, are translated to 198.10.20.1:
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 198.10.20.1:23 198.10.20.1:23 8.8.8.8:21082 8.8.8.8:21082
interface FastEthernet0/0
ip address 198.10.20.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 198.10.20.2
!
ip nat pool nonat 198.10.20.1 198.10.20.1 netmask 255.255.255.252
ip nat inside source route-map nonat pool nonat
!
ip access-list extended NONAT
deny ip host 198.10.20.1 host 9.9.9.9 log
permit ip any any log
!
!
route-map nonat permit 10
match ip address NONAT
Do you have any other suggestions?
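The ACL hit counters posted earlier in this thread (the deny on 9.9.9.9 never matched, `permit any` took both hits) and the NONAT ACL in the post above both come down to which addresses the route-map ACL is actually compared against. The Python model below is an added illustration, not code from this thread or from Cisco. It implements Cisco named-ACL matching (top-down, first match wins, wildcard masks, implicit deny at the end; a standard ACL tests only the source address) and runs the ACLs posted in this thread through it. One assumption is built in and labelled in the code: the route-map ACL of `ip nat inside source` is evaluated against the inside-to-outside packet before translation, so the source it sees is the inside local address 192.168.1.10 and never the inside global 198.10.20.1. The flows and the IOS-style sequence numbers (10, 20, ...) are constructed for the example.

```python
"""Model of Cisco IOS named-ACL matching as seen by a NAT route-map.

Added example, not from the thread or from Cisco. Assumption: the route-map
ACL for `ip nat inside source` is evaluated on the inside-to-outside packet
before translation, so the source address it sees is the inside local
address (192.168.1.10), not the inside global address (198.10.20.1).
"""
from dataclasses import dataclass, field
from ipaddress import AddressValueError, IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # (base, wildcard) for the keyword "any"

def _is_ipv4(tok: str) -> bool:
    try:
        IPv4Address(tok)
        return True
    except AddressValueError:
        return False

def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

@dataclass
class Entry:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", ...; standard ACL entries behave like "ip"
    src: tuple         # (base, wildcard)
    dst: tuple         # (base, wildcard); ANY for standard ACLs
    hits: int = 0      # what `show access-lists` reports as "(n matches)"

@dataclass
class Acl:
    name: str
    kind: str          # "standard" or "extended"
    entries: list = field(default_factory=list)

def _parse_addr(tokens, i, standard):
    """Parse one address spec at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2      # explicit "base wildcard"
    if standard:                                      # bare address in a standard ACL = host
        return (tokens[i], "0.0.0.0"), i + 1
    raise ValueError(f"extended ACL entry needs a wildcard after {tokens[i]}")

def parse_acl(text: str) -> Acl:
    """Parse `ip access-list standard|extended NAME` followed by its entries."""
    acl = None
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:
            acl = Acl(name=tokens[3], kind=tokens[2])
            continue
        seq = 10 * (len(acl.entries) + 1)             # IOS numbers entries 10, 20, ...
        if acl.kind == "standard":
            src, _ = _parse_addr(tokens, 1, standard=True)
            acl.entries.append(Entry(seq, tokens[0], "ip", src, ANY))
        else:
            src, i = _parse_addr(tokens, 2, standard=False)
            dst, _ = _parse_addr(tokens, i, standard=False)   # a trailing "log" is ignored
            acl.entries.append(Entry(seq, tokens[0], tokens[1], src, dst))
    return acl

def evaluate(acl: Acl, src: str, dst: str, proto: str = "tcp"):
    """First matching entry wins; returns (action, seq). seq None = implicit deny."""
    for e in acl.entries:
        if e.proto not in ("ip", proto):
            continue
        if not matches_wildcard(src, *e.src):
            continue
        if acl.kind == "extended" and not matches_wildcard(dst, *e.dst):
            continue
        e.hits += 1
        return e.action, e.seq
    return "deny", None

# The ACLs as posted in the thread.
STANDARD_NO_NAT = "ip access-list standard no-nat\n deny 9.9.9.9\n permit any\n"
EXTENDED_NO_NAT = "ip access-list extended no-nat\n deny ip any host 9.9.9.9\n permit ip any any\n"
NONAT = ("ip access-list extended NONAT\n"
         " deny ip host 198.10.20.1 host 9.9.9.9 log\n permit ip any any log\n")

def route_map_decision(acl_text: str, src: str, dst: str):
    """What `match ip address ACL` in the NAT route-map decides for one flow."""
    return evaluate(parse_acl(acl_text), src, dst)

if __name__ == "__main__":
    # Constructed inside-to-outside flows: the inside host talking to each outside router.
    for name, acl in (("standard", STANDARD_NO_NAT), ("extended", EXTENDED_NO_NAT), ("NONAT", NONAT)):
        for outside in ("8.8.8.8", "9.9.9.9"):
            print(f"{name:9s} 192.168.1.10 -> {outside}:", route_map_decision(acl, "192.168.1.10", outside))
```

Under that assumption the model reproduces the counters from the first test: the standard ACL only ever compares the source, and the source of the inside-to-outside packet is 192.168.1.10, so `deny 9.9.9.9` cannot match and both flows land on `permit any`. The extended `deny ip any host 9.9.9.9` does match the flow towards 9.9.9.9 in the model, so the report above that it made no difference points at something other than ACL matching, namely how the router handles outside-to-inside packets that hit an existing static entry. Two checks worth making against the NONAT ACL in the post above: its deny names 198.10.20.1 as the source, which is the translated address and is never what the pre-translation ACL sees, so that entry is dead; and an ACL consisting of a single deny line, like the one-line NONAT example quoted earlier in the thread, permits nothing at all because of the implicit deny, so a route-map built on it never matches any flow.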
11-11-2011 02:26 AM
Hi,
Why do you need to worry about the outside local and outside global?
Those can be anything. If you are accessing your NATed IP from anywhere in the world, that gateway/IP would be your outside global and local.
And let me know whether you achieved what you desired or still have any issues or trouble. If so, let me know what exactly you want to achieve.
Please rate the helpful posts.
Regards,
Naidu.
11-11-2011 02:50 AM
Hi Naidu,
Outbound connections from 192.168.1.10 are translated to 198.10.20.1 when it connects to the internet; this works OK.
Inbound connections from IP 9.9.9.9 should connect to 198.10.20.1 without being forwarded to 192.168.1.10, this works ok.
All other inbound connections to 198.10.20.1 should be forwarded to 192.168.1.10, that is not working.
And that is a requirement.
Thanks for your help!
11-11-2011 03:00 AM
Hi,
Then keep only the NAT statement below and don't change your global NAT and pool (NONAT) which I suggested in my previous post.
ip nat inside source static 192.168.1.10 198.10.20.1
Please rate the helpful posts.
Regards,
Naidu.
11-11-2011 03:27 AM
Hi,
I have already tried that, but that doesn't solve my problem.
The static NAT will then take precedence over the other NAT config,
and all connections are being forwarded to the inside IP 192.168.1.10.