complexymetron
Beginner

NAT to two outside interfaces with different routes (only 1 ISP)

Hello All,

I have an 1841 router with one NAT inside interface and one outside interface. Until last week it was a standard internet access router with a static IP on the outside interface leading to the ISP.

Now my customer (C) needs to access another network of one of his customers (D) via an extra VPN router provided by that customer D. The VPN router only presents 5 usable addresses to the customer (/29) so I need NAT to let everyone on the inside network access that network. For connecting the VPN router to my 1841 I installed an HWIC-1FE extra routed port and connected the VPN router there. Now I have 3 ports on the 1841:

- FE0/0 to internal network

- FE0/1 to ISP network

- FE0/0/0 to VPN router of customer D

I'm able to ping the VPN router. I added the remote networks of the D-customer and was able to ping those as well from the 1841.

But I have to tell the 1841 that it has to do NAT on FE0/0/0 as well. I didn't succeed and I was only able to find solutions to the "two NAT interfaces to two ISPs" problem. I tried to add "ip nat inside source list 7 interface FastEthernet0/0/0 overload", but that replaced the existing one and prohibited internet access.

Could anyone give me a push into the right direction?

This is the configuration of the interfaces (networks and IPs were replaced):

interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description WAN
ip address 10.0.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
description to VPN Router
ip address 10.2.2.2 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip default-network 192.168.0.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.1.254
ip route 192.168.100.0 255.255.255.0 10.2.2.1 permanent
ip route 160.160.0.0 255.255.0.0 10.2.2.1 permanent
ip route 170.170.0.0 255.255.0.0 10.2.2.1 permanent
ip route 192.168.0.0 255.255.255.0 10.0.1.254
!
!
ip http server
ip dns server
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.10 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.0.10 22 interface FastEthernet0/1 22
!
access-list 7 permit 192.168.0.0 0.0.0.255
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any

Nagendra Kumar Nainar
Cisco Employee

Hi Alex,

Am I assuming right that you need to perform NAT based on the outgoing interface? If yes, try using a route-map to match the source as well as the interface.

In your case, 192.168.0.0/24 is the source. So try configuring the below:

access-list 1 permit 192.168.0.0 0.0.0.255
!
route-map NAT_TO_ISP
 match ip address 1
 match interface f0/1
!
route-map NAT_TO_VPN
 match ip address 1
 match interface f0/0/0
!
ip nat inside source route-map NAT_TO_ISP interface f0/1 overload
ip nat inside source route-map NAT_TO_VPN interface f0/0/0 overload

Try the same and let us know if it helps.

HTH,

Nagendra

That did it. Works like a charm. Thank you!

The route-map method worked! Thanks!

Talha Ansari
Beginner

I believe that there is one solution but I'm not 100% sure. If possible, try this:

I see that you have configured a standard access-list 7 in which you have defined the source of the traffic which you are NATting on the internet interface. I would suggest you remove the standard access-list and create two extended access-lists: in one access-list you permit the source and destination of the networks that are across the VPN router, and in the other access-list you deny the source and destination to the networks across your VPN router but permit the rest.

Example: suppose you create access-lists 110 and 111.

Your access-lists should look like this:

access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 160.160.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 170.170.0.0 0.0.255.255
access-list 110 deny ip any any
!
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 160.160.0.0 0.0.255.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 170.170.0.0 0.0.255.255
access-list 111 permit ip any any
!
ip nat inside source list 111 interface FastEthernet0/1 overload
ip nat inside source list 110 interface FastEthernet0/0/0 overload

What this should do is NAT the packets based on source and destination addresses as well.

If possible, try this and let us know if it works.
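To make the difference between the two answers concrete, here is an added example (not code from the thread or from Cisco) that models the router's longest-prefix routing lookup with the sanitised routes from the original post, then computes which outside interface each approach would translate a flow to: the route-map approach follows the routing table, while the extended-ACL approach depends on its destination list staying in sync with the routes. Interface names, prefixes and the probe addresses are taken from or constructed around the thread's configuration.

```python
import ipaddress

# Constructed from the thread's sanitised configuration: static routes and the
# interface behind each next hop. Added example, not the posters' own code.
ROUTES = {  # prefix -> egress interface; longest prefix wins
    "0.0.0.0/0": "f0/1",            # default via 10.0.1.254 (ISP)
    "192.168.100.0/24": "f0/0/0",   # via 10.2.2.1 (VPN router of customer D)
    "160.160.0.0/16": "f0/0/0",
    "170.170.0.0/16": "f0/0/0",
}
INSIDE = ipaddress.ip_network("192.168.0.0/24")      # access-list 1 / 7
ACL110_DST = [ipaddress.ip_network(p) for p in       # extended access-list 110
              ("192.168.100.0/24", "160.160.0.0/16", "170.170.0.0/16")]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix-match lookup; IOS routes the packet before inside NAT."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()
            if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def nat_by_route_map(src, dst, routes=ROUTES):
    """Accepted answer: route-map = source ACL 1 AND egress interface, so the
    translated address is always that of the interface the packet leaves on."""
    if ipaddress.ip_address(src) not in INSIDE:
        return None                      # not an inside host: no translation
    return egress_interface(dst, routes)  # NAT_TO_ISP -> f0/1, NAT_TO_VPN -> f0/0/0

def nat_by_extended_acl(src, dst):
    """Talha's alternative: ACL 110 picks f0/0/0 by destination, ACL 111 the
    rest. The choice never consults the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in INSIDE:
        return None
    return "f0/0/0" if any(d in n for n in ACL110_DST) else "f0/1"

def acl_drift(extra_routes):
    """Edge case: customer D announces more prefixes via 10.2.2.1 but ACL 110
    is not updated. Returns probe destinations whose ACL-chosen translation no
    longer matches the interface the packet actually exits on."""
    routes = {**ROUTES, **{p: "f0/0/0" for p in extra_routes}}
    bad = []
    for p in extra_routes:
        probe = str(ipaddress.ip_network(p)[1])   # first host of the new prefix
        if nat_by_extended_acl("192.168.0.10", probe) != egress_interface(probe, routes):
            bad.append(probe)
    return bad
```

A non-empty result from acl_drift means flows to the new prefix would be translated to the ISP-side address while leaving via f0/0/0, which is exactly the class of mismatch the interface-matching route-map avoids.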

Hi Talha Ansari,

The route-map approach worked, so I didn't try your solution. Thanks for the advice!