if you only have 2 router interfaces, and on one you divide by using subinterfaces, can you NAT from one sub interface to another? They would all be tagged with 802.1Q vlan tags. assume 192.168.x.x IPs to be real, 10.x.x.x are private.

class C 192.168.0.0 /27

Something like this perhaps?:

!

interface Ethernet0/0

description connection to upstream ISP

ip address 192.168.102.98 255.255.255.252

no ip mroute-cache

full-duplex

!

!

interface Ethernet0/1

no ip address

no ip mroute-cache

full-duplex

!

interface Ethernet0/1.1

description STATIC ASSIGNMENTs to Customers on this vlan 192.168.0.1 - .30

encapsulation dot1Q 2

ip address 192.168.0.1 255.255.255.224

no snmp trap link-status

!

interface Ethernet0/1.2

description Natted /27 subnet outside addresses this would be a NATPOOL encompassing all 30 addresses in this range

encapsulation dot1Q 3

ip address 192.168.0.33 255.255.255.224

ip nat outside

no snmp trap link-status

!

interface Ethernet0/1.3

description INSIDE address ranges to be natted

encapsulation dot1Q 4

ip address 10.10.10.1 255.255.255.0

ip nat inside

no snmp trap link-status

!

interface Ethernet0/1.4

encapsulation dot1Q 5

ip address 10.12.12.1 255.255.255.0

ip nat inside

no snmp trap link-status

!

interface Ethernet0/1.5

encapsulation dot1Q 6

ip address 10.15.15.1 255.255.255.0

ip nat inside

no snmp trap link-status

ip default-gateway 192.168.102.97

ip nat pool VLAN3NATPOOL 192.168.0.34 192.168.0.62 netmask 255.255.255.224

! This would only use 192.168.0.33 for all internal addresses, correct?

ip nat inside source list 20 interface Ethernet0/1.2 overload

! Would this be the correct, in order to use the entire range of IP's?

ip nat inside source list 40 pool VLAN3NATPOOL overload

ip nat inside source list 50 interface Ethernet0/1.2 overload

access-list 20 permit 10.10.10.0 0.0.0.255

access-list 40 permit 10.12.12.0 0.0.0.255

access-list 50 permit 10.15.15.0 0.0.0.255

Thanks!