Solved: Router PAT Configuration

EBSU · ‎09-02-2020

Looking for configuration assistance/advice.

I have a /29 from my ISP that I want to implement on an old Cisco 7204VXR router. The first usable address will be assigned to the router interface on the other side (our ISP) as a gateway. The next usable address will go on my outside interface. I would like use the other addresses, if possible, in a PAT pool for translations. This is what I'm thinking...

x.x.x.72/29

x.x.x.73 Gateway (ISP)
x.x.x.74 Outside Interface (my router)
x.x.x.75 Pool
x.x.x.76 Pool
x.x.x.77 Pool
x.x.x.78 Pool

This configuration will replace a /30 network where everything (3 private subnets) translates to a single IP address.

For this scenario, would I implement an "ip nat pool"?

ip nat pool MyPool x.x.x.74 x.x.x.78 netmask 255.255.255.248

ip nat inside source list Subnet1 pool MyPool overload

ip nat inside source list Subnet2 pool MyPool overload

ip nat inside source list Subnet3 pool MyPool overload

Additional info: The 3 private subnets are configured as subinterfaces on a single physical interface.

Any thoughts?

Giuseppe Larosa · ‎09-02-2020

Hello @EBSU ,

I have two notes:

a) you need to combine the three ACLs in a single ACL or each line ip nat source list ... will override the previous one! NAT is triggered when going from a NAT insite to a NAT outside interface so internal routing should not be affected.

b) if in the future you would like to expose to the internet any internal server you may want to leave two public IP addresses out of the pool.

With two public addresses you can in theory serve 65,535 x 2 different flows at the same time.

so this is something to consider.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎09-02-2020

Hello @EBSU ,

I have two notes:

a) you need to combine the three ACLs in a single ACL or each line ip nat source list ... will override the previous one! NAT is triggered when going from a NAT insite to a NAT outside interface so internal routing should not be affected.

b) if in the future you would like to expose to the internet any internal server you may want to leave two public IP addresses out of the pool.

With two public addresses you can in theory serve 65,535 x 2 different flows at the same time.

so this is something to consider.

Hope to help

Giuseppe

EBSU · ‎09-02-2020

Thanks for the reply! Just for my clarification...

a) Where I have this config...

ip nat pool MyPool x.x.x.74 x.x.x.78 netmask 255.255.255.248

ip nat inside source list Subnet1 pool MyPool overload
ip nat inside source list Subnet2 pool MyPool overload
ip nat inside source list Subnet3 pool MyPool overload

ip access-list standard Subnet1
permit 10.x.0.0 0.0.63.255
ip access-list standard Subnet2
permit 10.y.0.0 0.0.63.255
ip access-list standard Subnet3
permit 10.z.0.0 0.0.63.255

Would become this?

ip nat pool MyPool x.x.x.74 x.x.x.78 netmask 255.255.255.248

ip nat inside source list AllSubnets pool MyPool overload

ip access-list standard AllSubnets
permit 10.x.0.0 0.0.63.255
permit 10.y.0.0 0.0.63.255
permit 10.z.0.0 0.0.63.255

b) Noted. Good idea!

balaji.bandi · ‎09-02-2020

yes this works as per your description :

ip nat pool MyPool x.x.x.74 x.x.x.78 netmask 255.255.255.248

ip nat inside source list AllSubnets pool MyPool overload

ip access-list standard AllSubnets
permit 10.x.0.0 0.0.63.255
permit 10.y.0.0 0.0.63.255
permit 10.z.0.0 0.0.63.255

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

EBSU · ‎09-02-2020

Thank you.