08-19-2015 12:05 AM - edited 03-08-2019 01:25 AM
Hi Guys,
Just wondering if it's possible to perform the following NAT but only for specific destinations:
ip access-list extended 150
 permit ip 10.0.0.0 0.255.255.255 host 8.8.8.8
 permit ip 10.0.0.0 0.255.255.255 host 9.9.9.9
ip nat pool src-nat-pool-1 10.254.252.1 10.254.252.254 netmask 255.255.255.0
ip nat inside source list 150 pool src-nat-pool-1 overload
Will this work?
Thanks.
08-19-2015 04:10 AM
Hello
If you're looking to only translate internal IPs when communicating with a particular set of outside IPs, then the ACL will work if you configure it like this:
access-list 150 permit ip 10.0.0.0 0.255.255.255 host 8.8.8.8
access-list 150 permit ip 10.0.0.0 0.255.255.255 host 9.9.9.9
So the ACL above matches all IP traffic from 10.0.0.0/8 to 8.8.8.8/32 or 9.9.9.9/32. Traffic not matching these access-list entries will not be subjected to network address translation.
With your definition of a NAT pool, if you use the keyword overload, then the internal source IPs from the 10.0.0.0/8 range will all initially be translated to the first available IP in the pool of global addresses (in your case 10.254.252.1), so it is not a one-to-one mapping between inside local and inside global addresses.
So for example, if you issue show ip nat translations:
Pro  Inside global         Inside local   Outside local   Outside global
icmp 10.254.252.1:1024    10.0.0.1:0     8.8.8.8:0       8.8.8.8:1024
icmp 10.254.252.1:1025    10.0.0.1:1     9.9.9.9:1       9.9.9.9:1025
icmp 10.254.252.1:1026    10.0.0.2:2     9.9.9.9:2       9.9.9.9:1026
Otherwise I believe your configuration will achieve what you want - to translate addresses only for a certain destination IP.
Best regards,
Martin
08-19-2015 04:44 AM
Hi Martin,
Many thanks for your reply.
Are you sure that the first one in the pool will always be used for PAT? What's the point of having another 253 of them (I am not talking about a huge network where 65000 sessions is not enough)?
I was under the impression it would use a random available one from the pool and overload it.
Thanks.
08-19-2015 05:22 AM
Hello
Cisco IOS will not by default perform round-robin address translation by cycling through the NAT pool. When you overload M inside local addresses onto N inside global addresses, IOS will start with the first available address from the NAT pool and only move to the next one when the requested IP and port combination is not available. You will notice that most of the addresses are translated to the first one in the pool, fewer to the second one and even fewer to the third one.
For more information have a look at the algorithm (PAT with Multiple IP Addresses): http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html#q18
Best regards,
Martin
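To make the behaviour described in the two replies above concrete (the ACL deciding which flows are translated, and the overloaded pool handing out ports on the first address before touching the second), here is a small Python model written for this thread. It is an added example, not IOS code and not Cisco's algorithm: the usable port range of 1024-65535, the lowest-free-port allocation order, the absence of port preservation and the lack of translation timeouts are all simplifying assumptions, and the flows fed into it are constructed.

```python
"""Model of destination-conditional PAT (NAT overload) as discussed in the thread.

Assumptions (this is an illustrative model, not IOS):
- an extended ACL of 'permit ip <src> <wildcard> host <dst>' lines selects flows;
- each pool address has ports 1024..65535 (configurable) handed out lowest-first;
- the pool moves to its next address only when the current one has no free port;
- translations never time out.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <wildcard> host <dst>' line."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard (0 bits = must match) -> dotted netmask. Contiguous masks only."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def acl_from_lines(lines):
    """Parse the ACL form used in the thread: permit ip A.B.C.D W.X.Y.Z host H.H.H.H."""
    acl = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"] or parts[4] != "host":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src = ipaddress.IPv4Network((parts[2], wildcard_to_netmask(parts[3])), strict=False)
        dst = ipaddress.IPv4Network(parts[5] + "/32")
        acl.append(AclEntry(src, dst))
    return acl


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching permit wins; no match means the flow is left untranslated."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in e.src and d in e.dst for e in acl)


class PatPool:
    """Overloaded pool: use the first address until its ports run out, then the next."""

    def __init__(self, first: str, last: str, port_low: int = 1024, port_high: int = 65535):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.addresses = [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]
        self.port_high = port_high
        self.next_port = {a: port_low for a in self.addresses}  # lowest free port per address
        # (inside local, local port, outside, outside port) -> (inside global, global port)
        self.table = {}

    def allocate(self, inside_local: str, local_port: int, outside: str, outside_port: int):
        key = (inside_local, local_port, outside, outside_port)
        if key not in self.table:
            for addr in self.addresses:  # sequential, not round-robin
                port = self.next_port[addr]
                if port <= self.port_high:
                    self.next_port[addr] = port + 1
                    self.table[key] = (str(addr), port)
                    break
            else:
                raise RuntimeError("NAT pool exhausted")
        return self.table[key]


def nat_inside_source(acl, pool: PatPool, flows):
    """Apply 'ip nat inside source list <acl> pool <pool> overload' to a list of flows.

    Each flow is (inside_local, local_port, outside, outside_port); the result per
    flow is (inside_global, global_port), or None when the ACL does not match.
    """
    results = []
    for inside_local, local_port, outside, outside_port in flows:
        if acl_permits(acl, inside_local, outside):
            results.append(pool.allocate(inside_local, local_port, outside, outside_port))
        else:
            results.append(None)
    return results


# Constructed sample: the thread's ACL and pool, plus two flows that must not be translated.
ACL_150 = acl_from_lines([
    "permit ip 10.0.0.0 0.255.255.255 host 8.8.8.8",
    "permit ip 10.0.0.0 0.255.255.255 host 9.9.9.9",
])
SAMPLE_FLOWS = [
    ("10.0.0.1", 0, "8.8.8.8", 0),       # ICMP id 0, as in the show output above
    ("10.0.0.1", 1, "9.9.9.9", 1),
    ("10.0.0.2", 2, "9.9.9.9", 2),
    ("10.0.0.3", 3, "1.1.1.1", 3),       # permitted source, destination not in ACL
    ("192.168.1.1", 4, "8.8.8.8", 4),    # destination in ACL, source outside 10/8
]

if __name__ == "__main__":
    pool = PatPool("10.254.252.1", "10.254.252.254")
    for flow, result in zip(SAMPLE_FLOWS, nat_inside_source(ACL_150, pool, SAMPLE_FLOWS)):
        print(flow, "->", result if result else "not translated")
```

Running the module reproduces the three translations Martin shows, all on 10.254.252.1 with ports 1024, 1025 and 1026, while the flows to 1.1.1.1 and from 192.168.1.1 pass untranslated. Shrinking the port range (the port_high argument) is the quickest way to watch the pool spill onto 10.254.252.2 only after 10.254.252.1 is full.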