dynamic nat for specific destinations only

glebpe185
Level 1

Hi Guys,

Just wondering if that's possible to perform the following NAT but only for specific destinations

ip access-list extended 150 permit 10.0.0.0 0.255.255.255 host 8.8.8.8

ip access-list extended 150 permit 10.0.0.0 0.255.255.255 host 9.9.9.9

ip nat pool src-nat-pool-1 10.254.252.1 10.254.252.254 netmask 255.255.255.0

ip nat inside source list 150 pool src-nat-pool-1 overload

Will this work?

Thanks.

3 Replies

Martin Hruby
Level 1

Hello

If you're looking to only translate internal IPs when communicating to a particular set of outside IP then the ACL will work, if you configure it like this:

access-list 150 permit ip 10.0.0.0 0.255.255.255 host 8.8.8.8
access-list 150 permit ip 10.0.0.0 0.255.255.255 host 9.9.9.9

So the ACL above matches all IP traffic from 10.0.0.0/8 to 8.8.8.8/32 or 9.9.9.9/32. Traffic not matching these access-list entries will not be subjected to network address translation.

With your definition of a NAT pool, if you use the keyword overload, then the internal source IPs from the 10.0.0.0/8 range will all start to be translated to the first available IP in the pool of global addresses (in your case 10.254.252.1), so it's not a one-to-one mapping between inside local and inside global addresses.

So for example if you issue show ip nat translations:

Pro Inside global      Inside local       Outside local      Outside global
icmp 10.254.252.1:1024 10.0.0.1:0        8.8.8.8:0          8.8.8.8:1024
icmp 10.254.252.1:1025 10.0.0.1:1        9.9.9.9:1          9.9.9.9:1025
icmp 10.254.252.1:1026 10.0.0.2:2        9.9.9.9:2          9.9.9.9:1026

Otherwise I believe your configuration will achieve what you want - to translate addresses only for a certain destination IP.

Best regards,
Martin

Hi Martin,

Many thanks for your reply.

Are you sure that the first one in the pool will always be used for PAT? What's the point of having another 253 (I am not talking about a huge network where 65000 sessions is not enough)?

I was under the impression it will use a random available one from the pool and overload it.

Thanks.

Hello

The Cisco IOS will not by default perform round-robin address translation by cycling through the NAT pool. When you overload M inside local addresses to N inside global addresses, the IOS will start with the first available address from the NAT pool and only move to the next one when the requested IP and port combination is not available. You will notice that most of the addresses are translated to the first one in the pool, fewer to the second one and even fewer to the third one.

For more information have a look at the algorithm (PAT with Multiple IP Addresses): http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html#q18

Best regards,
Martin
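To make the two points of this thread concrete (the ACL deciding which flows get translated at all, and the overload pool staying on its first address until a port clash forces it onto the next), here is an added Python model. It is not code from the thread or from Cisco IOS; it is a simplified model of the behaviour Martin describes, and the port-preservation rule, the port range and the sample flows in `demo()` are assumptions constructed for illustration.

```python
import ipaddress

# Constructed ACL entries mirroring access-list 150 from the thread:
#   permit ip 10.0.0.0 0.255.255.255 host 8.8.8.8
#   permit ip 10.0.0.0 0.255.255.255 host 9.9.9.9
ACL_150 = [
    ("10.0.0.0", "0.255.255.255", "8.8.8.8"),
    ("10.0.0.0", "0.255.255.255", "9.9.9.9"),
]


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_permits(src, dst, acl=ACL_150):
    """Walk the ACL top-down; the implicit deny at the end means 'do not translate'."""
    for base, wildcard, host in acl:
        if wildcard_match(src, base, wildcard) and dst == host:
            return True
    return False


class PatPool:
    """Simplified model (an assumption, not IOS source) of
    'ip nat inside source list 150 pool ... overload': walk the pool in order
    and stay on the first address as long as an inside-global port can be
    allocated on it."""

    def __init__(self, first, last, ports=(1024, 65535)):
        self.addresses = [str(ipaddress.IPv4Address(i))
                          for i in range(_ip(first), _ip(last) + 1)]
        self.lo, self.hi = ports
        self.used = {a: set() for a in self.addresses}   # addr -> ports in use
        self.table = []                                   # translation entries

    def _allocate(self, local_port):
        # 1. try to preserve the inside-local source port, first pool address first
        for addr in self.addresses:
            if self.lo <= local_port <= self.hi and local_port not in self.used[addr]:
                return addr, local_port
        # 2. otherwise take the lowest free port, again first pool address first
        for addr in self.addresses:
            for port in range(self.lo, self.hi + 1):
                if port not in self.used[addr]:
                    return addr, port
        raise RuntimeError("NAT pool exhausted")

    def translate(self, proto, inside_local, local_port, outside, outside_port):
        """Return the translation entry, or None when the ACL does not match."""
        if not acl_permits(inside_local, outside):
            return None
        addr, port = self._allocate(local_port)
        self.used[addr].add(port)
        entry = (proto, f"{addr}:{port}", f"{inside_local}:{local_port}",
                 f"{outside}:{outside_port}", f"{outside}:{outside_port}")
        self.table.append(entry)
        return entry

    def show(self):
        """Render the table in the style of 'show ip nat translations'."""
        lines = ["Pro  Inside global        Inside local      Outside local    Outside global"]
        for e in self.table:
            lines.append(f"{e[0]:<4} {e[1]:<20} {e[2]:<17} {e[3]:<16} {e[4]}")
        return "\n".join(lines)


def demo():
    pool = PatPool("10.254.252.1", "10.254.252.254")
    flows = [  # constructed sample flows: (proto, inside local, sport, destination, dport)
        ("tcp", "10.0.0.1", 40000, "8.8.8.8", 53),
        ("tcp", "10.0.0.2", 40000, "9.9.9.9", 53),      # port clash -> second pool address
        ("tcp", "10.0.0.3", 40001, "8.8.8.8", 53),      # free port -> back on the first address
        ("tcp", "10.0.0.4", 40000, "1.1.1.1", 53),      # destination not in ACL -> untouched
        ("tcp", "192.168.1.1", 40000, "8.8.8.8", 53),   # source outside 10/8 -> untouched
    ]
    results = [pool.translate(*f) for f in flows]
    return pool, results


if __name__ == "__main__":
    pool, results = demo()
    print(pool.show())
    print("untranslated flows:", sum(r is None for r in results))
```

Running it shows three entries on 10.254.252.1 and 10.254.252.2 only for the flow whose source port collided, while the two flows outside the ACL are left untranslated; that is the distribution Martin describes, and the reason the remaining pool addresses stay idle on a small network.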
