06-06-2020 05:41 AM
Hi,
I have a situation where I need to enable SNAT for all outgoing traffic on Gi0/0/0.
What will the config look like?
Can I say that traffic is only possible one way, which is from LAN to DMZ?
06-06-2020 06:59 AM
Hello,
SNAT in what context? What does your topology look like?
06-06-2020 08:14 AM
Are you talking about a Cisco router like ISR G1/G2 or ISR 4000? Can you draw a scheme of your network?
06-06-2020 08:35 AM
Hi,
For all outgoing traffic going to 172.30.1.0/24 via Gi0/0/0, its source address will need to be NATed to the Gi0/0/0 interface IP.
The destination addr remains unchanged, which is 172.30.1.x/24.
06-06-2020 03:33 PM
Hi,
Have a look at this document with an example of configuring source NAT.
HTH
06-06-2020 07:56 PM
R1(config)#interface Gi 0/0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#
R1(config)#interface Gi 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
ip nat inside source static local-ip global-ip
Do I need to specify local-ip and global-ip? Can I use int Gi0/0/0 and Fa0/0?
The destination IP addr is 172.30.1.0/24. Whatever traffic, like 10.1.1.0/24, going to 172.30.1.0/24 will be SNATed to the Gi0/0/0 IP address.
R1(config)#ip nat inside source static 10.1.1.0/24 172.1.1.1
The objective is that traffic going to the internet will be SNATed to the int Gi0/0/2 IP address whilst traffic going to the DMZ will be SNATed to the int Gi0/0/0 IP address.
Thanks all for the advice!!
06-07-2020 12:40 AM
Hello,
I don't really understand what you are after to be honest. For the source, these are your options:
Router(config)#ip nat inside source static ?
A.B.C.D Inside local IP address
esp IPSec-ESP (Tunnel mode) support
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
06-07-2020 03:10 AM
What do you mean by SNAT?
1) NAT, which is implemented on the router for hosts with private addresses accessing the Internet?
2) NAT that is implemented on the ASA for access between hosts behind different interfaces or subinterfaces?
06-07-2020 05:09 AM
Hello
@getaway51 wrote:
The objective is that traffic going to the internet will be SNATed to the int Gi0/0/2 IP address whilst traffic going to the DMZ will be SNATed to the int Gi0/0/0 IP address.
Thanks all for the advice!!
Please review the attached file.
06-07-2020 06:08 AM
Hi,
Firstly, thanks for the config! The reason I am doing the source NAT is because the DMZ zone (172.30.1.0/24) only has a route up to 172.1.1.0/24. Therefore anything behind needs to be SNATed to the DMZ interface IP address. Same as the traffic going to the Internet.
So ONLY for LAN traffic going to the DMZ zone (172.30.1.0/24), all sources need to be NATed to 172.1.1.1.
Is the below also correct? Just for the DMZ zone:
access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255
route-map DMZ
match ip address 101
ip nat source route-map DMZ interface Gi0/0/0
06-07-2020 06:37 AM
Hi,
Firstly, thanks for the config! The reason I am doing the source NAT is because the DMZ zone (172.30.1.0/24) only has a route up to 172.1.1.0/24. Therefore anything behind needs to be SNATed to the DMZ interface IP address. Same as the traffic going to the Internet.
So ONLY for LAN traffic going to the DMZ zone (172.30.1.0/24), all sources need to be NATed to 172.1.1.1.
Is the below also correct? Just for the DMZ zone:
Option 1
access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255
route-map DMZ
match ip address 101
ip nat source route-map DMZ interface Gi0/0/0
---------------------- OR ----------------------
Option 2
access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255
ip nat inside source list 101 interface Gi 0/0/0 overload
Are both the same, and does it work for my objective?
06-07-2020 08:02 AM
Hello
Now it's much clearer. I would use the NAT route-map, as this provides scope for additional changes if you wish to do so (access lists, prefix lists, matching interfaces, etc.).
06-07-2020 08:17 AM
Hi,
You mean both option 1 and option 2 can work?
I saw in your config it has match interface gi0/0/0. Is this needed, or is it just another match criterion serving the purpose, since match ip matches it already? match interface gi0/0/0: does it mean all traffic outbound from int gi0/0/0 (i.e. going to the DMZ zone) or from LAN to DMZ will match?
06-07-2020 08:25 AM
Hello
The match interface is applicable when you wish to NAT towards two differing egress NATed interfaces, thus matching on the local subnet via an access/prefix list and the related WAN interface.
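The two-egress case described in this reply (one PAT pool per exit interface, with match interface deciding which route-map fires), written out as a complete IOS configuration. This is an added example, not a config posted in the thread or taken from the attached file. The addressing is assumed from the thread: Gi0/0/1 is the LAN inside interface, Gi0/0/0 is the DMZ link carrying 172.1.1.1, Gi0/0/2 is the Internet uplink; ACL 101 is the one from the thread, while ACL 102 and the route-map names RM-DMZ and RM-INET are assumed.

```cisco
! Added example (not from the thread). Assumed layout:
!   Gi0/0/1 = LAN inside (10.1.1.0/24, 10.5.1.0/24)
!   Gi0/0/0 = DMZ link, interface address 172.1.1.1
!   Gi0/0/2 = Internet uplink
interface GigabitEthernet0/0/1
 description LAN (inside)
 ip nat inside
!
interface GigabitEthernet0/0/0
 description DMZ link 172.1.1.1 (outside)
 ip nat outside
!
interface GigabitEthernet0/0/2
 description Internet uplink (outside)
 ip nat outside
!
! ACL 101 (from the thread, with the required "ip" protocol keyword):
! only LAN sources headed for the DMZ subnet.
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255
! ACL 102 (assumed): everything else from the LAN, i.e. Internet-bound.
! It also matches DMZ-bound packets, which is why "match interface" below
! is needed to keep the two route-maps apart.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.5.1.0 0.0.0.255 any
!
! A DMZ-bound packet is routed out Gi0/0/0, so only RM-DMZ can match it;
! an Internet-bound packet is routed out Gi0/0/2, so only RM-INET can.
route-map RM-DMZ permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map RM-INET permit 10
 match ip address 102
 match interface GigabitEthernet0/0/2
!
! "inside" and "overload" are both required: overload gives PAT to the
! interface address, which is what "SNAT to the interface IP" means here.
ip nat inside source route-map RM-DMZ interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM-INET interface GigabitEthernet0/0/2 overload
!
! Verification after generating traffic from a LAN host:
!   show ip nat translations   (expect 10.x sources rewritten to 172.1.1.1
!                               for DMZ flows, to the Gi0/0/2 address otherwise)
!   show ip nat statistics     (hit counters per dynamic mapping)
```

Compared with the thread's Option 2 (a plain `ip nat inside source list 101 interface Gi0/0/0 overload`), the route-map form behaves the same for the DMZ flows but lets you add the second egress without the two ACLs fighting over the same packets. The translation is dynamic and outbound-only: nothing in the DMZ can initiate a session to a LAN host through it, so a separate static entry is needed if the reverse direction is ever required.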
06-07-2020 08:37 AM
Hi,
Can I do DNAT for traffic from the DMZ zone to the LAN (i.e. port forwarding)?
For example, 172.1.1.1:90 going to 10.1.1.1:80.
What does the config look like?
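The port forward asked about here (DMZ host connects to 172.1.1.1:90, the router delivers it to 10.1.1.1:80), written as an added IOS example; it is not a reply from the thread. It assumes the same layout as the rest of the thread (Gi0/0/0 is the outside DMZ link owning 172.1.1.1, the LAN is inside) and that the interface address is also in use for the overload translation, which is why the `extendable` keyword is included. The ACL name DMZ-IN is assumed.

```cisco
! Added example (not from the thread). Static port translation:
!   DMZ -> 172.1.1.1:90  is delivered to  10.1.1.1:80 on the LAN.
! "extendable" is assumed to be needed because 172.1.1.1 is also the
! PAT address used by the dynamic inside-source mapping.
ip nat inside source static tcp 10.1.1.1 80 172.1.1.1 90 extendable
!
! A static entry is permanent and is reachable from any host on the
! outside interface, so scope it: an inbound ACL on Gi0/0/0 is checked
! before the outside-to-inside translation, hence it matches the
! global address 172.1.1.1, not 10.1.1.1.
ip access-list extended DMZ-IN
 remark only the DMZ subnet may use the forwarded port
 permit tcp 172.30.1.0 0.0.0.255 host 172.1.1.1 eq 90
 remark return traffic for LAN-initiated TCP sessions (PAT to 172.1.1.1)
 permit tcp 172.30.1.0 0.0.0.255 host 172.1.1.1 established
 deny ip any any log
!
interface GigabitEthernet0/0/0
 ip access-group DMZ-IN in
!
! Verification:
!   show ip nat translations | include 172.1.1.1:90
!       (the static line is present even with no traffic)
!   show access-lists DMZ-IN     (hit counts on the permit and deny lines)
```

The `established` line only covers TCP replies; if LAN hosts also need UDP or ICMP answers back from the DMZ, a plain ACL is not enough and the stateful option on IOS is a zone-based firewall policy between the two interfaces instead.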