cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2660
Views
0
Helpful
16
Replies

Enable SNAT for all outgoing traffic on DMZ Gi0/0/0

getaway51
Level 2
Level 2

Hi,

 

I have a situation where I need to enable SNAT for all outgoing traffic on Gi0/0/0.

Wht is the config will looks like?

Can I said tht traffic is only possible one way which is from LAN to DMZ? 

 

16 Replies 16

Hello,

 

SNAT in what context ? What does your topology look like ?

kapydan88
Level 4
Level 4

Are you talking about Cisco router like isrg1/g2 or isr4000? Can you draw scheme of your network?

Hi,

 

For all outgoing traffic going to 172.30.1.0/24 via Gi0/0/0, it's source address will need to be NAT to Gi0/0/0 interface IP.

Destination addr remains unchanged which is 172.30.1.x/24.

 

  

Hi,

Have a look at this document with example of configuring source NAT.

 

Configuring Static Translation of Inside Source Addresses

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html#GUID-6D3247E9-E78A-426A-8429-9DBB9E7D43A7

HTH

nat.JPG

R1(config)#interface Gi 0/0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#
R1(config)#interface Gi 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

ip nat inside source static local-ip global-ip

Do I need to specify local-ip global-ip? Can I use int Gi0/0/0 and Fa0/0?

The destination IP addr is 172.30.1.0/24. Whatever traffic like 10.1.1.0/24  going to 172.30.1.0/24 will be SNAT to Gi0/0/0 IP address.

R1(config)#ip nat inside source static 10.1.1.0/24 172.1.1.1

 Objective is traffic going to internet will be SNAT to int Gi0/0/2 IP address whilst traffic going to DMZ will be SNAT to int Gi0/0/0 IP address.

Thanks all for advice!!

 

Hello,

 

I don't really understand what you are after to be honest. For the source, these are your options:

 

Router(config)#ip nat inside source static ?
A.B.C.D Inside local IP address
esp IPSec-ESP (Tunnel mode) support
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol

What do you mean by SNAT?

 

1) NAT, which is implemented on the router for accessing the Internet hosts with private addresses?

2) NAT that is implemented on the asa for access between hosts behind different interfaces or subinterfaces?

Hello


@getaway51 wrote:

 Objective is traffic going to internet will be SNAT to int Gi0/0/2 IP address whilst traffic going to DMZ will be SNAT to int Gi0/0/0 IP address.

Thanks all for advice!!


Please review the attached file


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

Firstly, thanks for the config! The reason I am doing the SourceNAT is because DMZ zone(172.30.1.0/24) only has route up to 172.1.1.0/24. Therefore anything behind needs to be SNAT to DMZ interface IP address. Same like the traffic going to Internet.

So ONLY for LAN traffic going to DMZ zone(172.30.1.0/24), all source needs to be NAT to 172.1.1.1.

Is below also correct? Just for DMZ Zone

access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255

access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255

route-map DMZ

match ip address 101

ip nat source route-map DMZ interface Gi0/0/0

 

Hi,

 

Firstly, thanks for the config! The reason I am doing the SourceNAT is because DMZ zone(172.30.1.0/24) only has route up to 172.1.1.0/24. Therefore anything behind needs to be SNAT to DMZ interface IP address. Same like the traffic going to Internet.

So ONLY for LAN traffic going to DMZ zone(172.30.1.0/24), all source needs to be NAT to 172.1.1.1.

 

Is below also correct? Just for DMZ Zone

Option1

access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255

access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255

route-map DMZ

match ip address 101

ip nat source route-map DMZ interface Gi0/0/0

----------------------OR---------------------------------

Option2 

access-list 101 permit 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255

access-list 101 permit 10.5.1.0 0.0.0.255 172.30.1.0 0.0.0.255

ip nat inside source list 101 interface Gi 0/0/0 overload

 

Are both the same and does it works for my objective?

Hello

Now its much clearer, then I would use the nat  route-map as this provides scope for additional change if you wish to do so ( access, prefix-list , matching interfaces etc..)  


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

You mean both option1 and option2 can work?

I saw in your config, it has match interface gi0/0/0, is this needed or just another match criteria serve the purpose since match ip matches it already? match interface gi0/0/0-Does it mean all traffic outbound from int gi0/0/0 (i.e. going to DMZ zone) or from LAN to DMZ will match? 

 

Hello

The match interface is applicable when you wish to nat towards two differing egress natted interfaces, thus matching on the local subnet via an access/prefix list and the related wan interface.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

Can I do DNAT for traffic from DMZ zone to LAN (i.e port forwarding)? 

For example 172.1.1.1:90 going to 10.1.1.1:80. 

How the config looks like>?

Review Cisco Networking for a $25 gift card