How to nat between 2 interfaces

vidalgenel
Level 1

Hello all,

I am using a 1941 Cisco router and I have to perform NAT between two interfaces.

The first interface will allow only a specific VLAN and the other will NAT all the rest of the network.

How can I achieve that?

2 Accepted Solutions


Hi Vidal,

As per my understanding, you are trying to use NAT for two separate outside interfaces, probably links by two ISPs.

Check this document:

https://supportforums.cisco.com/docs/DOC-8313

It has your scenario explained in terms of NATing. Basically, what you need is to implement Policy Based NAT, where a route-map will be applied on the "ip nat inside source" command which will match the ACL as well as the outgoing interface.

Another useful link for this would be:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

Hope it helps

Neeraj


Hello,

If I understand correctly, you want to NAT based on source from different IPs, to different interfaces? You could do this - as an example:

Your ACLs

!
ip access-list extended ACL_ANY
 permit ip any any
!
ip access-list extended ACL_192
 permit ip 192.168.30.0 0.0.0.255 any
 deny ip any any
!

Your Policy Based Route-Maps

!
route-map PBR permit 10
 match ip address ACL_192
 set ip next-hop x.x.x.x
!
route-map PBR permit 20
 match ip address ACL_ANY
 set ip next-hop y.y.y.y
!

(doesn't have to be ip next-hop, can be interface exit point too)

Route-maps for your NAT statements

!
route-map NAT_192 permit 10
 match ip address ACL_192
 match interface XXXX
!
route-map NAT_ANY permit 10
 match ip address ACL_ANY
 match interface YYYY
!

(Interface will be where the next hop IP will live, i.e. exit point)

Policy based routing on the inside interface

!
interface LOCAL
 ip nat inside
 ip policy route-map PBR
!
interface XXXX
 ip nat outside
!
interface YYYY
 ip nat outside
!

Your NAT statements

ip nat inside source route-map NAT_ANY interface YYYY overload
ip nat inside source route-map NAT_192 interface XXXX overload

I think this will do it...

I hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
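
Added example (not part of the original posts, and not Cisco code): a small Python model of the configuration above, showing why each NAT route-map carries a "match interface" line. Because ACL_ANY permits everything, 192.168.30.0/24 also matches NAT_ANY; only the egress-interface check keeps it from being translated to the address of the wrong link. The first-match evaluation in listed order is a simplifying assumption of this model, not a statement about IOS internals.

```python
import ipaddress

# Constructed model of the answer's config; XXXX / YYYY are the page's placeholders.
ACLS = {
    "ACL_192": [ipaddress.ip_network("192.168.30.0/24")],  # permit ip 192.168.30.0 0.0.0.255 any
    "ACL_ANY": [ipaddress.ip_network("0.0.0.0/0")],        # permit ip any any
}
# route-map PBR in sequence order: (ACL, exit interface reached via set ip next-hop)
PBR = [("ACL_192", "XXXX"), ("ACL_ANY", "YYYY")]
# ip nat inside source statements in the order posted: (ACL, match interface, NAT interface)
NAT_RULES = [("ACL_ANY", "YYYY", "YYYY"), ("ACL_192", "XXXX", "XXXX")]


def acl_permits(acl, src):
    """True if the source address matches a permit entry of the ACL."""
    return any(ipaddress.ip_address(src) in net for net in ACLS[acl])


def egress(src):
    """The first matching PBR sequence decides the exit interface."""
    for acl, iface in PBR:
        if acl_permits(acl, src):
            return iface
    return None  # would fall through to the routing table (not modelled)


def nat_interface(src, check_interface=True):
    """Interface whose address the source is translated to.

    check_interface=False models NAT route-maps without 'match interface'.
    """
    out = egress(src)
    for acl, match_if, nat_if in NAT_RULES:
        if acl_permits(acl, src) and (not check_interface or match_if == out):
            return nat_if
    return None


def audit(sources, check_interface=True):
    """Sources translated to an interface other than the one they leave by."""
    return [s for s in sources if nat_interface(s, check_interface) != egress(s)]


if __name__ == "__main__":
    hosts = ["192.168.30.10", "10.1.1.5"]  # constructed sample inside hosts
    print("with match interface   :", audit(hosts))
    print("without match interface:", audit(hosts, check_interface=False))
```

With "match interface" in place the audit list is empty; without it, 192.168.30.10 leaves via XXXX but is translated to the address of YYYY.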


5 Replies

Reza Sharifi
Hall of Fame

My problem is that I have two interfaces that I should NAT to the internet. I want to route only one network to one interface and all the other traffic to the other interface. How can I do that?

The link you sent me didn't mention this case.

This is what i have configured:

ip nat inside source list MY-NAT-Acl interface Vlan999 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended MY-NAT-Acl
 permit ip any any
!
access-list 100 permit ip 192.168.30.0 0.0.0.255 host 0.0.0.0
!
route-map Voip-Line permit 10
 match ip address 100
 set ip next-hop x.x.x.x
 set ip next-hop verify-availability
!


E31qinhaijun
Level 1

Hi,

I have met this problem. According to the general situation, config the NAT on the two interfaces. The key is using extended ACLs to control how the packets go.
