multiple NAT overload statements to same interface

joshuacmoore · ‎03-21-2015

Hello, I have a very fundamental question. Would it be possible or correct to configure a router with multiple overload statements to the same WAN interface? Example:

ip access-list extended NAT1

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended NAT2

permit ip 192.168.1.0 0.0.0.255 any

ip NAT inside source list NAT1 interface fa0/0 overload

ip NAT inside source list NAT2 interface fa0/0 overload

rakeshvelagala · ‎03-21-2015

Why not put those two statements in one access list.

It should work.

joshuacmoore · ‎03-22-2015

I know multiple in one ACL will work but I want to know if multiple statements is OK too.

Jon Marshall · ‎03-22-2015

Yes you can use multiple NAT statements and it will work.

But I would say it doesn't make a lot of sense to do it because you are overloading to the same interface so if I saw that configuration I would wonder why it had been done.

Jon

joshuacmoore · ‎03-23-2015

It's there for granularity and simplicity of config. Say you had two separate ACLs that referenced two physical interfaces designated as "ip nat inside". It's a lot easier to follow two separate overload statements for each inside interface. I've seen similar logic applied with the highly object oriented NAT within the ASA configuration.

Is there ANY known issues with having multiple overload statements like this?

Jon Marshall · ‎03-23-2015

Everybody is different but to me you don't get any more granularity or simplicity you just end up with more acls and NAT statements in your configuration and the simpler the configuration the better as far as I am concerned, especially when troubleshooting.

But that's just my opinion and you think differently.

I haven't used multiple acls and NAT statements as you propose but I can't see how there would be any issues unless you accidentally had an entry in one acl that covered traffic that was meant to be matched by another acl.

Jon