NAT/ACL Any with network exclusion

gregg95062 (Level 1)

What I'm trying to accomplish is NAT all internal traffic to the internet via overloading but exclude the NAT operation from a specific source network. Stripped-down config from the CSR-1000v below. This config is NATing all traffic from the 10.30.63.0/24 network to the internet. Works great. When an inbound request is received from an internal gateway 172.31.7.25 with a destination of 10.30.63.X, the response is NAT'd to the outside interface IP, which is expected. What we want to accomplish is DO NOT NAT any traffic sourced from 172.31.7.0/24 but NAT everything else. I'm pretty sure this is possible but I can't seem to get it working. Any ideas would be appreciated.


interface Tunnel0
ip address 10.100.30.1 255.255.255.252
ip nat inside
!
interface GigabitEthernet1
description EIP 54.183.116.199 BIND 172.31.1.100
ip address dhcp
ip nat outside


ip nat translation tcp-timeout 900
ip nat translation syn-timeout 300


ip nat inside source list 103 interface GigabitEthernet1 overload
access-list 103 permit ip 10.30.64.0 0.0.0.255 any

3 Replies

Hello

I have interpreted that 172.31.7.25 is sitting behind 10.30.64/0, correct?


access-list 103 deny ip host 172.31.7.25 any

access-list 103 permit ip 10.30.64.0 0.0.0.255 any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,


Thanks for your reply, it is much appreciated. The topology for this case is below. The Cisco device is a CSR-1000v which resides in AWS. Once the NAT ACL is applied, "access-list 103 permit ip 10.30.63.0 0.0.0.255 any", all traffic forwards to the internet. This works as expected. When traffic is sourced from 172.31.7.25 to a host 10.30.63.1 on the overload network, the return/response packet is always stamped with the source IP of the CSR, 172.31.3.100, even when we apply the deny ACL. What we are trying to accomplish is having the CSR not NAT traffic from 172.31.7.25, so the response received from the 10.30.63.0/24 network is not NAT'd. Hope this helps, as this one has me stumped.


-Gregg


[Image: source_nat.jpg (topology diagram)]


Still looking for some assistance on this one if anyone can help.
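An added example (not configuration posted in this thread) of the ACL ordering that makes the exclusion work. The key point is that `ip nat inside source list` is evaluated on packets travelling from the inside interface to the outside interface, so the packet it sees for the return flow is sourced from 10.30.63.x and destined to 172.31.7.25. A `deny ip host 172.31.7.25 any` entry therefore never matches that packet; the deny has to match on the destination, and it has to sit above the permit because the ACL is first-match. The example assumes the inside network is 10.30.63.0/24 as described in the text (the posted config shows 10.30.64.0/24; use whichever is the real tunnel-side network) and that 172.31.7.0/24 is reached via the outside interface.

```cisco
! Added example, not from the thread. Assumptions: inside network is
! 10.30.63.0/24 and 172.31.7.0/24 is reached through GigabitEthernet1.
!
! Rebuild ACL 103 with the exemption first. The deny matches on the
! DESTINATION (the private network we must not translate toward); a deny
! on source 172.31.7.25 would never match inside-to-outside traffic.
no access-list 103
access-list 103 deny   ip 10.30.63.0 0.0.0.255 172.31.7.0 0.0.0.255
access-list 103 permit ip 10.30.63.0 0.0.0.255 any
!
ip nat inside source list 103 interface GigabitEthernet1 overload
!
! Existing translation entries are not re-evaluated against the edited ACL,
! so flows that were already translated keep being translated until they
! time out. Clearing the table (this drops in-flight sessions) makes the
! exemption take effect immediately.
clear ip nat translation *
!
! Verification: the deny line's match counter should increase for traffic
! toward 172.31.7.0/24, and no translation entry should be created for it.
show access-lists 103
show ip nat translations
```

If the 172.31.7.0/24 side should also be treated as a private, untranslated neighbour for new flows it initiates, the same destination-based deny covers it, since those replies are the only direction in which the NAT rule is consulted.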
