09-16-2014 02:17 AM - edited 03-07-2019 08:46 PM
I am replacing a Linux router with a Cisco device. The Linux device provides NAT services, and I have successfully configured inbound access from public addresses to private addresses. However, the Linux router has IPTables configuration as shown below which I cannot replicate in Cisco:
-A POSTROUTING -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT --to-source xx.yy.124.161 (sanitised public address)
I translated this as meaning "For packets with a source address of 10.5.10.41 and a destination address outside the range 10.5.0.0/16, translate the destination address to xx.yy.124.161".
On that basis, I created the following configuration
ip access-list extended corenat1
deny ip host 10.5.10.41 10.5.0.0 0.0.255.255
remark denies traffic source 10.5.10.41 dest 10.5.0.0 0.0.255.255
permit ip host 10.5.10.41 any
remark permits traffic source 10.5.10.41 to any
ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list corenat1 pool natpool1
This was intended to identify the traffic to NAT (access-list corenat1), then create a NAT pool with one address in it, and finally NAT the identified traffic to the new address. It does not work, and I'm not seeing any translations occurring from these commands. The NAT router simply returns "unavailable" when pinging is attempted.
Am I doing something wrong, or is this just not possible?
Thanks
Jim
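An added example, not part of Jim's post or of any Cisco documentation: the script below checks whether the ACL "corenat1" selects the same packets as the iptables rule it was translated from. It models Cisco wildcard-mask matching (first match wins, implicit deny at the end), models the iptables selector (source 10.5.10.41/32, destination not in 10.5.0.0/16), and runs both over a few constructed packets. The sample addresses are made up for illustration; 203.0.113.x is a documentation range standing in for the public Internet.

```python
# Added example (not from the original thread): does the Cisco ACL "corenat1"
# pick the same packets as the iptables SNAT rule? Sample packets are constructed.
import ipaddress


def cidr_to_cisco_wildcard(cidr: str) -> str:
    """Translate a CIDR prefix (iptables style) into Cisco ACL address form.
    A Cisco wildcard mask is the bitwise inverse of the subnet mask; /32 is 'host X'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def _match_spec(spec: str, addr: str) -> bool:
    """Match one IPv4 address against a Cisco ACL address spec:
    'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' where W is a wildcard mask
    (a 1 bit in the wildcard means 'don't care')."""
    a = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    network, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF  # bits that must match exactly
    return (a & care) == (network & care)


def acl_selects(acl, src: str, dst: str) -> bool:
    """Evaluate an extended ACL top-down; the first matching entry decides.
    True means the packet is handed to 'ip nat inside source list' for translation;
    a 'deny' in a NAT ACL excludes the packet from translation, it does not drop it."""
    for action, src_spec, dst_spec in acl:
        if _match_spec(src_spec, src) and _match_spec(dst_spec, dst):
            return action == "permit"
    return False  # implicit 'deny ip any any' at the end of every Cisco ACL


def iptables_selects(src: str, dst: str) -> bool:
    """The original rule: -s 10.5.10.41/32 -d ! 10.5.0.0/16 -j SNAT ..."""
    s = ipaddress.IPv4Address(src)
    d = ipaddress.IPv4Address(dst)
    return s in ipaddress.ip_network("10.5.10.41/32") and d not in ipaddress.ip_network("10.5.0.0/16")


# The ACL from the post, as (action, source spec, destination spec) tuples.
CORENAT1 = [
    ("deny", "host 10.5.10.41", "10.5.0.0 0.0.255.255"),
    ("permit", "host 10.5.10.41", "any"),
]

# Constructed sample flows (src, dst).
SAMPLE_PACKETS = [
    ("10.5.10.41", "203.0.113.7"),  # to the Internet: should be translated
    ("10.5.10.41", "10.5.20.9"),    # inside 10.5.0.0/16: should not be
    ("10.5.10.41", "10.6.0.1"),     # private, but outside the /16: translated by both
    ("10.5.10.42", "203.0.113.7"),  # a different host: selected by neither
]


def compare(packets=SAMPLE_PACKETS):
    """Return {(src, dst): (cisco_selects, iptables_selects)} for each packet."""
    return {p: (acl_selects(CORENAT1, *p), iptables_selects(*p)) for p in packets}


def rules_agree(packets=SAMPLE_PACKETS) -> bool:
    """True when the ACL and the iptables rule agree on every sample packet."""
    return all(c == i for c, i in compare(packets).values())


if __name__ == "__main__":
    print("iptables prefix 10.5.0.0/16 as Cisco spec:", cidr_to_cisco_wildcard("10.5.0.0/16"))
    for (src, dst), (c, i) in compare().items():
        print(f"{src:>12} -> {dst:<13} cisco={c!s:<5} iptables={i!s:<5}")
    print("ACL matches the iptables rule:", rules_agree())
```

The selectors agree on every sample, so the ACL itself expresses the same "source 10.5.10.41, destination outside 10.5.0.0/16" condition as the iptables rule; note that both the iptables SNAT target and Cisco's "ip nat inside source" rewrite the source address of the packet. Whether translation actually happens on the router also depends on the "ip nat inside" and "ip nat outside" interface roles, which the script does not model.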
09-16-2014 03:25 AM
Can you see the following configuration:
access-list 101 deny ip host 10.5.10.41 10.5.0.0 0.0.255.255
access-list 101 permit ip host 10.5.10.41 any
access-list 1 permit ip host 10.5.10.41
ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.252
ip nat inside source list 1 pool natpool1
interface Fa0/1
ip nat outside
ip access-group 101 out
09-16-2014 04:10 AM
Hi Walter,
Thanks for the interest. Your suggestion will apply the access-group to the interface, and will manage packets going in/out of the interface. My access-list was to direct certain traffic to the NAT rules, not the interface, so that there was no permit/deny on the interface, but a selection of traffic to which NAT-ing was applied... Is my way of working possible?
09-16-2014 05:19 AM
I think that you can use the access-group on the interface for the traffic input/output, and you can use access-list 1 for the traffic that you want to NAT.