NAT out one interface but not the other with IOS?

cmorledge
Level 1

I originally posted this in the "Firewalls" section, but it was suggested that I take this issue to the "Routing" section.....

I am trying to figure out how to use a Cisco 1841 IOS router to take traffic from one interface and source NAT it out towards the Internet on one interface and at the same time NOT perform NAT when sending the traffic towards a different routed interface.   Something like this:

    RemoteSite (an extension to Main Campus)
        |
        |
      Fa0/1
        |
    Cisco1841 --- Fa0/0/0 ------------------- Public Internet (NAT all outbound traffic from "Remote Site",
        |                                                       no need to NAT from Main Campus)
      Fa0/0
        |
    MainCampus

Here the RemoteSite has connectivity back to the MainCampus, but there is no need to NAT traffic from the one site to the other.   They share the same umbrella of address space.   However, the RemoteSite needs to have its Internet-bound traffic NAT'ed out to the Public Internet via a third interface. 

I know that I could just NAT everything out from the Remote Site and map the traffic back onto the same address space for intra-campus communication, but I'd rather avoid that and just NAT where I need to NAT it to the Internet.

I do have a caveat here:   in the event that either the MainCampus or the Public Internet interface goes down, I would like to fail over traffic from the downed link to the other good link.  For example, I want to NAT all traffic (including "intra-campus" traffic) out via the Public Internet if the direct link to the MainCampus is down.  For the other example, if the Public Internet direct link is down, I would just send out all traffic without NAT towards the MainCampus.

Any ideas?

Thank you.

Clarke Morledge

College of William and Mary

3 Replies

Latchum Naidu
VIP Alumni

Hi Clarke,

What I understand is that you have remote site and hub site communication over the Internet, maybe a VPN tunnel.
So when the remote site is accessing the hub site, that does not need to be NATed, and everything else should be NATed.
Is that what you are looking for?

Please rate all the helpful posts.
Regards,
Naidu.

Naidu,

With respect to the NAT, it really does not matter what the link is between the main campus and remote site.  It could be a GRE/VPN tunnel across the Internet or it could be a separate physical link, as it is in my case.  In my case, I am also hoping to leverage the two separate links for failover/backup purposes; i.e. if one goes down, traffic will use the other link. But the point is that I want to NAT traffic from one interface going out the Internet interface but NOT NAT traffic going from the respective "one interface" out the third, main campus interface.   This rule should hold true regardless of the active/inactive status of the links.

Most configuration examples I find on the Cisco website show NAT from multiple inside interfaces to a single outside interface, which isn't exactly the scenario I am describing.

Clarke

To answer my own posting, just for the sake of closure, the answer is simply to NOT put an "ip nat" statement on the "Main Campus" interface configuration.    Even though "ip nat inside" is configured on the inside interface, it will not do NAT going out an interface which is not configured to do "ip nat outside".

Not the most intuitive way to do this, but it appears to be working correctly for me.

Clarke
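An added example of the configuration described in this thread, written for this edit rather than taken from Clarke's router. The interface numbers follow the diagram in the question; all IP addresses, the next-hop addresses, the ACL name and the administrative distance of the backup routes are assumed for illustration:

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   Fa0/1   remote site LAN       10.20.0.0/16                 -> "ip nat inside"
!   Fa0/0   link to main campus   10.1.1.2/30, next hop 10.1.1.1 -> NO "ip nat" statement
!   Fa0/0/0 Internet uplink       203.0.113.2/30, ISP next hop 203.0.113.1 -> "ip nat outside"
!
interface FastEthernet0/1
 description Remote site LAN
 ip address 10.20.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/0
 description Link to main campus (deliberately no "ip nat inside" or "ip nat outside")
 ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! IOS translates a packet only when it enters an "ip nat inside" interface
! and leaves an "ip nat outside" interface. A packet routed from Fa0/1 to
! Fa0/0 never meets an outside interface, so it keeps its 10.20.x.x source.
ip access-list standard REMOTE-SITE-NAT
 permit 10.20.0.0 0.0.255.255
!
ip nat inside source list REMOTE-SITE-NAT interface FastEthernet0/0/0 overload
!
! Routing, not NAT, decides which interface a packet leaves, and therefore
! whether it is translated. Campus prefix via the direct link, default via
! the Internet; the floating static routes (assumed distance 250) are only
! installed when the primary route's interface goes down, so campus-bound
! traffic falls back to the NATed Internet path and Internet-bound traffic
! falls back to the campus link untranslated, as the question asks for.
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 10.0.0.0 255.0.0.0 203.0.113.1 250
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 10.1.1.1 250
```

To confirm the roles, `show ip nat statistics` lists which interfaces are "Inside" and "Outside" (Fa0/0 should appear in neither list), and `show ip nat translations` should only ever show entries for flows that left Fa0/0/0. Two caveats worth keeping in mind: the floating static routes above fail over only when the primary interface actually goes down (a static route whose next hop sits on a connected subnet is withdrawn from the routing table when that interface drops); a far-end failure that leaves the local link up needs something like IP SLA tracking on the primary route. And NAT on Fa0/0/0 is not a packet filter, so an inbound access list on the Internet interface is still needed regardless of how the translation is set up.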
