04-13-2014 12:17 AM - edited 03-07-2019 07:04 PM
Hi Everyone
Currently studying CCNA. I'm attempting to NAT any machine on an internal interface to an IP address on the WAN interface.
There are machines which connect via Fast 0/0, and both Eth 1/0 sub-interfaces.
Fast 0/1 connects to the internet via 172.25.0.254/24. I'd like to NAT everything from the internal interfaces (2, 3, 4) to 172.25.0.2 when they attempt to access the internet. I do not want them to NAT when they access other machines on the networks (which are locally connected to this router (2621XM)).
The issue at the moment is that the internet router doesn't have a route back for the networks it doesn't have entries for. While writing routes back does fix the problem, I'd like to try it this way too (as a learning exercise).
Does that make sense?
TIA!
04-14-2014 10:35 AM
Yes it does make sense.
1) on fa0/1 you need to add -
ip nat outside
2) on the other interfaces -
ip nat inside
3) create your acl -
access-list 101 permit ip 172.26.0.0 0.0.0.255 any
access-list 101 permit ip 172.26.18.0 0.0.0.255 any
access-list 101 permit ip 172.26.19.0 0.0.0.255 any
4) then add a NAT pool -
ip nat pool <name> 172.25.0.2 172.25.0.2 netmask 255.255.255.252
5) add a NAT statement to tie it altogether -
ip nat inside source list 101 pool <name> overload
the above should allow you to ping between the subnets and only translate the IPs to the pool IP if you are routed to the outside interface.
Note if you find that you cannot ping between subnets then you can modify the acl above to deny traffic between subnets before the permit statements.
However you shouldn't need to do this.
Jon
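The five steps above assembled into one complete IOS configuration, as an added example (this is not the original poster's or Jon's configuration). The ACL subnets, the 172.25.0.2 pool address and the 172.25.0.254 next hop come from the thread; the pool name, which subnet sits on which interface, the dot1Q VLAN ids, the router's own WAN address (172.25.0.1) and the default route are assumptions made to make the example whole:

```cisco
! Added example, not from the thread. Subnet-to-interface mapping, VLAN ids,
! the pool name WANPAT, the WAN address 172.25.0.1 and the default route are assumed.
hostname R1
!
interface FastEthernet0/0
 description Inside LAN (assumed 172.26.0.0/24)
 ip address 172.26.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 no ip address
!
interface Ethernet1/0.18
 description Inside VLAN 18 (assumed 172.26.18.0/24)
 encapsulation dot1Q 18
 ip address 172.26.18.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0.19
 description Inside VLAN 19 (assumed 172.26.19.0/24)
 encapsulation dot1Q 19
 ip address 172.26.19.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN towards internet router 172.25.0.254 (own address assumed)
 ip address 172.25.0.1 255.255.255.0
 ip nat outside
!
! Everything not locally connected goes to the internet router.
ip route 0.0.0.0 0.0.0.0 172.25.0.254
!
! Which inside sources are eligible for translation.
access-list 101 permit ip 172.26.0.0 0.0.0.255 any
access-list 101 permit ip 172.26.18.0 0.0.0.255 any
access-list 101 permit ip 172.26.19.0 0.0.0.255 any
!
! Single-address pool; "overload" gives PAT so all inside hosts share 172.25.0.2.
ip nat pool WANPAT 172.25.0.2 172.25.0.2 netmask 255.255.255.252
ip nat inside source list 101 pool WANPAT overload
!
end
```

Two things worth checking after applying it. First, traffic between the three inside subnets is never translated regardless of the ACL, because an inside-source translation is only evaluated when a packet is routed from an `ip nat inside` interface to an `ip nat outside` interface; that is why Jon's "deny between subnets" lines are normally unnecessary. Second, verify with `show ip nat translations` (one entry per inside host/port after it has sent traffic to the internet) and `show ip nat statistics` (confirms which interfaces are inside/outside and which ACL and pool are in use). Because the pool is used with `overload` and no static entries exist, sessions are only created by traffic initiated from the inside, so nothing on the WAN side can reach an inside host through 172.25.0.2 unless an inside host opened that flow first.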
04-17-2014 04:13 PM
That worked perfectly, thank you!