01-11-2008 08:31 AM - edited 03-05-2019 08:25 PM
Hello,
Is it possible to run NAT inside on a subinterface (int f0/0.100) and not run NAT on another subinterface (int f0/0.101)?
01-11-2008 11:30 AM
Hi
Wasn't 100% sure myself so I just labbed it up and yes it works fine. As long as you just apply the "ip nat inside" statement to the subinterface only it will work.
Jon
01-11-2008 11:54 AM
Would it be possible to help me with the config? Maybe a post of a working config? I can't seem to get it to work.
Thanks for the response...
Jesse
01-11-2008 12:00 PM
Jesse
Sounds like it may be more of a NAT config issue than a subinterface one. Here is the basic config I used
interface FastEthernet0/0
 ip address 192.168.7.2 255.255.255.252
 ip nat outside
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.9.1.1 255.255.255.240
 ip nat inside
!
interface FastEthernet0/1.41
 encapsulation dot1Q 41
 ip address 172.16.8.1 255.255.255.240
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip host 10.9.1.2 host 192.168.22.2
When you test this could you run
"debug ip nat" - that will show you what is happening with NAT and also
"sh ip nat translations".
Could you also post your config.
Jon
01-11-2008 01:03 PM
Hello,
I will post my config asap. I got called to a customer, but will set up this config on my lab router. Thanks for the response.
One question though... The access list, could I just match my internal nat'd subnet and do this to allow all traffic out
"access-list 101 permit ip any any"
Jesse
01-11-2008 01:08 PM
Jesse
Yes, you can match what you need to in your access-list.
Jon
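An added example, not part of any post in this thread: a small offline check that reads an IOS config, reports which (sub)interfaces have NAT enabled, and flags a NAT source ACL that permits any source, since such an ACL makes every packet arriving on a NAT inside interface eligible for translation rather than only the intended subnet. The function names `nat_roles` and `broad_nat_acls` are hypothetical, and the sample config is constructed from the one posted above.

```python
import re

# Constructed sample: the thread's config (trimmed), with ACL 101 widened
# to the "permit ip any any" form asked about in the follow-up.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.7.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.9.1.1 255.255.255.240
 ip nat inside
!
interface FastEthernet0/1.41
 encapsulation dot1Q 41
 ip address 172.16.8.1 255.255.255.240
!
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip any any
"""

def nat_roles(config):
    """Map each interface to 'inside', 'outside' or None (NAT not enabled)."""
    roles, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = None
        elif current and (m := re.match(r"\s+ip nat (inside|outside)\s*$", line)):
            roles[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # "!" or a global command closes the interface block
    return roles

def broad_nat_acls(config):
    """ACLs referenced by 'ip nat inside source list' that permit any source."""
    used = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    entries = re.findall(r"^access-list (\S+) permit ip (\S+)", config, re.M)
    return sorted({num for num, src in entries if num in used and src == "any"})

if __name__ == "__main__":
    for name, role in nat_roles(SAMPLE).items():
        print(f"{name:20} nat={role}")
    print("NAT ACLs matching any source:", broad_nat_acls(SAMPLE))
```

The parser expects sub-commands to be indented under their interface line, as in a `show running-config` dump.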
01-16-2008 04:31 PM
Hello,
I am also having an issue with a VPN group on my PIX. I have an internal IP range of 192.168.0.0 /24 and when users VPN to the PIX they are getting an IP from a pool of 192.168.99.0/24. Clients that VPN can access everything on the internal network of the PIX, but I need them to be able to access network we have outside the PIX, but still on our network. Also, with the PIX client, users are using the PIX as their gateway to the outside world.
Jesse
01-16-2008 04:33 PM
I meant that users that VPN to the PIX, that are using the Cisco VPN client, are NOT using the PIX as their gateway to the outside world. Internal IP addresses behind the PIX are accessible to the client (192.168.0.xxx), but if I tracert to, let's say, google.com, the tracert goes through my internet connection at home, and not through the network PIX, which is what I need to happen.
Jesse