Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
126
Views
0
Helpful
3
Replies

Twice NAT on Cisco 9300 switch?

hmc2500
Level 1
Level 1

‎07-17-2024 09:14 PM - edited ‎07-17-2024 09:16 PM

Is it possible to perform twice NAT on a Catalyst 9300 switch?

Our switch is connected to a DMZ (10.10.10.0/24)

The outside interface of the switch is 10.10.10.1

The inside interface of the switch is 192.168.1.1

THe destination (host 192.168.10.5) is on our internal network but several router hops away.

We do not want to route 10.10.10.0/24 internally.  So the internal host 192.168.10.5 will not know how to route back to the DMZ network. 

 

I would like to NAT the outside local and global address to the internal interface of the switch (192.168.1.1) and then to the destination (192.168.10.5) 

 

So basically I would like to NAT as follows (I'm using 10.10.10.2, a host that is connecting from the outside as an example)

Outside local     Outside global     Inside global     Inside local      

10.10.10.2      10.10.10.2           192.168.1.1      192.168.10.5

 

This would be easy on ASA firewall however I do not see a way to do this on a 9300 switch. 

Can this be done on a 9300 switch?

 

 

Labels:
0 Helpful
3 Replies 3

DanielP211
VIP
VIP

‎07-17-2024 10:27 PM

Hello!

On IOS-XE, a single rule cannot accommodate Twice-NAT (to my knowledge). To achieve this, you need to configure dynamic NAT/PAT for one direction and static NAT for the other.

BR

****Kindly rate all useful posts*****
0 Helpful

MHM Cisco World
VIP
VIP

‎07-18-2024 05:42 AM

you need two nat 
ip nat inside source 
ip nat outside source 

this way you get twice NAT like we use in ASA or FW 

MHM

0 Helpful

hmc2500
Level 1
Level 1

‎07-18-2024 12:50 PM - edited ‎07-18-2024 01:01 PM

hmc2500_0-1721330382836.png

I'm having a hard time with this.

THe DMZ network 10.10.10.0/24 is local to the HQ only and is not advertised to any internal branch sites.

We run BGP between the HQ SwitchA, the WAN router and the branch office SwitchB. 

However since the DMZ network is not advertised to the branch office ServerA does not know how to return traffic from the DMZ network.

I had 2 ideas to make this work but no luck so far:

1)  PAT overload on the inside interface 192.168.1.1 of SwitchA. I could be wrong but I don't see any commands that allow me to configure overload on the inside interface.

I only get an option to use pat overload when I use it with ip nat inside source and not ip nat outside source.

ip nat inside source list 1 interface xx overload

hmc2500_1-1721332864094.png

 

2) Use a 3rd subnet (eg 192.168.100.0/24) to NAT inside and outside.

ip nat inside source static 192.168.10.5 192.168.100.5

ip nat outside source static 10.10.10.2 192.168.100.5

Does not work either.

 

Some more ideas would be appreciated.

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card