03-13-2023 09:21 AM - edited 03-25-2023 11:53 PM
Hi, on IOS XE I have this config:
interface Vlan100
 ip address 1.1.1.2 255.255.255.248 secondary
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
interface Vlan200
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
interface Vlan300
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
ip nat pool rm_nat_vlan100-secondary 1.1.1.2 1.1.1.2 prefix-length 29
ip nat inside source route-map rm_nat_vlan100-main interface Vlan100 overload
ip nat inside source route-map rm_nat_vlan100-secondary pool rm_nat_vlan100-secondary overload
route-map rm_nat_vlan100-main permit 10
 match ip address NAT-vlan200
 match interface Vlan100
route-map rm_nat_vlan100-secondary permit 10
 match ip address NAT-vlan300
 match interface Vlan100
ip access-list extended NAT-vlan200
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended NAT-vlan300
 permit ip 192.168.200.0 0.0.0.255 any
Maybe somebody knows how I can repeat this in an SD-WAN config?
Accepted Solutions

03-28-2023 12:29 AM
Hi,
Conditional NAT is not supported for DIA (direct internet access) NAT.
You cannot even have pool and interface NAT for the same underlay (VPN0) interface.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
03-26-2023 10:14 PM
Nobody knows?

03-27-2023 02:48 PM
Hi,
Could you explain a bit what you want to achieve exactly?
If it is DIA NAT, then pool and interface NAT on the same interface are not supported:
Restrictions for NAT DIA
A NAT mapping can have an interface overload, an interface DIA pool, or an interface loopback. Multiple NAT mappings cannot exist for the same interface.
If it is service side NAT, you may have only pool configuration:
Restrictions for Service-Side NAT
Only NAT pool translations are supported.
Try to create 2 pools if it is service-side NAT (although I didn't get what the VLAN 100 interface is; is it underlay?).
Please rate and mark as an accepted solution if you have found any of the information provided useful.
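An added pre-migration check (example code, not from Cisco or from any poster in this thread) that scans the legacy IOS XE NAT statements from the opening post against the two DIA NAT restrictions quoted above: conditional (route-map) NAT is not supported, and only one NAT mapping may exist per interface. The regex, the function names and the embedded sample config are constructed for this example.

```python
import re

# Constructed sample: the NAT statements from the opening post (Vlan100 is the underlay/outside side).
LEGACY_CONFIG = """\
ip nat pool rm_nat_vlan100-secondary 1.1.1.2 1.1.1.2 prefix-length 29
ip nat inside source route-map rm_nat_vlan100-main interface Vlan100 overload
ip nat inside source route-map rm_nat_vlan100-secondary pool rm_nat_vlan100-secondary overload
route-map rm_nat_vlan100-main permit 10
 match ip address NAT-vlan200
 match interface Vlan100
route-map rm_nat_vlan100-secondary permit 10
 match ip address NAT-vlan300
 match interface Vlan100
"""

# Matches the two 'ip nat inside source' forms seen in the thread: ACL-based and route-map-based,
# each translating either to an interface address or to a pool, optionally with overload (PAT).
NAT_RE = re.compile(
    r"^ip nat inside source (?:list (?P<acl>\S+)|route-map (?P<rmap>\S+)) "
    r"(?:interface (?P<iface>\S+)|pool (?P<pool>\S+))(?P<overload> overload)?$"
)

def parse_nat_mappings(config):
    """One dict per NAT statement; route-map mappings get their egress interface from 'match interface'."""
    rmap_iface, current = {}, None
    for line in config.splitlines():
        if line.startswith("route-map "):
            current = line.split()[1]
        elif current and line.strip().startswith("match interface "):
            rmap_iface[current] = line.split()[-1]
        elif not line.startswith((" ", "match ", "set ")):
            current = None            # any other top-level line ends the route-map stanza
    mappings = []
    for m in filter(None, map(NAT_RE.match, config.splitlines())):
        d = m.groupdict()
        d["egress"] = d["iface"] or rmap_iface.get(d["rmap"])
        mappings.append(d)
    return mappings

def dia_nat_findings(config):
    """Report what cannot move to SD-WAN DIA NAT unchanged, per the restrictions quoted in the thread."""
    findings, by_iface = [], {}
    for m in parse_nat_mappings(config):
        if m["rmap"]:
            findings.append(f"route-map {m['rmap']}: conditional NAT is not supported for DIA NAT")
        by_iface.setdefault(m["egress"], []).append(m)
    for iface, ms in by_iface.items():
        if iface and len(ms) > 1:
            kinds = ", ".join("interface overload" if m["iface"] else f"pool {m['pool']}" for m in ms)
            findings.append(f"{iface}: {len(ms)} NAT mappings ({kinds}); DIA NAT allows one per interface")
    return findings
```

Running `dia_nat_findings(LEGACY_CONFIG)` flags both route-map mappings and the two mappings that resolve to Vlan100, while a single ACL-based interface overload on Vlan100 produces no findings.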
03-27-2023 05:19 PM
Hello, thanks for answering. VLAN 100 is underlay; in the legacy environment we send our traffic through different outside IP addresses (we get a public /29 network from the ISP and use two IPs of it for NAT).
Above is an example of how we do it.
And now I am thinking about how I can do the same config when the edge is managed by SD-WAN.

04-18-2023 07:18 AM
Guys, I hope this topic is still alive. I have the same issue and got confused. The task sounds like this: provide a dedicated public IP address to some server (let's imagine that it's an oVPN node). The design is: a cEdge (C8300) router, the cable from the ISP is plugged directly into interface gi0/0/0, and the ISP gives us a /29 subnet. We took one IP for VPN0 as NAT DIA and also have several service VPNs, and the server is in one of them. The aim is providing 1-to-1 NAT (as it was in legacy style). This is all. And now I will get annoying, so sorry for my French in advance, because in legacy-style networks I could do this in around 5 minutes with only 1 device like a $50 Mikrotik or a Cisco router with IOS onboard, whatever, but now, after buying the newest SD-WAN appliance for thousands of bucks, I can't solve the simplest daily task, and the only thing I can get from Cisco is "sorry, it isn't supported". WTF. Maybe it's my bad and I don't know how to configure it, but please, if anyone knows the secret, share this secret knowledge. Note that we don't consider more complex schemas like with 2 cEdges, TLOC-Ext, NAT DIA trackers etc. Let's try to solve it with the simple config.
Thanks!
04-18-2023 01:59 PM
Hi,
You can have NAT overload to the interface and static 1:1 NAT from the interface. It is supported.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
04-18-2023 08:01 PM
Yes, it is not flexible and does not have as many features as legacy now.
For me it's a shame I can't use it, because I need to go to some clients via a secondary public IP (PAT). Cisco SD-WAN can't do it now.
By the way, which vManage version do you use?
I have vManage 20.9.2.1 and there is a static NAT option with the ability to use a source VPN.
For example, I have an interface in VPN 0:
Gi0/0/0
 des WAN
 ip address 1.1.1.1 255.255.255.248
and I can make 1-to-1 NAT for 192.168.100.254 via 1.1.1.2 for service VPN 10.
04-18-2023 02:34 PM
Hmm, could you share a guide please? AFAIK you can't use a secondary IP from the NAT (public) interface for 1:1 NAT, right? I mean we configured 1 public IP from the /29 pool on interface gi0/0/0 (PAT), for instance; how can we use another IP from the /29 pool? Should we configure it as a secondary first, or? It would be great if you have instructions. Thanks!
04-18-2023 10:33 PM
Hi,
No need to configure a secondary IP if the IP is from the same subnet. Just configure 1:1 NAT.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
04-19-2023 06:08 AM
Do you want to say that I can use any free address from the ISP pool that I took the VPN0 IP from, and it will start working automatically? Do you have an example config or a link to any docs which prove it? It would be great if it's true.
Thanks!
04-19-2023 07:27 AM
I answered you with an example; have you tried it?
04-20-2023 05:11 AM
Will try in a lab, thanks!
