NAT based on destination

Discussion in 'Cisco' started by Sorin Platon, Sep 13, 2004.

  1. Sorin Platon

    Sorin Platon Guest

    Hello

    I'm trying to configure my router to do NAT based on destination.
    The destination is one host 1.1.1.1 (real IP address of the host)

    2.2.2.2 (destination IP address of my clients)

    My clients connect through interface vlan 3
    The destination is vlan 21

    my config is as is:

    ip nat pool NAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252 type rotary
    ip nat inside destination list 99 pool NAT

    acl 99
    permit 2.2.2.2

    vlan 3
    ip nat in


    vlan 21
    ip nat out


    this should be read as:
    "
    when the NAT inside interface sees frames where the destination matches ACL 99
    and the traffic is going out the ip nat out interface then translate to COROUTE pool
    "

    Am I missing something or is something wrong in my NAT configuration?
    The 1.1.1.1 network is directly connected to my vlan interface.

    Does NAT come before or after the routing decision?

    Regards
    Sorin Platon, Sep 13, 2004
    #1

  2. Hansang Bae

    Hansang Bae Guest

    In article <>,
    says...
    > Hello
    >
    > I'm trying to configure my router to do NAT based on destination.
    > The destination is one host 1.1.1.1 (real IP address of the host)
    >
    > 2.2.2.2 (destination IP address of my clients)
    >
    > My clients connect through interface vlan 3
    > The destination is vlan 21
    >
    > my config is as is:
    >
    > ip nat pool NAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252 type rotary
    > ip nat inside destination list 99 pool NAT
    >
    > acl 99
    > permit 2.2.2.2
    >
    > vlan 3
    > ip nat in
    >
    >
    > vlan 21
    > ip nat out
    >
    >
    > this should be read as:
    > "
    > when the NAT inside interface sees frames where the destination matches ACL 99
    > and the traffic is going out the ip nat out interface then translate to COROUTE pool
    > "
    >
    > Am I missing something or is something wrong in my NAT configuration?
    > The 1.1.1.1 network is directly connected to my vlan interface.
    >
    > Does NAT come before or after the routing decision?



    If you want to change the destination IP address going from inside to
    outside, you want to use the "ip nat outside" syntax. Go to Cisco and
    look for "nat order of operation":

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Sep 14, 2004
    #2

  3. AnyBody43

    AnyBody43 Guest

    (Sorin Platon) wrote
    > I'm trying to configure my router to do NAT based on destination.
    > The destination is one host 1.1.1.1 (real IP address of the host)
    >
    > 2.2.2.2 (destination IP address of my clients)
    >
    > My clients connect through interface vlan 3
    > The destination is vlan 21
    >
    > my config is as is:
    >
    > ip nat pool NAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252 type rotary
    > ip nat inside destination list 99 pool NAT
    >
    > acl 99
    > permit 2.2.2.2
    >
    > vlan 3
    > ip nat in
    >
    >
    > vlan 21
    > ip nat out
    >
    >
    > this should be read as:
    > "
    > when the NAT inside interface sees frames where the destination matches ACL 99
    > and the traffic is going out the ip nat out interface then translate to COROUTE pool
    > "
    >
    > Am I missing something or is something wrong in my NAT configuration?
    > The 1.1.1.1 network is directly connected to my vlan interface.
    >
    > Does NAT come before or after the routing decision?
    >
    > Regards


    I do not know what "type rotary" is however the rest looks not bad
    with the critical exception that you are using a
    "Standard" access-list which matches SOURCE addresses. All
    standard access lists match source addresses.

    You need an Extended access-list

    access-list 99 permit ip any host 2.2.2.2

    As to the before or after question, the most essential document
    on CCO can be found by searching on [ nat order of operation ].
    Lists order of operation for routing, ACLs, NAT, Crypto .....

    Also note that it is possible to do tricks with nat using
    policy routing and loopback interfaces. e.g make the loopback
    interface a NAT Inside interface and use policy routing to
    send the traffic to it. Or don't make the loopback interface
    a NAT interface and use policy routing to send the traffic to it.
    AnyBody43, Sep 14, 2004
    #3
  4. Walter Roberson

    In article <>,
    AnyBody43 <> wrote:
    :I do not know what "type rotary" is however the rest looks not bad
    :with the critical exception that you are using a
    :"Standard" access-list which matches SOURCE addresses. All
    :standard access lists match source addresses.

    :You need an Extended access-list

    :access-list 99 permit ip any host 2.2.2.2

    99 is part of the standard access list range (1-99, 1201-1999).

    You need 100-199 or 2000-2699 for an extended access list.
    --
    "Meme" is self-referential; memes exist if and only if the "meme" meme
    exists. "Meme" is thus logically a meta-meme; but until the existence
    of meta-memes is more widely recognized, "meta-meme" is not a meme.
    -- A Child's Garden Of Memes
    Walter Roberson, Sep 14, 2004
    #4
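
    An added example, not part of any post in this thread: a small config audit for the two ACL points raised in replies #3 and #4 (a standard list behind a destination NAT rule, and extended syntax under a standard number). The issue labels and sample lines are constructed, the number ranges (1-99 and 1300-1999 standard, 100-199 and 2000-2699 extended) are taken from Cisco IOS documentation, and the check says nothing about whether the NAT direction itself is right.

```python
import re

# Numbered IP ACL ranges per Cisco IOS documentation (assumption of this example).
STANDARD = [(1, 99), (1300, 1999)]
EXTENDED = [(100, 199), (2000, 2699)]
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp"}  # first token of an extended entry

NAT_DEST = re.compile(r"^ip nat inside destination list (\d+) pool (\S+)")
ACL_LINE = re.compile(r"^access-list (\d+) (?:permit|deny) (\S+)")


def acl_kind(number):
    """Classify a numbered IP ACL as 'standard', 'extended' or 'unknown'."""
    if any(lo <= number <= hi for lo, hi in STANDARD):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED):
        return "extended"
    return "unknown"


def audit(config):
    """Return (issue, acl_number) pairs for the two mistakes discussed in the thread."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        nat = NAT_DEST.match(line)
        if nat and acl_kind(int(nat.group(1))) == "standard":
            # A standard ACL matches source addresses, so it cannot select by destination.
            findings.append(("nat-list-is-standard", int(nat.group(1))))
        acl = ACL_LINE.match(line)
        if acl and acl_kind(int(acl.group(1))) == "standard" and acl.group(2) in PROTOCOLS:
            # Protocol keyword = extended syntax, but the number is in a standard range.
            findings.append(("extended-syntax-standard-number", int(acl.group(1))))
    return findings


# Constructed inputs: the thread's fragments written out as full IOS lines.
NAT_RULE = "ip nat inside destination list {n} pool NAT\n"
POSTED = NAT_RULE.format(n=99) + "access-list 99 permit 2.2.2.2\n"
SUGGESTED = NAT_RULE.format(n=99) + "access-list 99 permit ip any host 2.2.2.2\n"
RENUMBERED = NAT_RULE.format(n=100) + "access-list 100 permit ip any host 2.2.2.2\n"

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("suggested", SUGGESTED), ("renumbered", RENUMBERED)]:
        print(name, audit(cfg))
```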