NAT with two outside interfaces

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccie-routing-switching/nat-with-two-outside-interfaces/

Thank you for this awesome post… keep it up!

Thanks Rene !!

Thank you, this site is awesome.

Rene,

Where can i find Route-Map chapter?

Hi bhargavi,

In our lessons, we used route-maps with different routing protocols for route redistribution and/or filtering. I haven’t found a specific chapter explaining route-maps on our website, but you can see how Rene has used them with different routing protocols in the following 2 lessons:

EIGRP Route-map Filtering
OSPF LSA Type 5 Filtering on Cisco IOS

I can also refer you to this article from the Cisco website, where you can find all the information you need about route-maps:

Route-map explanation from cisco.com

Hope this can help.

Hi Rene,
In the NAT inside source process, routing is performed first, then NAT.
In the example I think we do not need the route map, because every packet passing through the interface will be translated. The following will work.
Please correct me if I am wrong.

NAT(config)#ip nat inside source list 1 int fa 0/1 overload
NAT(config)#ip nat inside source list 1 int fa 1/0 overload

Hello Mahmoud!

Your logic makes sense, however, it wouldn’t work as it should. If you insert the second command you have above, the first one will be overwritten. You require a route map in order to determine: which addresses will be NATed, which outside interface these addresses will be routed from and which NAT translation will occur.

For a proper NAT load balancing configuration with optimized edge routing, take a look at this Cisco support document: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/99427-ios-nat-2isp.html

I hope this has been helpful!

Laz


Hello Laz,

Yes, you are right, but in this case, instead of being overwritten, it will not accept the second statement, and the following message pops up:
%Dynamic mapping in use, cannot change
Thanks
Waqar

Hello Mohammad

Yes, in the case where you would get such an error message, the proper procedure would be to remove the previous NAT command and replace it. More info can be found here:

I hope this has been helpful!

Laz

Hi Laz,
Yes, it's clear. Thanks for the explanation.

//BR
Waqar


Hi there, I have a question: what do I do if I have subinterfaces (VLANs) on the inside side and there is no IP address on the physical interface, just the default gateway for each VLAN? Thank you very much for the answer. That picture with the subinterfaces (sh ip int brief) is from SoDR1. Thank you for any help :-).

Rob

Hello Robert

There is no problem with having no IP address on the physical inside interface. The subinterfaces configured as inside interfaces are what is required. The “inside” configuration of NAT must always be implemented on the interface which acts as the default gateway for that particular subnet, and in this case, that is the subinterfaces. Indeed, NAT wouldn’t work if you had applied it only to the physical interface, so your configuration is correct.

I hope this has been helpful!

Laz

Hi Laz, OK, I can ping the other interfaces 10.0.15.1 and 10.0.16.1 from the PCs, and the loopback as well, but I do not understand why I cannot see the NAT translation and statistics table. Thanks

do sh ip nat stat

Robert

Hello Robert

It seems that your pings are just being routed and not being NAT’ed. This is why you don’t see any NAT translations. It is the access lists that are used to identify which traffic will be NAT’ed and which will not. Verify that your access lists are configured correctly and that the correct traffic is indeed being identified as NAT’able.

I hope this has been helpful!

Laz

Hi Laz, I configured like this:

! all inter-VLANs of one site
ip access-list extended STD_NAT
permit ip 192.168.10.0 0.0.0.255 any

route-map SP1 permit 10
match int e1/0
match ip address STD_NAT

route-map SP2 permit 10
match ip address STD_NAT
match int e1/1

ip nat inside source route-map SP1 int e1/0 overload
ip nat inside source route-map SP2 int e1/1 overload

Robert

Hello Robert

The behaviour you describe indicates that routing and not NAT’ing is taking place, which means that traffic to be NAT’ed is not being identified. This has to do with the ACL and the route map that you configured.

At first glance, I don’t see anything wrong with your configuration. However, one thing I would suggest you try is to use a standard access list instead of an extended one, as some IOS versions don’t seem to like extended ACLs for this purpose. Try that out and let us know.

I hope this has been helpful!

Laz
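As an added example that is not part of this thread or the lesson, here is the shape of the configuration Laz suggests: Robert's two route maps rewritten around a standard ACL, the inside designation on the VLAN subinterface that is the default gateway, and the steps for replacing a NAT statement once translations exist. The subinterface name, VLAN ID, interface masks and the two ISP next-hop addresses are assumed; 10.0.15.1 and 10.0.16.1 are taken from Robert's message and assumed to be the outside interfaces.

```cisco
! Standard ACL in place of the extended one (Laz's suggestion)
ip access-list standard STD_NAT
 permit 192.168.10.0 0.0.0.255
!
! One route map per outside interface. Routing picks the exit first;
! "match interface" then ties the translation to that exit, so the
! packet is translated to the address of the interface it leaves on.
route-map SP1 permit 10
 match ip address STD_NAT
 match interface Ethernet1/0
!
route-map SP2 permit 10
 match ip address STD_NAT
 match interface Ethernet1/1
!
! Inside goes on the subinterface that is the VLAN's gateway (VLAN 10
! and the subinterface name are assumed); the physical interface has
! no IP address and gets no NAT statement.
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Outside on both exits (masks assumed)
interface Ethernet1/0
 ip address 10.0.15.1 255.255.255.0
 ip nat outside
!
interface Ethernet1/1
 ip address 10.0.16.1 255.255.255.0
 ip nat outside
!
ip nat inside source route-map SP1 interface Ethernet1/0 overload
ip nat inside source route-map SP2 interface Ethernet1/1 overload
!
! Two default routes so both exits are used (next hops assumed)
ip route 0.0.0.0 0.0.0.0 10.0.15.2
ip route 0.0.0.0 0.0.0.0 10.0.16.2
!
! Verify after sourcing traffic from a PC in 192.168.10.0/24:
!   show ip nat translations
!   show ip nat statistics   (hits/misses and the dynamic mappings)
!
! To replace a statement once translations exist, clear the table
! first, or IOS answers "%Dynamic mapping in use, cannot change":
!   clear ip nat translation *
!   no ip nat inside source route-map SP1 interface Ethernet1/0 overload
```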