[c-nsp] NAT on one interface

Michael Malitsky malitsky at netabn.com
Thu Aug 23 12:32:53 EDT 2007


I am doing this on a 7206VXR/NPE400, the gateway link is a T1 that I
don't expect to saturate.  Given this, should I still worry about
performance?

The bigger question is actually getting it to work.  I've tried following
the suggested kludge and came up with the following:

_______________________________________________________________
interface Loopback2
 description Virtual NAT interface 
 ip address 10.0.224.17 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NATpolicy

interface Serial1/0/18:0
 description This is the gateway to external network
 ip address 66.174.183.218 255.255.255.252
 ip nat outside
 ip virtual-reassembly

ip route 166.159.223.192 255.255.255.192 Loopback2
ip route 166.244.16.128 255.255.255.192 Loopback2
ip route 198.224.199.152 255.255.255.248 Loopback2

ip nat inside source static 192.168.12.170 198.224.199.153

ip access-list extended NATpolicyACL
 permit ip 192.168.12.0 0.0.0.255 166.159.223.192 0.0.0.63
 permit ip 192.168.12.0 0.0.0.255 166.244.16.128 0.0.0.63
 permit ip 192.168.12.0 0.0.0.255 66.174.183.216 0.0.0.3

route-map NATpolicy permit 10
 match ip address NATpolicyACL
 set ip next-hop 66.174.183.217
_____________________________________________________________

Doesn't work - route-map shows no hits at all.  Any help appreciated.

Thanks,
Michael Malitsky

> Message: 9
> Date: Wed, 22 Aug 2007 16:31:02 -0400
> From: Rodney Dunn <rodunn at cisco.com>
> Subject: Re: [c-nsp] NAT on one interface
> To: Joe Maimon <jmaimon at ttec.com>
> Cc: Michael Malitsky <malitsky at netabn.com>, cisco-nsp at puck.nether.net,
> 	"Church,	Charles" <cchurc05 at harris.com>
> 
> Bad idea because it causes process switching.
> 
> Don't expect high throughput out of it.
> 
> Rodney
> 
> On Wed, Aug 22, 2007 at 03:40:55PM -0400, Joe Maimon wrote:
> > nat on a stick
> > 
> > 
> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
> > 
> > Church, Charles wrote:
> > 
> > > Yeah, it's possible to policy route the traffic to a loopback that has
> > > nat inside configured on it, and then out the normal interface.  It's
> > > kludgy, but it'll work, I think.
> > > 
> > > 
> > > Chuck 
> > > 
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
> > > Sent: Wednesday, August 22, 2007 3:12 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] NAT on one interface
> > > 
> > > Hello,
> > > 
> > > I am trying to figure out if it's possible to configure NAT in IOS on
> > > just one interface.  Specifically, say I need to translate traffic flows
> > > between X.X.X.X and Y.Y.Y.Y.  Y.Y.Y.Y is reachable through one
> > > interface, which is my gateway to the "other" network.  However, X.X.X.X
> > > can be reached through multiple interfaces.  Normal NAT configuration
> > > requires me to specify "nat inside" and "nat outside" interfaces.  I
> > > can certainly specify the gateway interface to Y.Y.Y.Y as "nat outside",
> > > but I don't want to set a bunch of other interfaces as "nat inside" (nor
> > > do I want to involve them in NAT processing at all).  Is there any other
> > > way?
> > > 
> > > Thanks,
> > > Michael Malitsky
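The loopback trick the replies point at ("NAT on a stick"), written out as an added example.  This is not the poster's configuration and not the text of the Cisco tech note; it uses the public prefixes, the outside interface and the static translation from the original post, while the LAN interface name, the loopback /30, the 10.0.224.18 next-hop address and the default route are assumptions.  The point of the pattern is that the loopback is the only interface marked `ip nat inside`, and the policy route-map is attached to the interface the untranslated packets arrive on, because policy routing acts on packets as they enter an interface:

```cisco
! Added example (not the poster's config): IOS "NAT on a stick" for the
! scenario in the thread.  Assumed: FastEthernet0/0, the 10.0.224.16/30
! loopback subnet, next-hop 10.0.224.18 and the default route.
!
! The loopback is the one and only "ip nat inside" interface.
interface Loopback2
 description Virtual NAT inside interface
 ip address 10.0.224.17 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
! Hypothetical LAN interface where the inside hosts enter the router.
! It is NOT marked "ip nat inside"; it only diverts the flows that need
! translation towards the loopback.  The same "ip policy route-map" line
! goes on every interface those hosts can arrive on.
interface FastEthernet0/0
 description Inside LAN (one of several)
 ip address 192.168.12.1 255.255.255.0
 ip policy route-map NATloop
!
! The single gateway link stays the only "ip nat outside" interface.
interface Serial1/0/18:0
 description Gateway to external network (NAT outside)
 ip address 66.174.183.218 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
! Divert only the host that actually has a translation, and only towards
! the remote prefixes that need it; everything else stays on the fast path.
ip access-list extended NATloopACL
 permit ip host 192.168.12.170 166.159.223.192 0.0.0.63
 permit ip host 192.168.12.170 166.244.16.128 0.0.0.63
!
! 10.0.224.18 is the unused address in the loopback's /30 (assumed).
! Forwarding to it sends the packet "out" Loopback2, so it is looped back
! and re-received on an "ip nat inside" interface.
route-map NATloop permit 10
 match ip address NATloopACL
 set ip next-hop 10.0.224.18
!
! After the loop the packet is routed normally (assumed default route)
! out the outside interface, and inside-to-outside translation applies.
! Replies enter Serial1/0/18:0 (outside) and are translated back before
! routing, so the return path does not need the loop.
ip route 0.0.0.0 0.0.0.0 66.174.183.217
ip nat inside source static 192.168.12.170 198.224.199.153
```

To check it, `show route-map NATloop` should show policy matches climbing for the diverted flow, `show ip nat translations` should list the static entry with active sessions, and `debug ip policy` on a lab box shows each packet being policy-routed to 10.0.224.18.  Keep the ACL as narrow as the translations it feeds: every packet it matches takes the loop and is process switched, which is the throughput warning in Rodney's reply, so watch `show processes cpu` once real traffic flows.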