[c-nsp] NAT question
Barrie Jones Cook
barrie at stevegibbard.com
Wed May 17 13:59:19 EDT 2006
--- Barrie Jones Cook <bleubarrie at yahoo.com> wrote:
> >We have a client needing to NAT outside with one pool but NAT inside
> >with two pools. Maybe I am analyzing this too hard, but I am not
> >making any progress.
> >
> >Anyone else doing this? Is it even possible?
>
> I haven't done this with discontiguous inside ranges, but I would think
> you could do it, using an access-list such as this (inside a route-map
> for PAT):
>
> ip nat pool GLOBAL-ADDR 192.168.27.242 192.168.27.246 prefix-length 29
> ip nat inside source route-map NAT-LIST pool GLOBAL-ADDR overload
>
> route-map NAT-LIST permit 10
>  match ip address 100
> !
>
> access-list 100 permit ip 172.16.0.0 0.0.255.255 any
> access-list 100 permit ip 10.1.0.0 0.0.255.255 any
>
> The reason I put the access-list in a route-map is because back when I
> was doing NAT, we had a problem with PAT and access-lists--I can't find
> the link on CCO now, but there was a whitepaper back then (2002) that
> described our problem exactly, which had something to do with a NAT
> translation being randomly set up for a particular inside address, and
> suddenly you couldn't do overloading. You would clear the translation,
> and everything would be fine for a while until the NAT entry appeared
> again. I can't remember why, but the workaround was just to put the
> access-list in a route-map. Maybe that's not even necessary anymore;
> I don't know.
>
> Anyway, I hope I understood your question. If you need other info,
> here's a NAT overview:
>
> http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml
>
> --Barrie
>