
NAT Question

Status
Not open for further replies.

dozier

MIS
Apr 17, 2001
88
US
Currently we use the following overload statement to NAT all inside hosts to the global address of the Fa0/0 interface:

Code:
ip nat inside source list 110 interface FastEthernet0/0 overload

This works fine, but I want to do basically the same thing, except that I want the single global address to be something other than the interface address. I've tried creating a pool with one address in it, but I'm getting NAT debug errors when I use it.

Any insight would be appreciated.
 
ip nat inside source list 110 x.x.x.x overload

fa0/0 (inside interface)
ip nat inside

s0/0 (outside interface)
ip nat outside

Where x.x.x.x = your global address

UnaBomber
ccnp mcse2k
 

That doesn't work:

Code:
router(config)#ip nat inside source list 110 172.16.250.4 overload
                                             ^
% Invalid input detected at '^' marker.

router(config)#ip nat inside source list 110 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

router(config)#ip nat inside source list 110

I'm running 12.4.
 
You *should* be able to use a pool with just a single address in it I'd have thought. Not sure why this was not working for you.

Alternatively you may be able to create a loopback interface and assign it the address you want to NAT everything to. Then use the command

ip nat inside source list 110 interface Loopback0 overload

Never tried this myself - let me know how it goes.
 

Yeah, I had thought of the Loopback option, but I haven't tried it yet. Even if it does work, one of the issues there will be that you can't NAT to an address that overlaps with a connected network, but otherwise it may work.

As far as trying to create the pool with one address, one of the things that I don't understand is the netmask or prefix-length part of that command, i.e.:

Code:
ip nat pool test 172.16.250.4 172.16.250.4 netmask 255.255.255.252

It won't allow me to use a host mask (255.255.255.255), which is what I'd think you'd use for a single address, but the smallest it will allow is what I show above.

I'll let you know what I find with the Loopback method.
 

That's the command format: you specify a start address and end address for the pool, but I only want that one address in the pool, so I use it for the start and end.
 
Because the hosts that we talk to on the remote side of the router have host routes for one IP (and not the LAN IP), so I'm trying to figure out how to NAT our sources to that IP so no changes have to be made on the hosts (or firewalls).
 
Alright, I figured it out. For those that are interested:

When defining the following pool:

Code:
ip nat pool test 172.16.250.4 172.16.250.4 netmask 255.255.255.252

The router sees 172.16.250.4 as the network address of the NAT network and therefore will not allow it to be used as a NAT. If I use this:

Code:
ip nat pool test 172.16.250.2 172.16.250.2 netmask 255.255.255.252

or this:

Code:
ip nat pool test 172.16.250.4 172.16.250.4 netmask 255.255.255.248

It works fine.
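
The check described in the last post, as an added example that is not part of the original thread: it parses an `ip nat pool` line and flags any pool address that is the network or broadcast address of the subnet implied by the mask. The function name `check_pool` and the regular expression are assumptions made for this sketch, and the rule it applies is the one the poster reports, not a reading of IOS internals.

```python
import ipaddress
import re

# Matches the "ip nat pool" form used in the thread (netmask or prefix-length).
POOL_RE = re.compile(
    r"^ip nat pool (?P<name>\S+) (?P<start>\S+) (?P<end>\S+) "
    r"(?:netmask (?P<mask>\S+)|prefix-length (?P<plen>\d+))$"
)

# The three pool definitions quoted in the thread.
THREAD_POOLS = [
    "ip nat pool test 172.16.250.4 172.16.250.4 netmask 255.255.255.252",
    "ip nat pool test 172.16.250.2 172.16.250.2 netmask 255.255.255.252",
    "ip nat pool test 172.16.250.4 172.16.250.4 netmask 255.255.255.248",
]


def check_pool(line):
    """Return [(address, reason)] for pool addresses that are the network or
    broadcast address of the subnet implied by the pool's mask."""
    m = POOL_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an 'ip nat pool' line: {line!r}")
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"])
    if end < start:
        raise ValueError("pool end address is below the start address")
    # ipaddress accepts either a dotted netmask or a prefix length after "/".
    prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{m['mask'] or m['plen']}").prefixlen
    problems = []
    for value in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(value)
        # Subnet this address belongs to under the pool's mask.
        subnet = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
        if addr == subnet.network_address:
            problems.append((str(addr), f"network address of {subnet}"))
        elif addr == subnet.broadcast_address:
            problems.append((str(addr), f"broadcast address of {subnet}"))
    return problems


if __name__ == "__main__":
    for pool in THREAD_POOLS:
        print(pool, "->", check_pool(pool) or "ok")
```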
 