From: Chuah Eng Wee (chuahew@xxxxxxxxxxxxxxx)
Date: Mon Jul 02 2001 - 01:05:54 GMT-3
Hi all,

Below is a sample config we used for testing. Basically, we have an inside
address translating to multiple pools of addresses. The inside interface is
e0. E1 is connected to the outside, but the ip nat outside command is not
applied at e1; it is applied at Loopback4.

For Internet access - translate to one pool
For Intranet access - don't translate
For traffic to SRC-1 - translate to the 90.4.4.10 pool
For traffic to SRC-2 - translate to the 90.2.2.10 pool

HTH
Eng Wee
CCIE #5335
! Loopback4 is the only interface carrying 'ip nat outside'. Traffic that must
! be translated is routed to it, translated there, and then policy-routed out
! Ethernet1 by TRANSLATE-SRC-IP.
interface Loopback4
 ip address 7.7.7.7 255.255.255.255
 ip nat outside
 ip policy route-map TRANSLATE-SRC-IP
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no keepalive
!
! The physical outside link deliberately has no 'ip nat outside'.
interface Ethernet1
 ip address 172.24.6.174 255.255.255.252
!
! SRC-1-NAT and SRC-2-NAT are used without 'overload', so each inside host
! consumes one pool address (41 per pool); INTERNET-NAT is shared by port.
ip nat pool SRC-2-NAT 90.2.2.10 90.2.2.50 netmask 255.255.255.0
ip nat pool SRC-1-NAT 90.4.4.10 90.4.4.50 netmask 255.255.255.0
ip nat pool INTERNET-NAT 61.8.245.125 61.8.245.126 netmask 255.255.255.248
ip nat inside source route-map INTERNET pool INTERNET-NAT overload
ip nat inside source route-map SRC-1 pool SRC-1-NAT
ip nat inside source route-map SRC-2 pool SRC-2-NAT
ip classless
! Anything without a more specific route goes to Loopback4 and is translated.
! The Intranet prefixes exit Ethernet1 directly and never touch an outside
! interface, which is what keeps them untranslated.
ip route 0.0.0.0 0.0.0.0 Loopback4
ip route 10.2.2.0 255.255.255.0 Ethernet1
ip route 10.205.2.0 255.255.255.0 172.24.6.173
! force return traffic for the SRC-2 pool back to lo4 (no equivalent route for
! 90.4.4.0/24 appears in this excerpt)
ip route 90.2.2.0 255.255.255.0 Loopback4
ip route 172.24.0.0 255.255.0.0 Ethernet1
!
! The three ACLs are mutually exclusive on destination, so the order of the
! 'ip nat inside source' statements above does not change the result.
ip access-list extended INTERNET-ACL
 deny ip any 94.1.1.0 0.0.0.255
 deny ip any 95.1.1.0 0.0.0.255
 permit ip any any
ip access-list extended SRC-1-ACL
 permit ip any 95.1.1.0 0.0.0.255
ip access-list extended SRC-2-ACL
 permit ip any 94.1.1.0 0.0.0.255
!
route-map INTERNET permit 10
 match ip address INTERNET-ACL
!
! No match clause: every packet policy-routed on Loopback4 is handed to
! 172.24.6.173 on Ethernet1.
route-map TRANSLATE-SRC-IP permit 10
 set ip default next-hop 172.24.6.173
!
! CONTROL-MAP is not applied to any interface in this excerpt, and CONTROL-ACL
! is not shown.
route-map CONTROL-MAP permit 10
 match ip address CONTROL-ACL
 set interface Loopback4
!
route-map SRC-2 permit 10
 match ip address SRC-2-ACL
!
route-map SRC-1 permit 10
 match ip address SRC-1-ACL
!
At 10:01 AM 6/15/01 -0500, Sam Munzani wrote:
>It sure is a creative way. Even if you don't use it in a real environment,
>it's a good brain exercise to put your knowledge to the test bed.
>
>Sam
>
> > Darren,
> > I seem to remember someone in the TAC had once come up with a really
> > kludgy way to do this (i.e. you should think of a better design to meet
> > your needs) but it went something like this:
> >
> > - policy routing in conjunction with the use of loopbacks
> > - ip nat inside on the incoming interface
> > - policy route the traffic to a loopback
> > - ip nat outside on a loopback
> > - policy route the traffic back out the incoming interface. You may need
> > to use a second loopback to do this, I can't recall the exact method or
> > order of events (I had asked for the config but never received it, it
> > might not have worked).
> >
> > Again, I would never suggest anyone ever do this but it is an interesting
> > exercise in "creative" ways you can do things with Cisco routers. Anyone
> > up to the challenge in figuring it out? I'll buy lunch as the prize for
> > the first person that gives me a working solution. Of course, you have to
> > be coming to RTP for the lab in order to collect... ;-)
> >
> > Brian
> >
> >
> >
> > On Fri, 15 Jun 2001, Darren Hosking wrote:
> >
> > > Is it possible to do "NAT on a stick"? In certain circumstances I want to
> > > have packets enter a router on the inside interface then have NAT applied
> > > and send them back out on the same interface?
> > >
> > > Any suggestions?
> > >
> > > Thanks, Darren
> > > **Please read:http://www.groupstudy.com/list/posting.html
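To see why the posted config translates Internet and SRC-1/SRC-2 traffic but leaves Intranet traffic alone, it helps to walk a few packets through the inside-to-outside order of operations: route first, translate only if the exit interface is 'ip nat outside', then evaluate the 'ip nat inside source route-map' statements. The model below is an added example written for this archive page, not code from Eng Wee's post or from Cisco; the ACLs, routes and pools are copied from the config above, the sample flows (10.1.1.x hosts, destination 203.0.113.9) are constructed, the PAT port counter starting at 1024 is a simplification, and evaluating the NAT statements in configured order is an assumption that happens not to matter here because the three ACLs are mutually exclusive. It also shows the failure mode the non-overload pools carry: the 42nd distinct inside host talking to SRC-1 finds SRC-1-NAT exhausted and is dropped.

```python
"""Walk packets through the NAT-on-a-stick config: static routing, then NAT
only on the 'ip nat outside' exit interface, then route-map/pool selection.
Added example for this thread; data copied from the posted config, flows
and the PAT port counter are constructed/simplified."""
import ipaddress
from itertools import count


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


# Access lists from the posted config; every entry is 'ip any <dst> <wildcard>'.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "INTERNET-ACL": [("deny", "94.1.1.0", "0.0.0.255"),
                     ("deny", "95.1.1.0", "0.0.0.255"),
                     ("permit", *ANY)],
    "SRC-1-ACL": [("permit", "95.1.1.0", "0.0.0.255")],
    "SRC-2-ACL": [("permit", "94.1.1.0", "0.0.0.255")],
}


def acl_permits(name, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, net, wc in ACLS[name]:
        if wildcard_match(dst, net, wc):
            return action == "permit"
    return False


# Static routes from the posted config (next hop 172.24.6.173 is on Ethernet1).
ROUTES = [(ipaddress.ip_network(p), exit_if) for p, exit_if in [
    ("0.0.0.0/0", "Loopback4"), ("10.2.2.0/24", "Ethernet1"),
    ("10.205.2.0/24", "Ethernet1"), ("90.2.2.0/24", "Loopback4"),
    ("172.24.0.0/16", "Ethernet1")]]
NAT_OUTSIDE = {"Loopback4"}          # the only interface with 'ip nat outside'


def exit_interface(dst):
    """Longest-prefix match over the static routes."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


# 'ip nat inside source route-map <map> pool <pool> [overload]'; assumed to be
# evaluated in configured order (irrelevant here: the ACLs do not overlap).
NAT_RULES = [("INTERNET-ACL", "INTERNET-NAT", True),
             ("SRC-1-ACL", "SRC-1-NAT", False),
             ("SRC-2-ACL", "SRC-2-NAT", False)]
POOL_RANGES = {"INTERNET-NAT": ("61.8.245.125", "61.8.245.126"),
               "SRC-1-NAT": ("90.4.4.10", "90.4.4.50"),
               "SRC-2-NAT": ("90.2.2.10", "90.2.2.50")}


class NatRouter:
    def __init__(self):
        self.free = {name: [str(ipaddress.IPv4Address(i))
                            for i in range(int(ipaddress.IPv4Address(lo)),
                                           int(ipaddress.IPv4Address(hi)) + 1)]
                     for name, (lo, hi) in POOL_RANGES.items()}
        self.bindings = {}             # (pool, inside address) -> outside address
        self.next_port = count(1024)   # constructed PAT source-port allocator

    def forward(self, src, dst):
        """Return (verdict, translated source) for one inside-to-outside packet."""
        if exit_interface(dst) not in NAT_OUTSIDE:
            return ("untranslated", src)   # Intranet: never reaches an outside interface
        for acl, pool, overload in NAT_RULES:
            if not acl_permits(acl, dst):
                continue
            if overload:                   # PAT: one pool address shared by port
                return ("translated", f"{self.free[pool][0]}:{next(self.next_port)}")
            key = (pool, src)
            if key not in self.bindings:
                if not self.free[pool]:    # dynamic pool exhausted: packet is dropped
                    return ("dropped", None)
                self.bindings[key] = self.free[pool].pop(0)
            return ("translated", self.bindings[key])
        return ("untranslated", src)       # no NAT statement matched


if __name__ == "__main__":
    r = NatRouter()
    for src, dst in [("10.1.1.5", "203.0.113.9"), ("10.1.1.5", "95.1.1.20"),
                     ("10.1.1.6", "95.1.1.20"), ("10.1.1.5", "94.1.1.3"),
                     ("10.1.1.5", "10.2.2.7")]:    # constructed sample flows
        print(src, "->", dst, r.forward(src, dst))
```

The point the model makes explicit is that "don't translate for Intranet" is not enforced by any ACL (INTERNET-ACL ends in permit ip any any); it falls out of the routing table, so adding an Intranet prefix without a matching static route out Ethernet1 would silently send it through the Internet pool.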
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:28 GMT-3