Mailing List Archive

[nsp] Cisco NAT for only some outside interfaces?
I have a situation which was thrust upon me and I have not got the
time/equipment to test it, so I need the benefit of the collective
experience.

I have to move my network in a piece and stick it behind someone else's
/28. To preserve my network IPs until we get our own connectivity, I'll be
natting on my edge router to the /28 IPs. However, each of my other
offices will have a standard gre tunnel interface to the edge router, and
I intend to route all the 'internal' inter-office traffic over the tunnels.

My question is basically this:

I can appreciate setting the internal interfaces with 'ip nat inside' and
the main outside interface as 'ip nat outside'. However, if I _don't_ put
'ip nat outside' on my tunnel interfaces, will it do what I want and not
NAT any traffic that it sends through the tunnels? If not, how do I make
the traffic going to the tunnels not get translated while everything else
going through the main interface does get translated?
I can see that if I have to do something clever, using route-maps would be
the way to go, but I can't see how you'd say "depending on the
_destination_ IP/interface, don't translate this traffic".



--
John
Re: [nsp] Cisco NAT for only some outside interfaces?
John Vaughan wrote:

> However, if I _don't_ put
>'ip nat outside' on my tunnel interfaces, will it do what I want and not
>NAT any traffic that it sends through the tunnels?
>
Yes. You will only be NAT'd going from a nat inside interface to a nat
outside interface, and if you meet the NAT acl. Going to/from an
interface that is not nat inside or outside will not result in NAT'ing.

Beware of CPU load when doing lots of NAT.
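
The rule described in the reply above, as an added IOS configuration sketch that is not part of the original thread. All addresses, interface names, the pool name and the ACL number are constructed placeholders, and the deny line in the ACL is an optional extra safeguard rather than something the posters proposed.

```cisco
! Constructed example: every address and interface name is a placeholder.
! Local LAN 10.1.0.0/16, remote office 10.2.0.0/16, provider /28 192.0.2.0/28.
!
interface FastEthernet0/0
 description Local LAN
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1
 description Uplink into the provider /28
 ip address 192.0.2.2 255.255.255.240
 ip nat outside
!
interface Tunnel0
 description GRE to remote office, deliberately left without any ip nat marking
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.10
!
! Only traffic permitted by this ACL is eligible for translation.
! The deny line keeps office-to-office flows out of NAT even if such a
! packet were ever routed out the uplink instead of the tunnel.
access-list 100 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
!
ip nat pool PROVIDER28 192.0.2.3 192.0.2.14 netmask 255.255.255.240
ip nat inside source list 100 pool PROVIDER28 overload
!
! Internet-bound traffic leaves via the nat outside interface and is translated;
! traffic for the remote office is routed into the tunnel and is not.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

After applying a configuration like this, `show ip nat translations` should list entries only for flows leaving via the uplink, and none for 10.2.0.0/16 destinations.
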
RE: [nsp] Cisco NAT for only some outside interfaces?
Since the tunnel is on the inside of your network, put an "ip nat inside"
on it. This will let the router know to not use any translation.
Traffic from "inside" to "inside" interfaces isn't touched by NAT.

I'm also pretty sure just leaving off the "ip nat inside" command will
work, but I haven't tried it to actually be certain.

David

-----Original Message-----
From: John Vaughan [mailto:jvaughan@agency.com]
Sent: Friday, August 02, 2002 11:08 AM
To: cisco-nsp@puck.nether.net
Subject: [nsp] Cisco NAT for only some outside interfaces?





