3 Replies Latest reply: Jul 1, 2013 6:18 AM by BRAD

    ip nat inside source list

    Alexandr

      Hello, guys.

      I got into a situation that I can't figure out myself.


      Let's assume we have a router with two interfaces with 10.10.10.0/24 network behind fa0/0:

      fa0/0 - ip nat inside

      fa0/1 - ip nat outside


      We want to do a simple overloaded NAT:

      ip nat inside source list NAT_ACL interface FastEthernet0/1 overload


      Let's say I want to give a host 10.10.10.7 permission to ping the outside world and nothing more (ICMP only).

      My first idea was to write a permit rule in the NAT_ACL:

      permit icmp host 10.10.10.7 any


      But it doesn't work and I don't understand why. Can someone give me a clue on this?


      permit ip host 10.10.10.7 any

      works perfectly fine for both tcp/udp and icmp connections.

        • 1. Re: ip nat inside source list
          Sey

          The NAT_ACL is a so-called qualifying access list. It just tells the router which hosts are eligible for natting. You can't use it for filtering. Create another ACL for filtering and apply it to fa0/0 with the (config-if)#access-group command.

          • 2. Re: ip nat inside source list
            Alexandr

            Sey,

            Yes, I do understand this. But at the same time I can specify protocol/port and destination address in this qualifying access list. For example:

            permit tcp host 10.10.10.7 12.13.14.15 eq 22


            If they make this possible, why not allow selecting ICMP packets for NAT? This seems like a wrong design to me.


            I simplified my configuration to work out this problem, but in fact I have three interfaces and multiple GRE tunnels to the partners' networks that the host 10.10.10.7 needs to have access to.


            In case of creating an incoming access list (ip access-group acl-name in) on fa0/0 I'll have to explicitly specify all the (partners') networks that this host can access and ICMP to any.

            Is there another workaround?

            • 3. Re: ip nat inside source list
              BRAD

              The optional keyword overload enables port translation for UDP and TCP.
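Sey's suggestion applied to the setup from the question, as an added configuration example that is not taken from any of the posts: the NAT ACL only qualifies 10.10.10.7 for translation, while a separate inbound ACL on fa0/0 does the actual filtering. The filtering ACL name FILTER_IN and the partner network 192.0.2.0/24 are assumed placeholders, and the other hosts in 10.10.10.0/24 are not covered here.

```cisco
! Qualifying ACL: decides only WHICH sources get translated, not what they may do.
! Keep it protocol-agnostic so ICMP, TCP and UDP from the host are all NAT candidates.
ip access-list extended NAT_ACL
 permit ip host 10.10.10.7 any
!
! Filtering ACL (assumed name). Applied inbound on the inside interface it is
! evaluated before NAT and before routing, so it sees the inside-local address
! and also catches traffic that will leave through the GRE tunnels.
ip access-list extended FILTER_IN
 remark 10.10.10.7 may ping anywhere
 permit icmp host 10.10.10.7 any
 remark 10.10.10.7 gets full IP access only to each partner network (placeholder)
 permit ip host 10.10.10.7 192.0.2.0 0.0.0.255
 remark everything else from this host is dropped and logged; the implicit
 remark deny at the end of the ACL would drop it silently otherwise
 deny ip host 10.10.10.7 any log
!
interface FastEthernet0/0
 ip nat inside
 ip access-group FILTER_IN in
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source list NAT_ACL interface FastEthernet0/1 overload
```

Verify the split with `show ip nat translations` (the host's ICMP sessions appear once NAT_ACL matches) and `show ip access-lists FILTER_IN` (the hit counters show which filtering line each flow matched).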