3 Replies Latest reply: Jul 1, 2013 6:18 AM by BRAD

    ip nat inside source list


      Hello, guys.

      I got into a situation that I can't figure out myself.


      Let's assume we have a router with two interfaces, with the network behind fa0/0:

      fa0/0 - ip nat inside

      fa0/1 - ip nat outside


      We want to do a simple overloaded NAT:

      ip nat inside source list NAT_ACL interface FastEthernet0/1 overload


      Let's say I want to give a host permission to ping the outside world and nothing more (ICMP only).

      My first idea was to write a permit rule in the NAT_ACL:

      permit icmp host any


      But it doesn't work and I don't understand why. Can someone give me a clue on this?


      permit ip host any

      works perfectly fine for both tcp/udp and icmp connections.

        • 1. Re: ip nat inside source list

          The NAT_ACL is a so-called qualifying access list. It just tells the router what hosts are eligible for natting. You can't use it for filtering. Create another ACL for filtering and apply it to fa0/0 with the (config-if)#access-group command.

          • 2. Re: ip nat inside source list


            Yes, I do understand this. But at the same time I can specify protocol/port and destination address in this qualifying access list. For example:

            permit tcp host eq 22


            If they make this possible, why not allow selecting ICMP packets for NAT? This seems like a wrong design to me.


            I simplified my configuration to work out this problem, but in fact I have three interfaces and multiple GRE tunnels to the partners' networks that the host needs to have access to.


            If I create an incoming access list (ip access-group acl-name in) on fa0/0, I'll have to explicitly specify all the (partners') networks that this host can access, and ICMP to any.

            Is there another workaround?

            • 3. Re: ip nat inside source list

              The optional keyword overload enables port translation for UDP and TCP.
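
              The split that reply 1 describes (qualifying ACL for NAT, separate ACL for filtering), written out as an added example; it is not configuration from this thread. Addresses are constructed: 192.168.1.10 is the ICMP-only host, 192.168.1.0/24 the inside LAN, 10.10.0.0/16 a partner network reached over a GRE tunnel whose interface is deliberately not marked ip nat outside.

```cisco
! Qualifying ACL: decides only WHICH inside-local sources are eligible
! for translation. Nothing here filters traffic.
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list NAT_ACL interface FastEthernet0/1 overload

! Filtering ACL, applied inbound on the inside interface. For inside-to-
! outside traffic IOS evaluates the inbound ACL before NAT, so entries
! must match the host's untranslated (inside local) address.
ip access-list extended FILTER_IN
 remark restricted host: ICMP anywhere, full IP only to the partner network
 permit icmp host 192.168.1.10 any
 permit ip   host 192.168.1.10 10.10.0.0 0.0.255.255
 deny   ip   host 192.168.1.10 any
 remark everyone else on the LAN is unrestricted
 permit ip any any

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group FILTER_IN in

interface FastEthernet0/1
 ip nat outside

! Partner traffic leaves via the tunnel, which has no "ip nat outside",
! so it is routed but never translated even though NAT_ACL would match it.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.1
```

              show ip access-lists FILTER_IN shows per-entry hit counts, so a ping from the host should increment the icmp line while its other traffic to the outside lands on the deny line; show ip nat translations then confirms only the permitted flows were translated.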