NAT- Multiple NAT Pools
15 years 9 months ago #29538
by Chicago_Techie
NAT- Multiple NAT Pools was created by Chicago_Techie
I have a scenario I would like to post and validate. I did some research first and hope that I make sense here.
(I read www.firewall.cx/nat-intro.php )
* I want to connect to 2 different Service Providers.
* One is for Internet connectivity. (We'll call this Company "A".)
* One is for company-to-company connectivity. (Company "Z")
* Can I connect to each company using 2 different NAT Pools on the same router?
* Company "A": I'd like to implement NAT Overload to the Public IP they're providing. (Internet connectivity) I'd like to do this by creating the NAT Pool (and Overload statement) and the ACL with the internal network range I want this NAT Pool to apply to.
* Company "Z": I would like to create a dynamic NAT Pool. Similar concept as above in that I'd create a second Pool (but no overload this time). I'd create a second ACL (which has the same internal network range as described in company "A").
I would like to route BGP to company "Z" and default static route to company "A". (I understand routing concepts so routing won't be an issue.)
So the goal is to have a user workstation connect to Company "A" (meaning the internet) as a public address at the same time the same workstation is connecting to company "Z" as a different address. (One that company "Z" would like to see from me.)
I would like to verify this can be done and also that based on the destination address (Company "Z" server OR any address on the internet) that my user hits the proper pool based on the destination address?
I'm very sorry for the long post. I hope this makes sense. All help is greatly appreciated.
Thanks!
15 years 8 months ago #30084
by Chicago_Techie
Replied by Chicago_Techie on topic Re: NAT- Multiple NAT Pools
So I finally figured out how to multi-home NAT. I thought I'd share. It works and is in production! I'm only posting the relevant parts of the config. (Keep in mind that the interfaces need to be configured for NAT inside/outside depending on your situation.)
The IPs in this example are made up.....
Enjoy!
ip nat pool NAT-TO-COMPANYX 10.111.75.72 10.111.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 69.10.7.43 69.10.7.43 netmask 255.255.255.248
!
ip nat inside source route-map TO-COMPANYX pool NAT-TO-COMPANYX
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
!
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 56.33.30.21
!
route-map TO-COMPANYX permit 10
 match ip address 101
 set ip next-hop 10.3.4.1
!
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x 0.255.255.255
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any {permit everything else out towards the internet}
This configuration sets up policy NAT'ing so that you can NAT towards two different sites, be it 2 ISPs or 1 ISP and 1 private company, etc.
Remember I just plopped in numbers for IP Addresses above. Some may not even fit in the bit boundary listed. I just picked any old numbers.
Hope this is useful for someone.
Remember.....NETWORKING ROCKS!
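Added example, not part of the original post or any vendor tooling: a small Python model of the destination-based pool selection the configuration above relies on, plus a check that each pool range fits its netmask (the "bit boundary" concern raised in the post). The Company X network 172.16.50.0/24 is a constructed stand-in for the post's placeholder, and the model assumes first-match ACL evaluation with an implicit deny.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

INSIDE = ("192.168.17.0", "0.0.0.255")        # inside range from the post
COMPANY_X = ("172.16.50.0", "0.0.0.255")      # constructed placeholder value
ANY = ("0.0.0.0", "255.255.255.255")

# (action, source, destination), evaluated top-down with an implicit deny.
ACLS = {
    101: [("permit", INSIDE, COMPANY_X)],
    102: [("deny", INSIDE, COMPANY_X), ("permit", INSIDE, ANY)],
}
# Route-map ACL -> pool. The deny lines in ACL 102 make the two ACLs
# mutually exclusive, so the result does not depend on rule order.
NAT_RULES = [(101, "NAT-TO-COMPANYX"), (102, "NAT-TO-INTERNET")]

def acl_permits(acl_id, src, dst):
    for action, s, d in ACLS[acl_id]:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"         # first match wins
    return False                              # implicit deny

def select_pool(src, dst):
    """Pool a flow would be translated from, or None if no rule matches."""
    hits = [pool for acl_id, pool in NAT_RULES if acl_permits(acl_id, src, dst)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous NAT match for {src} -> {dst}: {hits}")
    return hits[0] if hits else None

def pool_fits_mask(start, end, netmask):
    """True when start..end sits inside one subnet of the given mask and
    avoids that subnet's network and broadcast addresses."""
    net = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return s <= e and e in net and net.network_address < s and e < net.broadcast_address

if __name__ == "__main__":
    for dst in ("172.16.50.10", "8.8.8.8"):
        print(dst, "->", select_pool("192.168.17.20", dst))
    print(pool_fits_mask("10.111.75.72", "10.111.75.94", "255.255.255.224"))
    print(pool_fits_mask("69.10.7.43", "69.10.7.43", "255.255.255.248"))
```

Dropping the deny entries from ACL 102 in the model makes `select_pool` raise for Company X destinations, which is the overlap those lines exist to prevent.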