Church, Chuck
2006-04-12 02:16:16 UTC
All,
Setting up a customer today in an odd type of deployment, I found
that trying use contiguous addresses each as a nat overload in a pool
doesn't work, putting a /32 mask on the pool causes IOS to complain (yet
accept it), and you'll get NAT translation errors on some subnets. I
have a 2650 with the serial as the NAT outside, and 4 subints on the
ethernet (dot1q tagged) as NAT inside. The idea is to use one of my 6
routable addresses as a NAT overload for all traffic from the 1st subint
inside, another routable address for the 2nd subint, and so on. Using
loopback interfaces like this seemed to work though:
interface Loopback250
ip address 66.y.z.146 255.255.255.255
!
interface Loopback251
ip address 66.y.z.147 255.255.255.255
!
interface Loopback252
ip address 66.y.z.148 255.255.255.255
!
interface Loopback253
ip address 66.y.z.149 255.255.255.255
!
ip nat inside source list C-C interface Loopback251 overload
ip nat inside source list C-S interface Loopback252 overload
ip nat inside source list G-O interface Loopback250 overload
ip nat inside source list Rest interface Loopback253 overload
Those access-lists cover the source addresses of the 4 separate customer
subnets. Idea was to keep each customer's traffic identifiable to
internet hosts (so an RIAA subpoena can be directed to the right
customer, for instance). My question is, this configuration doesn't
seem to be covered by the documentation, but seems to work well. Can
anyone elaborate on why NAT pools can't be /32 (even if the start and
end addresses are the same), and if what I did might end up causing
headaches down the road?
Thanks, and sorry about the long post,
Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services
Enterprise Network Engineering
Home Office - 864-335-9473
Cell - 864-266-3978
***@netcogov.com
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Setting up a customer today in an odd type of deployment, I found
that trying use contiguous addresses each as a nat overload in a pool
doesn't work, putting a /32 mask on the pool causes IOS to complain (yet
accept it), and you'll get NAT translation errors on some subnets. I
have a 2650 with the serial as the NAT outside, and 4 subints on the
ethernet (dot1q tagged) as NAT inside. The idea is to use one of my 6
routable addresses as a NAT overload for all traffic from the 1st subint
inside, another routable address for the 2nd subint, and so on. Using
loopback interfaces like this seemed to work though:
interface Loopback250
ip address 66.y.z.146 255.255.255.255
!
interface Loopback251
ip address 66.y.z.147 255.255.255.255
!
interface Loopback252
ip address 66.y.z.148 255.255.255.255
!
interface Loopback253
ip address 66.y.z.149 255.255.255.255
!
ip nat inside source list C-C interface Loopback251 overload
ip nat inside source list C-S interface Loopback252 overload
ip nat inside source list G-O interface Loopback250 overload
ip nat inside source list Rest interface Loopback253 overload
Those access-lists cover the source addresses of the 4 separate customer
subnets. Idea was to keep each customer's traffic identifiable to
internet hosts (so an RIAA subpoena can be directed to the right
customer, for instance). My question is, this configuration doesn't
seem to be covered by the documentation, but seems to work well. Can
anyone elaborate on why NAT pools can't be /32 (even if the start and
end addresses are the same), and if what I did might end up causing
headaches down the road?
Thanks, and sorry about the long post,
Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services
Enterprise Network Engineering
Home Office - 864-335-9473
Cell - 864-266-3978
***@netcogov.com
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/