rgmckenz asked:
How do you allow some addresses behind a Cisco NAT interface through without translation, while others are translated?

I have a Cisco 1750 router (soon to be a Cisco 2611) that is separating the networks of two corporate entities.  The Ethernet interface connects to a VLAN on one corporate network (10.1.1.0 255.255.255.224) and the Serial interface connects via T1 to another series of corporate networks (192.168.10.0 255.255.255.0).  The Ethernet interface has an IP address of 10.1.1.1 and the Serial interface has an IP of 192.168.10.1.  I am running NAT on the router, with the Ethernet as the Outside interface and the Serial as the Inside interface.  I overload the Ethernet interface with an ACL permitting access by hosts on the internal networks through the interface.  I also have a few static NATs to certain host printers on the inside networks that are assigned IP addresses in the 10.1.1.2 - 10.1.1.10 range.

The problem:  I need to allow a few host computers on the network directly connected to the Outside Ethernet interface to pass through the interface untranslated - no NAT at all.  The hosts should be able to see everything as if NAT wasn't there.  I'm sure that I need to use an extended ACL to get this done, but I'm unsure of the specific statements.  Anyone care to give this one a shot?  It would be much appreciated!
HeavyWaterLTD:
please paste your config
rgmckenz (asker):
OK, here's the config - watered down to the important stuff.  This does not include any statements, such as an extended ACL, to get the hosts (IP address 10.1.1.20, 10.1.1.21 and 10.1.1.22) through the FastEthernet0 interface untranslated.  I need them to see servers on the 192.168.1.0 and 192.168.2.0 networks, as well as some other devices on some other subnets.  Most other machines on the Outside should be translated through the NAT, but just not these three.  Hope this helps to explain things a little bit better.  Thanks!

hostname ROUTER1
!
ip subnet-zero
no ip domain-lookup
no ip http server
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 cdp enable
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.224
 ip nat outside
 cdp enable
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 3 out static
 no auto-summary
!
ip nat inside source list 50 interface FastEthernet0 overload
ip nat inside source static 192.168.1.10 10.1.1.4
ip nat inside source static 192.168.1.11 10.1.1.5
ip nat inside source static 192.168.1.12 10.1.1.6
ip nat inside source static 192.168.1.13 10.1.1.7
ip nat inside source static 192.168.1.14 10.1.1.8
ip nat inside source static 192.168.1.15 10.1.1.9
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
ip route 10.2.1.0 255.255.255.0 10.1.1.30
ip route 10.3.1.0 255.255.255.0 10.1.1.30
!
no ip http server
!
access-list 3 permit 10.2.1.0 0.0.0.255
access-list 3 permit 10.3.1.0 0.0.0.255
!
access-list 50 permit 192.168.10.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255
access-list 50 permit 192.168.2.0 0.0.0.255
access-list 50 permit 192.168.4.0 0.0.0.255
!
end
ASKER CERTIFIED SOLUTION
HeavyWaterLTD
This solution is only available to members.
Thanks for the quick response.  Would the same hold true for devices on the Outside, such as a device at address 10.1.1.20?  Would I need a deny with those addresses, and if so, would they work with the same NAT statement and access list?  Do I need an ip nat outside statement covering those addresses?
NAT works only in this direction

inside -> outside

and the access-list above will look at source addresses coming from "inside" only.

there is no such thing as NAT from outside interface to the inside....
You should have the other end guy create the same exceptions as you on his router so that you get the traffic un-natted. On the device, you could have the nat either way but only one way at a time.

inside to outside OR outside to inside.

Cheers,
Rajesh
Thanks for the assistance.  HeavyWaterLTD, your deny statements would work fine, but I modified them a bit.  I'm now using an extended ACL and referencing specific hosts on the Outside network.  They now pass right around the NAT untranslated.  My 10.1.1.20, 21 and 22 hosts can get to my other interior networks.  I'm posting my updated, working config below.  Thanks once again for the ultra-quick response!

hostname ROUTER1
!
ip subnet-zero
no ip domain-lookup
no ip http server
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 cdp enable
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.224
 ip nat outside
 cdp enable
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 3 out static
 no auto-summary
!
! dynamic PAT: an inside source matched by a "permit" in list 150 leaves FastEthernet0 as 10.1.1.1;
! a "deny" in the list means "do not translate this flow", it does not drop the packet
ip nat inside source list 150 interface FastEthernet0 overload
! static one-to-one entries for the printers; these are matched before the dynamic list
ip nat inside source static 192.168.1.10 10.1.1.4
ip nat inside source static 192.168.1.11 10.1.1.5
ip nat inside source static 192.168.1.12 10.1.1.6
ip nat inside source static 192.168.1.13 10.1.1.7
ip nat inside source static 192.168.1.14 10.1.1.8
ip nat inside source static 192.168.1.15 10.1.1.9
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
ip route 10.2.1.0 255.255.255.0 10.1.1.30
ip route 10.3.1.0 255.255.255.0 10.1.1.30
!
no ip http server
!
access-list 3 permit 10.2.1.0 0.0.0.255
access-list 3 permit 10.3.1.0 0.0.0.255
!
! flows from any 192.168.x.x inside host toward the three exempted outside hosts are left untranslated
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.20
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.21
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.22
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
!
end
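The working config above relies on a detail of how IOS evaluates `ip nat inside source`: a new inside-to-outside packet is first checked against the static entries, then against the list named in the overload rule, and a `deny` in that list (or no match at all) means the source is simply left as it is. It is not a packet filter. The following script is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the final configuration (the NAT lines and access-list 150 only) and reports, for a given inside source and outside destination, what source address the packet carries on the FastEthernet0 side and why. The `INTERFACE_ADDRESSES` map is an assumption standing in for the `interface FastEthernet0` lookup, and the sample flows are constructed. Two practitioner caveats the model makes visible: the static entries still apply to 192.168.1.10-15 even toward the exempted hosts, so those printers keep appearing as 10.1.1.4-9 everywhere; and because 10.1.1.20-22 now see real 192.168.x.x addresses, they need a route to 192.168.0.0/16 via 10.1.1.1, while restricting which outside hosts may reach the inside at all is a job for an interface ACL, not for the NAT list.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt of the thread's final working configuration: only the lines
# that decide whether a flow is translated (overload rule, statics, list 150).
CONFIG = """\
ip nat inside source list 150 interface FastEthernet0 overload
ip nat inside source static 192.168.1.10 10.1.1.4
ip nat inside source static 192.168.1.11 10.1.1.5
ip nat inside source static 192.168.1.12 10.1.1.6
ip nat inside source static 192.168.1.13 10.1.1.7
ip nat inside source static 192.168.1.14 10.1.1.8
ip nat inside source static 192.168.1.15 10.1.1.9
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.20
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.21
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.22
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
"""

# Assumption: stands in for the router resolving "interface FastEthernet0" to its address.
INTERFACE_ADDRESSES = {"FastEthernet0": "10.1.1.1"}


@dataclass
class NatConfig:
    statics: dict = field(default_factory=dict)   # inside local -> inside global
    acl_number: str = ""                          # list named in the overload rule
    overload_addr: str = ""                       # inside global address for PAT
    acl: list = field(default_factory=list)       # (number, action, src_spec, dst_spec)


def _addr_spec(tokens, i):
    """Parse one extended-ACL address spec at tokens[i]: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Pull the NAT-relevant statements out of IOS configuration text."""
    cfg = NatConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg.statics[t[5]] = t[6]
        elif len(t) >= 8 and t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg.acl_number = t[5]
            cfg.overload_addr = INTERFACE_ADDRESSES[t[7]]   # "... interface <name> overload"
        elif len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
            cfg.acl.append((t[1], t[2], src, dst))
    return cfg


def wildcard_match(ip, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    addr, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def translated_source(cfg, src, dst):
    """Source address a new packet from inside host src to outside host dst carries on the
    outside after 'ip nat inside source' processing, plus the reason. Models the
    inside-to-outside direction only; replies follow the translation table."""
    if src in cfg.statics:
        return cfg.statics[src], "static entry, evaluated before the dynamic list"
    for number, action, s, d in cfg.acl:
        if number != cfg.acl_number:
            continue
        if wildcard_match(src, s) and wildcard_match(dst, d):
            if action == "permit":
                return cfg.overload_addr, "permit in list %s: PAT to interface address" % number
            return src, "deny in list %s: exempt from translation, not dropped" % number
    return src, "no match in list %s: not translated" % cfg.acl_number


def decision_table(cfg, flows):
    """Map each (src, dst) pair to (outside-visible source, reason)."""
    return {(s, d): translated_source(cfg, s, d) for s, d in flows}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    sample_flows = [                      # constructed flows, not from the thread
        ("192.168.1.50", "10.1.1.20"),    # inside host to an exempted outside host
        ("192.168.1.50", "10.1.1.25"),    # inside host to an ordinary outside host
        ("192.168.1.10", "10.1.1.20"),    # printer with a static entry, exempted dst
        ("192.168.5.7", "10.1.1.25"),     # subnet absent from list 150
    ]
    for (s, d), (new_src, why) in decision_table(cfg, sample_flows).items():
        print("%-13s -> %-10s  appears as %-13s  (%s)" % (s, d, new_src, why))
```

Run it as-is to see the four sample flows; to check a change to the list before committing it on the router, paste the new `access-list 150` lines into `CONFIG` and add the flows that matter to `sample_flows`.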