NAT on vlans???

Assume I have a router with an ethernet port connected to a switch. The switch has several vlans and the router has the appropriate configurations to match.

If I wanted to set up a form of NAT on on the interface connected to the switch, would I configure it on the ethernet interface, or the sub interfaces?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

lordy

Never done this, but I guess it would only make sense on the subinterfaces as the main interface is just a trunk.

Regards,
Lordy

johnnynodough

excellent question!

I dunno. But I would like to find out as well.

Noods

Im going to assume you can do it on either interface, with the advantage of being able to utilie NAT on a particular vlan. Is there any functional difference? I dont have the equipment or the time to test it. Ill post on the Cisco site and let you guys know.

access01(config)#int ethernet 0.1
access01(config-subif)#ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Fowarding interface commands
  cgmp                Enable/disable CGMP
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  flow                NetFlow related commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  idle-group          Specify interesting packets for idle-timer
  igmp                IGMP interface commands
  information-reply   Enable sending ICMP Information Reply messages
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  nat                 NAT interface commands
  next-hop-self       Configures IP-EIGRP next-hop-self
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable policy routing
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  rsvp                RSVP Interface Commands
  sap                 Session Announcement Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  tcp                 TCP header compression and other parameters
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  urd                 Configure URL Rendezvousing
  verify              Enable per packet validation
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands

access01(config-subif)#

Drakonblayde

You know, that's actually a pretty damned good question. I can't see why it wouldn't work, I'll test it out later today if we get some free time (I've already got a lab setup to practive various BCMSN configs, so pretty easy to go router on a stick and toss in an ACL)

garv221

It depends on your hardware...There a some pretty smart devices out there...I have a router moving packets from an ATM, then a smart 4000 series Blade switch handling static routes. Thats done by VLANs & NAT Pools. Then each physical connection is trunked.

keenon

actually it can be done on the regular interface as well

(config-if)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
bgp BGP interface commands
broadcast-address Set the broadcast address of an interface
cef Cisco Express Fowarding interface commands
cgmp Enable/disable CGMP
dhcp Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
igmp IGMP interface commands
irdp ICMP Router Discovery Protocol
load-sharing Style of load sharing
mask-reply Enable sending ICMP Mask Reply messages
mobile Mobile IP support
mrm Configure IP Multicast Routing Monitor tester
mroute-cache Enable switching cache for incoming multicast packets
mtu Set IP Maximum Transmission Unit
multicast IP multicast interface commands
nat NAT interface commands
nbar Network-Based Application Recognition
nhrp NHRP interface subcommands
ospf OSPF interface commands
pgm PGM Reliable Transport Protocol
pim PIM interface commands
policy Enable policy routing
probe Enable HP Probe support
proxy-arp Enable proxy ARP
rarp-server Enable RARP server for static arp entries
redirects Enable sending ICMP Redirect messages
rgmp Enable/disable RGMP
rip Router Information Protocol
route-cache Enable fast-switching cache for outgoing packets
router IP router interface commands
rsvp RSVP interface commands
rtp RTP parameters

tunerX

You would configure nat on the interface that needs translation. It can pretty much be any interface that supports IP. If you can do the IP command then you should be able to also do the nat inside our nat outside commands.

dissolved

I've done NAT with VLANs.
Basically, you use NAT on the physical interface. You then do the access list for each network you want "natted."

Take my network for example. It is double NAT. I had an internal host I wanted externally accessible (very bad security practice, but I had to practice NAT

).

outside-public IP (68.x.x.x)
gateway router
e1-192.168.1.0 0.0.0.3
|
|
outside-192.168.1.0 0.0.0.3
fwall
inside-192.168.2.0 0.0.0.3
|
|
e0-192.168.2.0 0.0.0.3
internal router (inter-vlan routing for vlan 1,2,3)
e1-192.168.3.0
|
|
8mb 2924xl (3 vlans)
|
|
mail server (192.168.4.2)

internal router Config:
int e0/0
ip nat outside

int e1/0
ip nat inside

Then add your permit nat statements:
access-list 1 permit 192.168.3.0 0.0.0.255(vlan 1)
access-list 1 permit 192.168.4.0 0.0.0.255(vlan 2)
access-list 1 permit 192.168.5.0 0.0.0.255 (vlan 3)

I also have static PAT statements so tcp 25 traffic on my internal router so external traffic can reach it on the inside. It's not as hard as it seems. You just point to the router that knows about your VLANs. It will take care of the rest as long as the VLAN'd host can get out.

Sorry for rambling