Apply your static first, then apply the NAT pool.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Larsson
Sent: Wednesday, January 20, 2010 9:41 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ip nat source pool conflicts with ip nat source static?

I am playing with some basic IOS NAT and can't get it to work the way I want.

On my "inside" I have a client at 10.0.20.100. I want to hide that IP for
outbound traffic. First I do it with a NAT pool, like this:

interface FastEthernet0
 ip address 10.0.13.2 255.255.255.0
 ip nat enable
interface FastEthernet1
 ip address 10.0.20.1 255.255.255.0
 ip nat enable

ip access-list extended ACL_INSIDE_NAT
 permit ip 10.0.20.0 0.0.0.255 any

ip nat pool MYNATPOOL 10.99.99.99 10.99.99.199 netmask 255.255.255.0 add-route
ip nat source list ACL_INSIDE_NAT pool MYNATPOOL

All is fine and my client can access an outside web-server, hidden behind a
10.99.99-address (after redistributing statics so that my outside network
knows about the 10.99.99-network).

Then I want to modify it so that everything on 10.0.20.0/24 stays hidden
behind that pool EXCEPT for my host .100. I add this:

ip access-list extended ACL_INSIDE_NAT
 deny   ip host 10.0.20.100 any
 permit ip 10.0.20.0 0.0.0.255 any

(Denying traffic from my host so that it is NOT NATed with my pool)

r3(config)#ip nat source static 10.0.20.100 10.99.98.100
r3(config)#
*Jan 20 14:44:13.147: %Non-Static entry already exists

1) Why can't I do that? I can't see that my ip nat source pool conflicts with
my ip nat source static.

2) How do I solve this?

3) How do I redistribute knowledge of this 10.99.98-address? I miss the
ability to add "add-route" at the end of the ip nat source static line. If I
am supposed to solve this with a static route in the config, what should I
point nexthop to?

Br Jimmy

-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
