IOS overlapping NAT

There are not many situations where the ordering of lines in the router configuration really matters (apart from inside ACLs or the various kinds of "maps"). But when dealing with address translations it is really important, because the translation statements are processed in the same order as they were added to the running-config.

Let's say that I want to hide my internal network on the outside, behind a pool of addresses. I do it like this:

ip nat pool MYNATPOOL netmask add-route

ip nat source list ACL_INSIDE_NAT pool MYNATPOOL

ip access-list extended ACL_INSIDE_NAT
permit ip any

But what if I later decide to make an exception to this? My internal host should be translated to Then I add this line:

ip nat source static

If (and only if!) I have any active translations for my inside host when adding this static NAT, I will get this warning:

r3(config)#ip nat source static
*Jan 21 14:14:51.999: %Non-Static entry already exists

This can be avoided by clearing all active translations before adding the command:

*Jan 21 14:24:01.747: %Non-Static entry already exists
r3#clear ip nat nvi trans *
*Jan 21 14:24:09.091: NAT-NVI: deleting alias for
r3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r3(config)#ip nat source static

Even so, we have configured the translations in the wrong order: our inside .100 host will still be translated by the ip nat source list command, since the access-list includes .100 and that command comes before the static one in the configuration.

This can be solved in two ways. Either you clear all active translations, remove both lines and put them back in the proper order (static first):

r3(config)#do clear ip nat nvi trans *
r3(config)#no ip nat source static
r3(config)#no ip nat source list ACL_INSIDE_NAT pool MYNATPOOL
r3(config)#ip nat source static
r3(config)#ip nat source list ACL_INSIDE_NAT pool MYNATPOOL

The other way is to make the translations non-overlapping by excluding .100 from the ACL used by the ip nat source list command:

r3(config)#ip access-list extended ACL_INSIDE_NAT
r3(config-ext-nacl)#5 deny ip host any
r3#sh ip access-list ACL_INSIDE_NAT
Extended IP access list ACL_INSIDE_NAT
5 deny ip host any
10 permit ip any (3 matches)
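Both fixes above can be verified mechanically before changes go on the box. The script below is an added example, not code from the original post: it reads an IOS-style configuration that uses the same NVI-style ip nat source syntax, and reports every ip nat source static entry whose inside address an earlier ip nat source list ACL would also permit, which is exactly the shadowing described above. The addresses in the sample configs are constructed placeholders, the ACL model covers only the source field of permit/deny ip entries, and translation statements are assumed to be evaluated in running-config order as the post states.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+ip\s+(\S+)(?:\s+(\S+))?")

def source_net(kw, arg):
    """IOS ACL source spec ('any', 'host A', 'A WILDCARD') -> ip_network."""
    if kw in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if kw == "any" else arg + "/32")
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(arg)) ^ 0xFFFFFFFF)  # wildcard -> mask
    return ipaddress.ip_network(f"{kw}/{netmask}", strict=False)

def parse_config(text):
    """NAT statements in running-config order, plus the ACL entries they reference."""
    nat, acls, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("ip access-list extended "):
            cur = acls.setdefault(line.split()[-1], [])
        elif line.startswith("ip nat source static "):
            nat.append(("static", line.split()[4]))
        elif line.startswith("ip nat source list "):
            nat.append(("list", line.split()[4]))
        elif cur is not None and (m := ACL_RE.match(line)):
            cur.append((m.group(1), source_net(m.group(2), m.group(3))))
    return nat, acls

def acl_permits(entries, host):
    """First matching entry wins; no match is the implicit deny."""
    for action, net in entries:
        if host in net:
            return action == "permit"
    return False

def audit(text):
    """Report static NATs that an earlier 'ip nat source list' would translate first."""
    nat, acls = parse_config(text)
    statics = [(i, ipaddress.ip_address(a)) for i, (k, a) in enumerate(nat) if k == "static"]
    return [f"static NAT for {host} shadowed by earlier 'ip nat source list {acl}'"
            for i, host in statics for kind, acl in nat[:i]
            if kind == "list" and acl_permits(acls.get(acl, []), host)]

# Constructed sample configs (placeholder RFC 1918/5737 addresses, not the post's own):
LIST = "ip nat source list ACL_INSIDE_NAT pool MYNATPOOL\n"
STATIC = "ip nat source static 10.0.0.100 203.0.113.100\n"
ACL = "ip access-list extended ACL_INSIDE_NAT\n permit ip 10.0.0.0 0.0.0.255 any\n"
ACL_EXCL = "ip access-list extended ACL_INSIDE_NAT\n deny ip host 10.0.0.100 any\n permit ip 10.0.0.0 0.0.0.255 any\n"
SHADOWED = LIST + STATIC + ACL       # static added after the list, .100 overlaps: one finding
REORDERED = STATIC + LIST + ACL      # fix 1: static entered before the dynamic list
EXCLUDED = LIST + STATIC + ACL_EXCL  # fix 2: the ACL no longer permits .100
```

Running audit() on SHADOWED returns one finding for 10.0.0.100, while both REORDERED and EXCLUDED return an empty list.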

Posted in Cisco Security
