Policy NAT (aka Conditional NAT) lets you combine NAT and route-maps so that you can create more specific NAT rules. In a route-map, one of the things you can use is access-lists so you can create NAT rules based on anything you can match in an access-list.
To demonstrate this, I’ll use the following topology:
H1 is the host that we’ll source our traffic from. R1 is the NAT router that is connected to two ISPs. Each ISP has a loopback interface that represents a telnet server. We are going to create a NAT rule that translates:
- 192.168.1.101 to 192.168.12.1 when it connects to 188.8.131.52 port 23.
- 192.168.1.101 to 192.168.13.1 when it connects to 184.108.40.206 port 23.
Want to take a look for yourself? Here you will find the startup configuration of each device.
hostname H1 ! no ip routing ! no ip cef ! interface GigabitEthernet0/1 ip address 192.168.1.101 255.255.255.0 ! ip default-gateway 192.168.1.254 ! end
hostname ISP1 ! ip cef ! interface Loopback0 ip address 220.127.116.11 255.255.255.255 ! interface GigabitEthernet0/1 ip address 192.168.12.2 255.255.255.0 ! end
hostname ISP2 ! ip cef ! interface Loopback0 ip address 18.104.22.168 255.255.255.255 ! interface GigabitEthernet0/1 ip address 192.168.13.3 255.255.255.0 ! end
hostname R1 ! ip cef ! interface GigabitEthernet0/1 ip address 192.168.1.254 255.255.255.0 ! interface GigabitEthernet0/2 ip address 192.168.12.1 255.255.255.0 ! interface GigabitEthernet0/3 ip address 192.168.13.1 255.255.255.0 ! ip route 22.214.171.124 255.255.255.255 192.168.12.2 ip route 126.96.36.199 255.255.255.255 192.168.13.3 ! end
Let’s get started. First, I need to configure the correct NAT inside and outside interfaces:
R1(config)#interface GigabitEthernet 0/1 R1(config)#ip nat inside R1(config)#interface GigabitEthernet 0/2 R1(config-if)#ip nat outside R1(config)#interface GigabitEthernet 0/3 R1(config-if)#ip nat outside
I’ll create two access-lists that match the traffic that I want to translate with NAT:
R1(config)#ip access-list extended ISP1_L0 R1(config-ext-nacl)#permit tcp host 192.168.1.101 host 188.8.131.52 eq 23 R1(config)#ip access-list extended ISP2_L0 R1(config-ext-nacl)#permit tcp host 192.168.1.101 host 184.108.40.206 eq 23
Now I’ll create a route-map and attach the access-lists in two different permit statements: