Translating Some Addresses Statically and Others Dynamically

Problem

You want certain hosts to have static address translation properties and all others to use dynamic translation.

Solution

In some cases you might need to use a combination of the two approaches. Some internal devices will always translate to specific external addresses, but others will use a dynamic pool. This is often the case when you have a few internal servers that need to be accessed from outside of the network, but other devices that will only make outbound connections:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#

Discussion

In this recipe, we have the same pool of dynamic addresses as in Recipe 21.2, combined with the same two static translations from Recipe 21.3. It is often useful to combine NAT techniques like this, particularly when you use the connection between these networks for several different applications. Some applications might need to work with well-known IP addresses, while others could work well from a dynamic pool.

The access list in this example specifically excludes the two addresses that will use static rather than dynamic NAT. This is not strictly necessary, because the static NAT commands appear to take precedence over dynamic NAT in the router. However, it is still a good practice because it makes absolutely clear to anybody reading the router configuration what you intended to do.

The other important thing to notice in this example is that we have explicitly kept the static NAT addresses out of the dynamic NAT pool. The dynamic pool runs from 172.16.1.100 to 172.16.1.150, and the static addresses are 172.16.1.10 and 172.16.1.11. This is critically important because the dynamic NAT allocation does not check each address in the pool to make sure that it is not already configured for a static NAT translation. So you could get serious address conflicts if you do not explicitly separate the static from the dynamic NAT addresses.
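As an added check that is not part of the book's recipe, the following Python script audits an IOS NAT configuration for exactly the two problems discussed above: a static global address that falls inside a dynamic pool, and a static inside host that the dynamic NAT access list does not deny. The sample configuration is the recipe's own NAT lines; the regexes and function names are assumptions of this example, not IOS or book conventions.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines from the recipe above.
SAMPLE_CONFIG = """\
access-list 15 deny 192.168.1.15 0.0.0.0
access-list 15 deny 192.168.1.16 0.0.0.0
access-list 15 permit 192.168.0.0 0.0.255.255
ip nat inside source static 192.168.1.15 172.16.1.10
ip nat inside source static 192.168.1.16 172.16.1.11
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
ip nat inside source list 15 pool NATPOOL overload
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
STATIC_RE = re.compile(rf"^ip nat inside source static {IP} {IP}\b")
POOL_RE = re.compile(rf"^ip nat pool (\S+) {IP} {IP} netmask")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)")
# Host entries in a standard ACL: "deny A.B.C.D 0.0.0.0" or "deny host A.B.C.D"
ACL_DENY_RE = re.compile(rf"^access-list (\S+) deny (?:host {IP}|{IP} 0\.0\.0\.0)$")

def parse_nat(config):
    """Collect static maps, pools, list->pool bindings and ACL host denies."""
    statics, pools, dynamic, denies = {}, {}, [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[ipaddress.ip_address(m[1])] = ipaddress.ip_address(m[2])
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := DYNAMIC_RE.match(line):
            dynamic.append((m[1], m[2]))
        elif m := ACL_DENY_RE.match(line):
            denies.setdefault(m[1], set()).add(ipaddress.ip_address(m[2] or m[3]))
    return statics, pools, dynamic, denies

def audit_nat(config):
    """Return findings: static globals inside a pool, static hosts the ACL still permits."""
    statics, pools, dynamic, denies = parse_nat(config)
    findings = []
    for inside, outside in statics.items():
        for name, (lo, hi) in pools.items():
            if lo <= outside <= hi:  # static global would also be handed out dynamically
                findings.append(f"static global {outside} lies in pool {name} ({lo}-{hi})")
    for acl, pool in dynamic:
        for inside in statics:
            if inside not in denies.get(acl, set()):
                findings.append(f"static host {inside} is not denied in access-list {acl} feeding pool {pool}")
    return findings

FINDINGS = audit_nat(SAMPLE_CONFIG)  # [] for the recipe's configuration
```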

See Also