Level: Professional
 
In complex network architectures, admins sometimes have to trick components into unusual configurations in order to achieve their goals. NAT is well known; policy NAT much less so.
 
One note before we proceed: policy NAT is unfortunately supported by only a few Layer 3 switches. No problem on a Cisco 650X with SUP720, of course.
 
In this example, source addresses in VLAN 2 are NATted to a pool belonging to the VLAN 3 address range when accessing VLAN 3. All other connections are not NATted:
 
ip nat pool pool-2 192.168.2.20 192.168.2.25 prefix-length 24
ip nat inside source route-map MAP-2 pool pool-2

interface Vlan 2
 ip nat inside
 ...

interface Vlan 3
 ip nat outside
 ...
 
ip access-list extended MGMT-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip any any
 
route-map MAP-2 permit 10
 match ip address MGMT-ACL
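
The matching logic of the configuration above, modelled in Python as an added example (not part of the original post). The ACL and pool values are copied from the config; the function and class names are hypothetical, and the model assumes one pool address per inside host and that new flows are dropped once all six pool addresses are in use, since the pool is configured without overload.

```python
import ipaddress

# Values copied from the configuration above ("any" written as a full wildcard).
ACL = [  # (action, src, src_wildcard, dst, dst_wildcard)
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
POOL_FIRST, POOL_LAST = "192.168.2.20", "192.168.2.25"


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_permits(src, dst):
    """First matching entry wins; no match at all means implicit deny."""
    for action, s, sw, d, dw in ACL:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


class PolicyNat:
    """Simplified model (assumption): one pool address per inside host."""

    def __init__(self):
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(_ip(POOL_FIRST), _ip(POOL_LAST) + 1)]
        self.table = {}  # inside local address -> inside global address

    def translate(self, src, dst):
        """Return the source address the packet leaves with, or None if dropped."""
        if not acl_permits(src, dst):
            return src  # route-map does not match: forwarded untranslated
        if src not in self.table:
            if not self.free:
                return None  # assumption: pool exhausted, flow is dropped
            self.table[src] = self.free.pop(0)
        return self.table[src]
```

With only six addresses in pool-2, the seventh concurrent host matching MGMT-ACL gets no translation in this model, which is worth checking against the number of hosts expected to reach VLAN 3.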
 
 
 
20.04.2008
Policy NAT on layer 3 switches