Problem
You want certain hosts to have static address translation properties and all others to use dynamic translation.
Solution
In some cases you might need to use a combination of the two approaches. Some internal devices will always translate to specific external addresses, but others will use a dynamic pool. This is often the case when you have a few internal servers that need to be accessed from outside of the network, but other devices that will only make outbound connections:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
Discussion
In this recipe, we have the same pool of dynamic addresses as in Recipe 21.2, combined with the same two static translations from Recipe 21.3. It is often useful to combine NAT techniques like this, particularly when you use the connection between these networks for several different applications. Some applications might need to work with well-known IP addresses, while others could work well from a dynamic pool.
The access-list in this example specifically excludes the two addresses that will use static rather than dynamic NAT. This is not strictly necessary because the static NAT commands appear to have precedence over dynamic NAT in the router. However, this is still a good practice because it is absolutely clear to anybody looking at the router configuration what you intended to do.
The other important thing to notice in this example is that we have explicitly kept the static NAT addresses out of the dynamic NAT pool. The dynamic pool is from 172.16.1.100 to 172.16.1.150, and the static addresses are 172.16.1.10 and 172.16.1.11. This is critically important because the dynamic NAT allocation does not check each address in the pool to make sure that it is not configured for static NAT translation. So you could get serious address conflicts if you do not explicitly separate the static from the dynamic NAT addresses.
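Because the router does not make this check for you, it is worth auditing a saved configuration offline. The following Python script is an added example, not part of the original recipe: it flags static global addresses that fall inside a dynamic pool and static inside hosts that are not denied in the dynamic rule's access-list. The function name audit_nat and the embedded sample are constructed here, and the parser assumes only the command forms used in this recipe.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines of this recipe's configuration.
RECIPE_CONFIG = """\
access-list 15 deny 192.168.1.15 0.0.0.0
access-list 15 deny 192.168.1.16 0.0.0.0
access-list 15 permit 192.168.0.0 0.0.255.255
ip nat inside source static 192.168.1.15 172.16.1.10
ip nat inside source static 192.168.1.16 172.16.1.11
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
ip nat inside source list 15 pool NATPOOL overload
"""

# Only the command forms shown in the recipe are recognised (an assumption).
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)[ \t]*$", re.M)
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+", re.M)
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\d+) pool (\S+)", re.M)
DENY_HOST_RE = re.compile(r"^access-list (\d+) deny (\S+) 0\.0\.0\.0[ \t]*$", re.M)

def audit_nat(config):
    """Return a list of findings for a mixed static/dynamic NAT configuration."""
    ip = ipaddress.ip_address
    statics = [(ip(l), ip(g)) for l, g in STATIC_RE.findall(config)]
    pools = {n: (ip(s), ip(e)) for n, s, e in POOL_RE.findall(config)}
    denied = {}
    for acl, host in DENY_HOST_RE.findall(config):
        denied.setdefault(acl, set()).add(ip(host))
    findings = []
    for acl, pool in DYNAMIC_RE.findall(config):
        if pool not in pools:
            findings.append(f"dynamic rule references undefined pool {pool}")
            continue
        start, end = pools[pool]
        for local, glob in statics:
            # The conflict the Discussion warns about: pool may hand out this address.
            if start <= glob <= end:
                findings.append(f"static global {glob} lies inside pool {pool}")
            # Good-practice check: static hosts excluded from the dynamic ACL.
            if local not in denied.get(acl, set()):
                findings.append(f"static local {local} not denied in access-list {acl}")
    return findings

if __name__ == "__main__":
    for line in audit_nat(RECIPE_CONFIG) or ["no conflicts found"]:
        print(line)
```

The recipe's own configuration produces no findings; widening the pool to cover 172.16.1.10 or dropping one of the deny lines produces one finding per affected host.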
See Also
Recipe 21.2; Recipe 21.3