Thanks Tyson. I almost posted the same question the other day since I found the documentation on NVI less than clear, and I think you've explained the piece that was confusing me.
So just to make sure I understand this, "domain based NAT" will translate anything that starts with (config)# ip nat inside ... *only* on interfaces configured with (config-if)# ip nat inside and will translate anything that starts with (config)# ip nat outside ... *only* on interfaces configured with (config-if)# ip nat outside.

For NVI, we just use (config)# ip nat source ... and it will translate anything matching the specifications regardless of direction.

Also, NVI doesn't work with route-maps, so if you need to translate a specific set of source/destination networks or match on something more complex, you would need to use a route-map and domain based NAT (even though it seems to be configurable when using NVI):

R8(config)#ip nat source route-map ?
  WORD  Route-map name

Any other circumstances you can think of that would require the use of NVI vs. domain-based NAT? Otherwise, seems like NVI would actually be easier as a general rule.

-Dave

On Tue, Jan 18, 2011 at 12:11 AM, Max Pierson <[email protected]> wrote:

> I like the new NAT format which I still need to learn a little more about
> it, but I wish Cisco would make up their mind and stick with it.
>
> Tyson, I know you're aware of the PIX/ASA "access-list permits/denys" we
> mapped to the outside public and not the inside translated IP up until 8.3.
> WTF .... been that way for years .... but now they decide to change to the
> logic that I first "thought" I understood to make sense. Now it's all
> reverse of what I've been using the last 5 years. Go figure :)
>
> Anyways, enough ranting for the day. Tyson, thanks for the help earlier.
>
> Regards,
> Max
>
> On Mon, Jan 17, 2011 at 10:02 PM, Tyson Scott <[email protected]> wrote:
>
> > Also if you click on the vlecture link in Marko's signature I have a
> > vlecture on NAT on ASA and IOS and that should help with this concept as
> > well I believe.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Managing Partner / Sr. Instructor - IPexpert, Inc.
> > Mailto: [email protected]
> > Telephone: +1.810.326.1444, ext. 208
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Nilesh Mehta
> > Sent: Monday, January 17, 2011 6:32 PM
> > To: [email protected]
> > Subject: [OSL | CCIE_RS] difference between ip nat enable/ip nat inside
> >
> > I am not sure what is the difference between these two NAT commands. Can
> > anyone help to understand what is the difference between ip nat enable and
> > ip nat inside/outside command
> >
> > Example:--1
> > int fa0/0
> > ip nat inside
> > int s0/0/0
> > ip nat out
> > -------------
> > example--2
> > int fa0/0
> > ip nat enable
> > int s0/0/0
> > ip nat enable
> >
> > I know ip nat enable is new method of doing nat and create an NVI
> > interface but my question is,
> > both commands are same? can we use vice-versa or is there some
> > situation where you can use only specific one (I mean ip nat enable or
> > ip nat inside/outside)
> >
> > Thanks
> >
> > Nilesh
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
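
The two styles discussed in this thread, written out in full as an added example that is not part of the original messages. The interface names come from the question; ACL 1 and the 10.0.0.0/24 network are constructed values, and the two halves are alternatives, not one combined configuration.

```cisco
! Constructed example: ACL 1 and 10.0.0.0/24 are assumed values.
access-list 1 permit 10.0.0.0 0.0.0.255
!
! --- Option A: domain-based NAT -------------------------------------
! Each interface is given a role; the global rule names the domain
! (inside) that the translation applies to.
interface FastEthernet0/0
 ip nat inside
interface Serial0/0/0
 ip nat outside
!
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Check translations with: show ip nat translations
!
! --- Option B: NVI ---------------------------------------------------
! Every participating interface gets the same command; the global rule
! carries no inside/outside keyword.
interface FastEthernet0/0
 ip nat enable
interface Serial0/0/0
 ip nat enable
!
ip nat source list 1 interface Serial0/0/0 overload
!
! Check translations with: show ip nat nvi translations
```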
