topic Help with 3 different Nats on a 1800 firewall in Network Security

Help with 3 different Nats on a 1800 firewall

tyoungbauer — Tue, 12 Mar 2019 00:10:11 GMT

I have a client that has 6 public IP addresses. He needs to use 3 of them. One for workstations which is currently working fine. It is using the default gateway IP. One for a email/web server which has a statis NAT and is also working fine. But we need an additional NAT but it is for 3 servers that all need to go out as the smae public IP. I am not sure and been unsuccessful getting those to go out as the same IP. I either cannot get them to exit the same IP or it breaks the workstation NAT.

Workstations would be 10.0.0.100 - 200 going oput the FE1 interface or I think x.x.94.122

Email would be 10.0.0.5 going out the statis NAT of x.x.94.123

I then need 10.0.0.2 - 4 to go out x.x.94.124

I removed some ACLs and IP info for security.

Attached is the current config.

Thanks in advance.

Todd

interface FastEthernet0

description $ETH-WAN$$FW_OUTSIDE$

ip address x.x.4.240 255.255.255.0

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

shutdown

duplex auto

speed auto

crypto map SDM_CMAP_1

interface FastEthernet1

ip address X.X.94.122 255.255.255.248

ip access-group 110 in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

interface FastEthernet2

interface FastEthernet3

interface FastEthernet4

interface FastEthernet5

interface FastEthernet6

interface FastEthernet7

interface FastEthernet8

interface FastEthernet9

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$

ip address 10.0.0.254 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

ip local pool SDM_POOL_1 192.168.12.1 192.168.12.254

ip route 0.0.0.0 0.0.0.0 X.X.94.121

ip flow-top-talkers

top 50

sort-by bytes

cache-timeout 200

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source static tcp 10.0.0.4 5900 interface FastEthernet0 5900

ip nat inside source static tcp 10.0.0.2 5001 interface FastEthernet0 5001

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload

ip nat inside source static 10.0.0.5 X.X.94.123 route-map SDM_RMAP_2

ip nat inside source static 10.0.0.2 X.X.94.124 route-map SDM_RMAP_3

ip nat inside source static 10.0.0.4 X.X.94.125 route-map SDM_RMAP_4

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 104 permit ip 10.0.0.0 0.0.0.255 any

access-list 105 remark SDM_ACL Category=2

access-list 105 deny ip host 10.0.0.5 192.168.12.0 0.0.0.255

access-list 105 permit ip host 10.0.0.5 any

access-list 110 remark auto generated by SDM firewall configuration

access-list 110 remark SDM_ACL Category=1

route-map SDM_RMAP_4 permit 1

match ip address 107

route-map SDM_RMAP_1 permit 1

match ip address 104

route-map SDM_RMAP_2 permit 1

match ip address 105

route-map SDM_RMAP_3 permit 1

match ip address 106

Help with 3 different Nats on a 1800 firewall

Julio Carvajal — Wed, 17 Oct 2012 04:11:24 GMT

Hello T,

Not sure if I understood this correctly but basically you want to do the following:

Nat Workstations range 10.0.0.100 - 200 to the IP x.x.94.122

Email would be 10.0.0.5 looking on the outside as x.x.94.123

I then need 10.0.0.2 - 4 to look on the outside as x.x.94.124

You can do it with route-maps but for simplicity I will do it just with ACL's

1) Ip access-list extended Workstation_B

permit ip host 10.0.0.2 any

permit ip host 10.0.0.3 any

permit ip host 10.0.0.4 any

ip nat inside source list Workstation_B x.x.94.122 overload

2) ip nat inside source static 10.0.0.5 x.x.94.123

3) ip nat inside source dynamic any x.x.94.122

Is there a way you could try that and let me know the result,

Any other question..Sure..Just remember to rate all of the helpful posts

Julio

Help with 3 different Nats on a 1800 firewall

tyoungbauer — Wed, 17 Oct 2012 04:41:29 GMT

Here is what I tried but I don’t think the 10.0.0.2 - 4 is working?

ip nat pool VoIP x.x.94.124 x.x.94.124 netmask 255.255.255.248 type rotary

ip nat inside source list VoIP pool VoIP overload

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload

ip nat inside source static 10.0.0.5 x.x.94.123 route-map SDM_RMAP_2

ip access-list extended VoIP

permit ip host 10.0.0.2 any

permit ip host 10.0.0.3 any

permit ip host 10.0.0.4 any

Thanks

Todd

Help with 3 different Nats on a 1800 firewall

Julio Carvajal — Wed, 17 Oct 2012 04:48:50 GMT

Hello Tyon,

Can you try what I wrote down on the order I wrote it,

Any other question..Sure,,Just remember to rate all of the support answers.

Help with 3 different Nats on a 1800 firewall

tyoungbauer — Wed, 17 Oct 2012 05:19:21 GMT

No I cannot. when I run this command

ip nat inside source list Workstation_B x.x.94.122 overload

I can only do

ip nat inside source list Workstation_B

and then I need to do interface or pool?

The config looks clsoe but I also need the workstation_B to go out x.x.94.124

Thanks

Todd

Help with 3 different Nats on a 1800 firewall

Julio Carvajal — Wed, 17 Oct 2012 06:08:27 GMT

Hello,

See what you mean

ip local pool TEST x.x.94.124 x.x.94.124

Now use that on the NAT.