topic Re: different static nat for same source on router in Network Security

different static nat for same source on router

Mike Schooley — Mon, 11 Mar 2019 20:12:25 GMT

can i nat lets say 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination. I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100. I was using static nat, but perhaps if i defined a nat pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y. hmmmm.

Re: different static nat for same source on router

Jon Marshall — Fri, 25 Mar 2011 12:47:28 GMT

msch00ley wrote:
can i nat lets say 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination.  I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100.    I was using static nat, but perhaps if i defined a nat pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y.   hmmmm.

Mike

access-list pnat1 permit ip host 10.10.10.100 host 20.20.20.100

access-list pnat2 permit ip host 10.10.10..100 host 30.30.30.100

static (inside,outside) 10.20.20.100 access-list pnat1

static (inside,outside) 10.30.30.100 access-list pnat2

Jon

Re: different static nat for same source on router

Mike Schooley — Fri, 25 Mar 2011 13:51:31 GMT

that looks like asa nat statement, not router????

Re: different static nat for same source on router

Jon Marshall — Fri, 25 Mar 2011 16:02:14 GMT

msch00ley wrote:
can i nat lets say 10.10.10.100 on the inside to 10.20.20.100 for one destination and 10.30.30.100 for another destination.  I would like to use an access list and say something like permit ip host 10.10.10.100 host 20.20.20.100, then nat 10 10.20.20.100, then permit ip host 10.10.10.100 host 30.30.30.100 then nat to 10.30.30.100.    I was using static nat, but perhaps if i defined a nat pool with a single address and did an ip nat source list x pool x then ip nat source list y pool y.   hmmmm.

Mike

Good point, it is for an ASA, sorry -

access-list 101 permit ip host 10.10.10.100 host 20.20.20.100

access-list 102 permit ip host 10.10.10.100 host 30.30.30.100

route-map PNAT1 permit 10

match ip address 101

route-map PNAT2 permit 10

match ip address 102

ip nat inside source static 10.10.10.100 10.20.20.100 route-map PNAT1

ip nat inside source static 10.10.10.100 10.30.30.100 route-map PNAT2

Note that support for using route-maps with static translations was added with 12.4(T) so if your IOS is earlier than that then you would need to use IP nat pools eg.

ip nat pool PNAT1 10.20.20.100 10.20.20.100 prefix-length 30

ip nat pool PNAT2 10.30.30.100 10.30.30.100 prefix-lenght 30

same access-lists and route-maps as above

ip nat inside source route-map PNAT1 pool PNAT1

ip nat inside source route-map PNAT2 pool PNAT2

Jon

Re: different static nat for same source on router

Mike Schooley — Thu, 31 Mar 2011 19:32:13 GMT

didnt work, the 1st one did, the access-list was matched for both, but wouldnt put a translation for same inside local to different outside local

did a clear translations and it pinged using 2nd destination, but then 1st destination wouldnt work.

Re: different static nat for same source on router

Jon Marshall — Fri, 01 Apr 2011 11:35:31 GMT

msch00ley wrote:

didnt work, the 1st one did, the access-list was matched for both, but wouldnt put a translation for same inside local to different outside local

did a clear translations and it pinged using 2nd destination, but then 1st destination wouldnt work.

Okay, i labbed it up using dynamips with 12.4(21a) and it worked fine in my lab. I basically had this setup -

R1 connected to R2.

R2 connected to R3 and R4.

on R3 loopback address of 10.10.10.1

on R4 loopback address of 11.11.11.1

R1 source address was 192.168.5.1

config on R2

access-list 101 permit ip host 192.168.5.1 host 10.10.10.1

access-list 102 permit ip host 192.168.5.1 host 11.11.11.1

route-map PNAT1 permit 10

match ip address 101

route-map PNAT2 permit 10

match ip address 102

ip nat inside source static 192.168.5.1 192.168.22.1 route-map PNAT1

ip nat inside source static 192.168.5.1 192.168.23.1 route-map PNAT2

i then used ping and telnet to connect from R1 to R3 & R4 and the ip nat translation table on R2 looked like this -

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.22.1:42312 192.168.5.1:42312 10.10.10.1:23      10.10.10.1:23
tcp 192.168.23.1:47667 192.168.5.1:47667 11.11.11.1:23      11.11.11.1:23
--- 192.168.22.1       192.168.5.1        ---                ---
--- 192.168.23.1       192.168.5.1        ---                ---

i also did debugs on R3 & R4 to check the source IP of the packet and it was as expected.

So not sure why yours isn't working. What IOS are you running ? What is your topology like ?

Jon

Re: different static nat for same source on router

Mike Schooley — Fri, 01 Apr 2011 12:43:49 GMT

you are correct, but you

have to use route-maps, using just list doesnt work per

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Re: different static nat for same source on router

Jon Marshall — Fri, 01 Apr 2011 13:25:19 GMT

msch00ley wrote:

you are correct, but you

have to use route-maps, using just list doesnt work per

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Mike

Sorry, you have lost me there. My original example did use route-maps ?

Thanks for rating.

Jon

Re: different static nat for same source on router

Mike Schooley — Fri, 01 Apr 2011 13:41:33 GMT

yes your original example did you route maps, I was just noting that it wont work with lists and pro

viding the documentation of why.