https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454161#M637751 <HTML><HEAD></HEAD><BODY><P>You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:</P><P></P><P>nat (production) 11 access-list AL200</P><P>global (outside) 11 172.16.11.200</P><P></P><P>Andrew</P></BODY></HTML> Tue, 10 Aug 2010 20:59:12 GMT Andrew Ossipov 2010-08-10T20:59:12Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454156#M637746 <P>how can i do this:</P><P>access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0 <BR />access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248 <BR />access-list AL200 permit ip host 172.16.11.27 host IMSA <BR />access-list AL200 permit ip host 172.16.11.27 host EIserver</P><P>access-list AL200 permit ip host 172.16.11.26 host GGSNnew <BR />access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0</P><P></P><P>static (production,outside) 172.16.11.200 access-list AL200 0 0</P> Mon, 11 Mar 2019 18:23:32 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454156#M637746 RvanRouwendaal 2019-03-11T18:23:32Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454157#M637747 <HTML><HEAD></HEAD><BODY><P>Forgot to mention that i need to do this on a Cisco PIX 506e</P></BODY></HTML> Tue, 10 Aug 2010 20:16:33 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454157#M637747 RvanRouwendaal 2010-08-10T20:16:33Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454158#M637748 <HTML><HEAD></HEAD><BODY><P>Hello Rick,</P><P></P><P>Since static NAT creates one-to-one mappings by definition, you cannot translate the traffic from two hosts to the same IP. You need to either provision several mapped addresses for the static mapping or use dynamic policy NAT instead:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129">http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129</A></P><P></P><P>Andrew</P></BODY></HTML> Tue, 10 Aug 2010 20:52:23 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454158#M637748 Andrew Ossipov 2010-08-10T20:52:23Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454159#M637749 <HTML><HEAD></HEAD><BODY><P>So what i am trying to do is not possible?</P></BODY></HTML> Tue, 10 Aug 2010 20:54:28 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454159#M637749 RvanRouwendaal 2010-08-10T20:54:28Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454160#M637750 <HTML><HEAD></HEAD><BODY><P>so what you are trying to say it is not possible at all? i dont understand could you give me some directions?</P></BODY></HTML> Tue, 10 Aug 2010 20:55:56 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454160#M637750 RvanRouwendaal 2010-08-10T20:55:56Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454161#M637751 <HTML><HEAD></HEAD><BODY><P>You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:</P><P></P><P>nat (production) 11 access-list AL200</P><P>global (outside) 11 172.16.11.200</P><P></P><P>Andrew</P></BODY></HTML> Tue, 10 Aug 2010 20:59:12 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454161#M637751 Andrew Ossipov 2010-08-10T20:59:12Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454162#M637752 <HTML><HEAD></HEAD><BODY><P>thank you so much this worked as a charm.</P><P>What kind off problems could this give?</P></BODY></HTML> Tue, 10 Aug 2010 21:05:53 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454162#M637752 RvanRouwendaal 2010-08-10T21:05:53Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454163#M637753 <HTML><HEAD></HEAD><BODY><P>Glad it helped! It is a fairly standard NAT configuration, so it should work without problems. The only caveat is that you cannot initiate reverse connections from outside between the hosts and subnets identified in the ACL.</P><P></P><P>Andrew</P></BODY></HTML> Tue, 10 Aug 2010 21:10:01 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454163#M637753 Andrew Ossipov 2010-08-10T21:10:01Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454164#M637754 <HTML><HEAD></HEAD><BODY><P>You are unable to do this in PIX506 - 6.x code?</P><P></P><P>-KS</P></BODY></HTML> Tue, 10 Aug 2010 21:13:25 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454164#M637754 Kureli Sankar 2010-08-10T21:13:25Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454165#M637755 <HTML><HEAD></HEAD><BODY><P>I dont really understand your last post. Does this mean no traffic could come in on 172.16.11.200?</P></BODY></HTML> Tue, 10 Aug 2010 21:17:38 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454165#M637755 RvanRouwendaal 2010-08-10T21:17:38Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454166#M637756 <HTML><HEAD></HEAD><BODY><P>That is correct, you cannot initiate inbound connections to 172.16.11.200. This is the main property of dynamic PAT. In order to initiate inbound connections, you must have one-to-one mapping with either one IP per inside host or one port per inside service (static PAT).</P><P></P><P>Andrew</P></BODY></HTML> Tue, 10 Aug 2010 21:19:49 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454166#M637756 Andrew Ossipov 2010-08-10T21:19:49Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454167#M637757 <HTML><HEAD></HEAD><BODY><P>hmmmm thats gonna be a problem cause these rules initiate from both sides:</P><P>access-list AL200 permit ip host 172.16.11.26 host TMGGSNnew <BR />access-list AL200 permit ip host 172.16.11.26 TMmeterpool 255.255.240.0</P><P></P><P>i there a work-around for this?</P></BODY></HTML> Tue, 10 Aug 2010 21:23:54 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454167#M637757 RvanRouwendaal 2010-08-10T21:23:54Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454168#M637758 <HTML><HEAD></HEAD><BODY><P>The workaround is to dedicate one mapped (public) IP to each inside (private) host. I.e.:</P><P></P><P>access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0 <BR />access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248 <BR />access-list AL200 permit ip host 172.16.11.27 host IMSA <BR />access-list AL200 permit ip host 172.16.11.27 host EIserver</P><P></P><P>access-list AL201 permit ip host 172.16.11.26 host GGSNnew <BR />access-list AL201 permit ip host 172.16.11.26 Meterpool 255.255.240.0</P><P></P><P>static (production,outside) 172.16.11.200 access-list AL200</P><P>static (production,outside) 172.16.11.201 access-list AL201</P></BODY></HTML> Tue, 10 Aug 2010 21:26:10 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454168#M637758 Andrew Ossipov 2010-08-10T21:26:10Z https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454169#M637759 <HTML><HEAD></HEAD><BODY><P>172.16.11.201 doesnt have access to the VPNs... so thats a no go...</P><P></P><P>The problem is that on the old server we had 2 environments which went to 3 VPNS... all using the 200 NAT. Now we made two new server (1 goes to 2 vpns and 1 goes to the third). They still need to do so with the 200 NAT</P></BODY></HTML> Tue, 10 Aug 2010 21:29:26 GMT https://community.cisco.com/t5/network-security/multiple-hosts-in-policy-nat/m-p/1454169#M637759 RvanRouwendaal 2010-08-10T21:29:26Z