https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324812#M857811 <HTML><HEAD></HEAD><BODY><P>I think this is your traffic flow</P><P></P><P>Outside (10.1.1.0/25) -&gt; Inside (192.168.212.10)</P><P></P><P>But Inside sees Outside network as 192.168.1.0. Am I correct?</P><P></P><P>If yes, then you can do policy NAT</P><P></P><P><B>access-list NET10-1-1-0 extended permit ip 10.1.1.0 255.255.255.128 host 192.168.212.10</B></P><P></P><P>static (outside,inside) 192.168.1.0 access-list NET10-1-1-0</P><P></P><P>But the 192.168.1.0 will not be a /24, it will match the source on the ACL to be a /25.</P><P></P><P>HTH,</P><P>jerry</P></BODY></HTML> Wed, 28 Oct 2009 22:42:40 GMT Jerry Ye 2009-10-28T22:42:40Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324806#M857802 <P>I'm trying to do some natting. My intention is to NAT a public address space (10.1.1.0 /25) subnet to a single address on my private network (192.168.1.10 /32).</P><P></P><P>the intent is to get the servers in the private subnet (VLAN'd) to respond to ANY server in the public subnet on the natted 192 address.</P><P></P><P>I'm thinking I can do this with the following config:</P><P></P><P></P><P>static (outside,inside) &lt;10.1.1.0&gt; &lt;192.168.1.10&gt; netmask 255.255.255.255</P><P></P><P>but, i'm not sure that it will NAT ANY address in the 10.1.1.0 /25 subnet..</P><P></P><P>Any insight would be helpful...</P><P></P><P>thanks.</P><P></P><P>Bruce</P> Mon, 11 Mar 2019 16:33:10 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324806#M857802 Bruce Summers 2019-03-11T16:33:10Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324807#M857804 <HTML><HEAD></HEAD><BODY><P>If I understand your requirements correctly, it is not possible. How would the NAT address know what IP to go to on the inside?</P></BODY></HTML> Wed, 28 Oct 2009 21:08:51 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324807#M857804 Collin Clark 2009-10-28T21:08:51Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324808#M857806 <HTML><HEAD></HEAD><BODY><P>the source subnet (VLAN) is direct connect to the firewall as is the destination subnet (VLAN). I'm thinking, for example:</P><P></P><P>server A 10.1.1.7; executes a packet destined for the 192.168.1.0 network, it gets NAT'd to 192.168.1.10, </P><P>a route on the firewall to the 192 subnet (also connected VLAN) routes the traffic to the interface for the 192 address space..</P><P></P><P>No?</P></BODY></HTML> Wed, 28 Oct 2009 21:16:46 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324808#M857806 Bruce Summers 2009-10-28T21:16:46Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324809#M857808 <HTML><HEAD></HEAD><BODY><P>So are you looking to not NAT? If 10.1.1.7 sends a message to 192.168.1.10, it does not need to NAT. There is no tranlsation between the subnets. If you wanted to NAT, let's use the subnet of 172.16.1.0/24, the 10.1.1.7 server would message 172.16.1.10, which in turn would be NAT'd to 192.168.1.10. Hope that make sense.</P></BODY></HTML> Wed, 28 Oct 2009 21:26:35 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324809#M857808 Collin Clark 2009-10-28T21:26:35Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324810#M857809 <HTML><HEAD></HEAD><BODY><P>hmmm...</P><P></P><P>the intent is to get the 10.1.1.7 (and any other server in that /25 subnet) to the 192.168.1.0 /24 to give the appearance that all traffic from the 10.1.17 is being sourced as 192.168.1.10...</P><P></P><P>does that make better sense...maybe i didnt explain it correctly</P></BODY></HTML> Wed, 28 Oct 2009 21:34:20 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324810#M857809 Bruce Summers 2009-10-28T21:34:20Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324811#M857810 <HTML><HEAD></HEAD><BODY><P>sorry, after rereading this, i needed to clarify.</P><P></P><P>"to give the appearce that all traffic from the 10.1.1.0 /25 is being sourced as host address 192.168.1.10"</P><P></P><P>I'm not even sure that it can be done...</P><P></P><P>i want the hosts in the 192.168.1.0 /24 to ALWAYS talk back to 192.168.212.10 which NATs to ANY 10.1.1.0 /25...</P><P></P><P>does that make sense??</P></BODY></HTML> Wed, 28 Oct 2009 22:01:34 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324811#M857810 Bruce Summers 2009-10-28T22:01:34Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324812#M857811 <HTML><HEAD></HEAD><BODY><P>I think this is your traffic flow</P><P></P><P>Outside (10.1.1.0/25) -&gt; Inside (192.168.212.10)</P><P></P><P>But Inside sees Outside network as 192.168.1.0. Am I correct?</P><P></P><P>If yes, then you can do policy NAT</P><P></P><P><B>access-list NET10-1-1-0 extended permit ip 10.1.1.0 255.255.255.128 host 192.168.212.10</B></P><P></P><P>static (outside,inside) 192.168.1.0 access-list NET10-1-1-0</P><P></P><P>But the 192.168.1.0 will not be a /24, it will match the source on the ACL to be a /25.</P><P></P><P>HTH,</P><P>jerry</P></BODY></HTML> Wed, 28 Oct 2009 22:42:40 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324812#M857811 Jerry Ye 2009-10-28T22:42:40Z https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324813#M857812 <HTML><HEAD></HEAD><BODY><P>we got it...</P><P></P><P>we set the following</P><P></P><P>global <INTERFACE in="" which="" we="" want="" the="" source="" to="" be=""> 1 interface</INTERFACE></P><P></P><P>nat <ACTUAL interface=""> 1 access-list <ACL name=""></ACL></ACTUAL></P><P></P><P>BAM worked like a champ...</P><P></P><P>thanks for all the responses</P></BODY></HTML> Wed, 28 Oct 2009 23:54:39 GMT https://community.cisco.com/t5/network-security/firewall-nat/m-p/1324813#M857812 Bruce Summers 2009-10-28T23:54:39Z