10-28-2009 01:52 PM - edited 03-11-2019 09:33 AM
I'm trying to do some natting. My intention is to NAT a public address space (10.1.1.0 /25) subnet to a single address on my private network (192.168.1.10 /32).
The intent is to get the servers in the private subnet (VLAN'd) to respond to ANY server in the public subnet on the natted 192 address.
I'm thinking I can do this with the following config:
static (outside,inside) <10.1.1.0> <192.168.1.10> netmask 255.255.255.255
But I'm not sure that it will NAT ANY address in the 10.1.1.0 /25 subnet.
Any insight would be helpful...
Thanks.
Bruce
10-28-2009 02:08 PM
If I understand your requirements correctly, it is not possible. How would the NAT address know what IP to go to on the inside?
10-28-2009 02:16 PM
The source subnet (VLAN) is directly connected to the firewall, as is the destination subnet (VLAN). I'm thinking, for example:
server A 10.1.1.7 executes a packet destined for the 192.168.1.0 network, it gets NAT'd to 192.168.1.10,
a route on the firewall to the 192 subnet (also a connected VLAN) routes the traffic to the interface for the 192 address space.
No?
10-28-2009 02:26 PM
So are you looking to not NAT? If 10.1.1.7 sends a message to 192.168.1.10, it does not need to NAT. There is no translation between the subnets. If you wanted to NAT, let's use the subnet of 172.16.1.0/24, the 10.1.1.7 server would message 172.16.1.10, which in turn would be NAT'd to 192.168.1.10. Hope that makes sense.
10-28-2009 02:34 PM
Hmmm...
The intent is to get the 10.1.1.7 (and any other server in that /25 subnet) to the 192.168.1.0 /24 to give the appearance that all traffic from the 10.1.17 is being sourced as 192.168.1.10...
Does that make better sense? Maybe I didn't explain it correctly.
10-28-2009 03:01 PM
Sorry, after rereading this, I needed to clarify.
"to give the appearance that all traffic from the 10.1.1.0 /25 is being sourced as host address 192.168.1.10"
I'm not even sure that it can be done...
I want the hosts in the 192.168.1.0 /24 to ALWAYS talk back to 192.168.212.10 which NATs to ANY 10.1.1.0 /25...
Does that make sense?
10-28-2009 03:42 PM
I think this is your traffic flow
Outside (10.1.1.0/25) -> Inside (192.168.212.10)
But Inside sees Outside network as 192.168.1.0. Am I correct?
If yes, then you can do policy NAT
access-list NET10-1-1-0 extended permit ip 10.1.1.0 255.255.255.128 host 192.168.212.10
static (outside,inside) 192.168.1.0 access-list NET10-1-1-0
But the 192.168.1.0 will not be a /24, it will match the source on the ACL to be a /25.
HTH,
jerry
10-28-2009 04:54 PM
We got it...
We set the following:
global 
nat 
BAM worked like a champ...
thanks for all the responses
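The question raised earlier in the thread, how a single mapped address can stand in for a whole /25 and still get replies back to the right host, comes down to per-connection translation state. The following is an added illustration, not code or configuration from any poster: a toy Python model of many-to-one port address translation, in which the class name, port numbers and sample flows are all constructed, and which assumes the translation is dynamic PAT to one address.

```python
"""Toy model of many-to-one dynamic PAT (constructed example, not ASA code)."""
from ipaddress import ip_address, ip_network


class PatTable:
    def __init__(self, real_net, mapped_ip, first_port=1024):
        self.real_net = ip_network(real_net)  # sources the NAT rule matches
        self.mapped_ip = mapped_ip            # single address they appear as
        self.next_port = first_port           # next free mapped source port
        self.out = {}    # (real_ip, real_port) -> mapped_port
        self.back = {}   # mapped_port -> (real_ip, real_port)

    def translate(self, src_ip, src_port):
        """Source-translate a flow coming from the real subnet."""
        if ip_address(src_ip) not in self.real_net:
            return None  # source is outside the rule, no translation
        key = (src_ip, src_port)
        if key not in self.out:
            # New flow: allocate a unique mapped port and remember both ways.
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.mapped_ip, self.out[key])

    def untranslate(self, dst_ip, dst_port):
        """Map a reply sent to the mapped address back to the real host."""
        if dst_ip != self.mapped_ip:
            return None
        # No entry means no flow was opened from the real side, so the
        # device has no way to pick a real host for this packet.
        return self.back.get(dst_port)


def demo():
    pat = PatTable("10.1.1.0/25", "192.168.1.10")
    a = pat.translate("10.1.1.7", 40000)    # two real hosts, same source port
    b = pat.translate("10.1.1.99", 40000)
    reply_b = pat.untranslate(*b)           # reply to b's mapped port
    unsolicited = pat.untranslate("192.168.1.10", 5000)
    return a, b, reply_b, unsolicited


if __name__ == "__main__":
    print(demo())
```

Because every host in the /25 shows up as 192.168.1.10, logs on the 192.168.1.0/24 servers cannot tell the sources apart; the firewall's translation records are what tie a connection back to a real address.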
 
					
				
				
			
		