Lower security to higher security interface PAT.

arun.mohan
Level 1

Hi,

Can we have PAT with nat and global statements for source-NATting traffic from a lower-security interface to a higher-security one? If nat & global can't achieve this, what are the possibilities?

Thanks,

arun

varrao
Level 10

Well, you can do outside NAT for it; you would need to use the following commands:

nat (outside) 1 0.0.0.0 0.0.0.0 outside

global (inside) 1 interface

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Have you tried this and seen it working? Because in my case, access to a particular port needs to be PATed.

Thanks,

arun

Yes, it works fine and is a supported config, but can you elaborate on your requirement a little bit more?

Varun

Oh OK, great. Here is my case: I need to NAT both the source and the destination from one interface to the other.

For flow from MPLS --> Inside

Source on MPLS n/w: 192.168.1.100 (source will be all RFC 1918 subnets)

Destination on MPLS n/w: 10.1.1.100

Source on Inside n/w: 172.16.1.100 (all RFC 1918 subnet sources on MPLS will need to be translated to this IP)

Destination on Inside n/w: 172.31.2.100

The destination NAT is achieved through a static command from the higher to the lower interface.

Is this info helpful?

Thanks,

arun

svaish
Level 1

When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.

nat (outside) 1 network netmask outside

global (inside) 1 ip_address   <--- used for PAT
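
arun's MPLS-to-inside case written out with the commands given in the replies, as an added example that is not part of any post in this thread. It assumes the pre-8.3 nat/global/static syntax the thread uses, an interface named mpls with a lower security level than inside, and TCP port 443 as a stand-in for the port arun did not specify.

```cisco
! Added example, constructed from the addresses quoted in the thread.
! Assumptions: interface name "mpls", pre-8.3 NAT syntax,
! TCP/443 as a placeholder for the unspecified port.

! Source PAT (outside NAT): RFC 1918 sources arriving on the
! lower-security mpls interface are translated on their way to inside.
nat (mpls) 1 10.0.0.0 255.0.0.0 outside
nat (mpls) 1 172.16.0.0 255.240.0.0 outside
nat (mpls) 1 192.168.0.0 255.255.0.0 outside

! Every matching source is PATed to this single inside-side address.
global (inside) 1 172.16.1.100

! Destination NAT: inside host 172.31.2.100 is presented to the
! MPLS side as 10.1.1.100.
static (inside,mpls) 10.1.1.100 172.31.2.100 netmask 255.255.255.255

! Lower-to-higher traffic still needs an explicit permit. Allow only
! the required port, and only to the mapped address of the static.
access-list mpls_in extended permit tcp any host 10.1.1.100 eq 443
access-group mpls_in in interface mpls
```

After a test connection, `show xlate` should list the static entry for 10.1.1.100 and a PAT entry using 172.16.1.100.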