Multiple hosts in policy NAT

RvanRouwendaal
Level 1

How can I do this:

access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver

access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0

static (production,outside) 172.16.11.200 access-list AL200 0 0


RvanRouwendaal
Level 1

Forgot to mention that I need to do this on a Cisco PIX 506e.

So what I am trying to do is not possible?

You are unable to do this in PIX506 - 6.x code?

-KS

Andrew Ossipov
Cisco Employee

Hello Rick,

Since static NAT creates one-to-one mappings by definition, you cannot translate the traffic from two hosts to the same IP. You need to either provision several mapped addresses for the static mapping or use dynamic policy NAT instead:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

Andrew

RvanRouwendaal
Level 1

So what you are trying to say is that it is not possible at all? I don't understand; could you give me some directions?

You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:

nat (production) 11 access-list AL200

global (outside) 11 172.16.11.200

Andrew

RvanRouwendaal
Level 1

Thank you so much, this worked like a charm.

What kind of problems could this give?

Glad it helped! It is a fairly standard NAT configuration, so it should work without problems. The only caveat is that you cannot initiate reverse connections from outside between the hosts and subnets identified in the ACL.

Andrew

RvanRouwendaal
Level 1

I don't really understand your last post. Does this mean no traffic could come in on 172.16.11.200?

That is correct, you cannot initiate inbound connections to 172.16.11.200. This is the main property of dynamic PAT. In order to initiate inbound connections, you must have a one-to-one mapping with either one IP per inside host or one port per inside service (static PAT).

Andrew

RvanRouwendaal
Level 1

Hmmmm, that's going to be a problem because these rules initiate from both sides:

access-list AL200 permit ip host 172.16.11.26 host TMGGSNnew
access-list AL200 permit ip host 172.16.11.26 TMmeterpool 255.255.240.0

Is there a work-around for this?

The workaround is to dedicate one mapped (public) IP to each inside (private) host, i.e.:

access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver

access-list AL201 permit ip host 172.16.11.26 host GGSNnew
access-list AL201 permit ip host 172.16.11.26 Meterpool 255.255.240.0

static (production,outside) 172.16.11.200 access-list AL200

static (production,outside) 172.16.11.201 access-list AL201
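To make the difference between the dynamic PAT and the per-host static mapping concrete, here is a small Python model written for this thread (added example, not PIX code and not from the original posts). The page never gives addresses for the Units, GGSNnew and Meterpool objects, so those values are assumed stand-ins.

```python
import ipaddress
# Constructed model of the PIX 6.x NAT behaviour discussed above (not PIX code).
# Units, GGSNnew and Meterpool have no addresses on the page: assumed stand-ins.
UNITS = "10.10.0.0/18"      # assumed: 'Units 255.255.192.0'
GGSNNEW = "10.50.1.10/32"   # assumed: 'host GGSNnew'
METERPOOL = "10.60.0.0/20"  # assumed: 'Meterpool 255.255.240.0'
# One (inside host, permitted destination) tuple per access-list line
AL200_BOTH = [("172.16.11.27", UNITS), ("172.16.11.26", GGSNNEW),
              ("172.16.11.26", METERPOOL)]
AL200_27 = [r for r in AL200_BOTH if r[0] == "172.16.11.27"]
AL201_26 = [r for r in AL200_BOTH if r[0] == "172.16.11.26"]

def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Pix:
    def __init__(self):
        self.static = []   # static (production,outside) MAPPED access-list ACL
        self.dynamic = []  # nat (production) N access-list ACL + global (outside) N MAPPED
        self.xlate = {}    # PAT slots: (mapped_ip, mapped_port) -> (inside_ip, port)
        self.next_port = 1024

    def outbound(self, src, sport, dst):
        for rules, mapped in self.static:
            if any(src == h and _in_net(dst, n) for h, n in rules):
                return (mapped, sport)           # one-to-one: port unchanged
        for rules, mapped in self.dynamic:
            if any(src == h and _in_net(dst, n) for h, n in rules):
                slot = (mapped, self.next_port)
                self.next_port += 1
                self.xlate[slot] = (src, sport)  # slot exists only after outbound
                return slot
        return None                              # no matching NAT rule: not translated

    def inbound(self, src, dst, dport):
        for rules, mapped in self.static:
            if dst == mapped:                    # static: untranslate with no prior xlate
                for inside, net in rules:
                    if _in_net(src, net):
                        return (inside, dport)
        return self.xlate.get((dst, dport))      # dynamic PAT: existing slot or drop

def dynamic_pat():      # nat (production) 11 access-list AL200 / global (outside) 11 172.16.11.200
    pix = Pix()
    pix.dynamic.append((AL200_BOTH, "172.16.11.200"))
    return pix

def static_per_host():  # static ... 172.16.11.200 access-list AL200 / ... 172.16.11.201 access-list AL201
    pix = Pix()
    pix.static += [(AL200_27, "172.16.11.200"), (AL201_26, "172.16.11.201")]
    return pix
```

With the dynamic PAT, a connection from GGSNnew to 172.16.11.200 is dropped until 172.16.11.26 has opened a slot outbound; with the per-host static mappings, the same connection to 172.16.11.201 untranslates to 172.16.11.26 immediately.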

RvanRouwendaal
Level 1

172.16.11.201 doesn't have access to the VPNs... so that's a no go...

The problem is that on the old server we had 2 environments which went to 3 VPNs... all using the 200 NAT. Now we made two new servers (1 goes to 2 VPNs and 1 goes to the third). They still need to do so with the 200 NAT.
