08-10-2010 01:15 PM - edited 03-11-2019 11:23 AM
How can I do this:
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0
static (production,outside) 172.16.11.200 access-list AL200 0 0
08-10-2010 01:16 PM
Forgot to mention that I need to do this on a Cisco PIX 506e
08-10-2010 01:54 PM
So what I am trying to do is not possible?
08-10-2010 02:13 PM
You are unable to do this in PIX506 - 6.x code?
-KS
08-10-2010 01:52 PM
Hello Rick,
Since static NAT creates one-to-one mappings by definition, you cannot translate the traffic from two hosts to the same IP. You need to either provision several mapped addresses for the static mapping or use dynamic policy NAT instead:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
Andrew
08-10-2010 01:55 PM
So what you are trying to say is that it is not possible at all? I don't understand; could you give me some directions?
08-10-2010 01:59 PM
You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:
nat (production) 11 access-list AL200
global (outside) 11 172.16.11.200
Andrew
08-10-2010 02:05 PM
Thank you so much, this worked like a charm.
What kind of problems could this give?
08-10-2010 02:10 PM
Glad it helped! It is a fairly standard NAT configuration, so it should work without problems. The only caveat is that you cannot initiate reverse connections from outside between the hosts and subnets identified in the ACL.
Andrew
08-10-2010 02:17 PM
I don't really understand your last post. Does this mean no traffic could come in on 172.16.11.200?
08-10-2010 02:19 PM
That is correct, you cannot initiate inbound connections to 172.16.11.200. This is the main property of dynamic PAT. In order to initiate inbound connections, you must have one-to-one mapping with either one IP per inside host or one port per inside service (static PAT).
Andrew
08-10-2010 02:23 PM
Hmmmm, that's gonna be a problem because these rules initiate from both sides:
access-list AL200 permit ip host 172.16.11.26 host TMGGSNnew
access-list AL200 permit ip host 172.16.11.26 TMmeterpool 255.255.240.0
Is there a work-around for this?
08-10-2010 02:26 PM
The workaround is to dedicate one mapped (public) IP to each inside (private) host. I.e.:
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
access-list AL201 permit ip host 172.16.11.26 host GGSNnew
access-list AL201 permit ip host 172.16.11.26 Meterpool 255.255.240.0
static (production,outside) 172.16.11.200 access-list AL200
static (production,outside) 172.16.11.201 access-list AL201
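The three configurations discussed in this thread (the original single static with two inside hosts, Andrew's policy PAT, and the one-mapped-IP-per-host workaround) can be checked with a small model of the PIX 6.x rules involved. The code below is an added example, not from the original posts or from Cisco; it parses the thread's own `access-list`, `static`, `nat` and `global` lines and adds `name` entries with constructed addresses for the symbolic hosts and subnets (Units, Routers, IMSA, EIserver, GGSNnew, Meterpool), whose real addresses the thread never gives. It reports the one-to-one violation in the original static, shows that policy PAT translates both hosts outbound but allows no inbound initiation to the mapped address, and confirms the workaround is bidirectional again.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder addresses for the thread's named objects (not real values).
NAMES = """name 10.10.0.0 Units
name 10.20.0.0 Routers
name 10.30.0.5 IMSA
name 10.30.0.6 EIserver
name 10.40.0.7 GGSNnew
name 10.50.0.0 Meterpool
"""
ACL_27 = """access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver
"""
ACL_26 = """access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0
"""
# 1) The original post: one static, two inside hosts (violates one-to-one).
ORIGINAL = NAMES + ACL_27 + ACL_26 + "static (production,outside) 172.16.11.200 access-list AL200 0 0\n"
# 2) Andrew's policy PAT: outbound only, any number of inside hosts.
POLICY_PAT = NAMES + ACL_27 + ACL_26 + "nat (production) 11 access-list AL200\nglobal (outside) 11 172.16.11.200\n"
# 3) The workaround: one mapped IP per inside host, each with its own static.
WORKAROUND = NAMES + ACL_27 + ACL_26.replace("AL200", "AL201") + (
    "static (production,outside) 172.16.11.200 access-list AL200\n"
    "static (production,outside) 172.16.11.201 access-list AL201\n")

@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Config:
    names: dict = field(default_factory=dict)     # symbolic name -> IP string
    acls: dict = field(default_factory=dict)      # ACL name -> [Ace]
    statics: list = field(default_factory=list)   # (mapped_ip, acl_name), in order
    nats: dict = field(default_factory=dict)      # nat id -> acl_name
    globals_: dict = field(default_factory=dict)  # nat id -> mapped_ip

def _endpoint(cfg, t, i):
    """Parse one ACL endpoint starting at t[i]: 'host X', 'any' or 'X MASK'."""
    if t[i] == "host":
        return ipaddress.ip_network(cfg.names.get(t[i + 1], t[i + 1])), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr = cfg.names.get(t[i], t[i])
    return ipaddress.ip_network((addr, t[i + 1]), strict=False), i + 2

def parse_config(text):
    """Build a Config from the subset of PIX 6.x syntax used in the thread."""
    cfg = Config()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                       # name <ip> <symbol>
            cfg.names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _endpoint(cfg, t, 4)        # t[3] is the protocol ('ip')
            dst, _ = _endpoint(cfg, t, i)
            cfg.acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[0] == "static":                   # static (real,mapped) MAPPED access-list ACL [...]
            cfg.statics.append((t[2], t[4]))
        elif t[0] == "nat":                      # nat (real) ID access-list ACL
            cfg.nats[t[2]] = t[4]
        elif t[0] == "global":                   # global (mapped) ID MAPPED
            cfg.globals_[t[2]] = t[3]
    return cfg

def static_conflicts(cfg):
    """Policy static is one-to-one: flag any mapped IP whose ACL names more than one real source."""
    bad = []
    for mapped, acl in cfg.statics:
        reals = sorted({str(a.src) for a in cfg.acls.get(acl, [])})
        if len(reals) > 1:
            bad.append((mapped, reals))
    return bad

def translate_outbound(cfg, src, dst):
    """Return (mapped_ip, bidirectional) for an inside src -> dst flow, or (None, False)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    def hits(acl):
        return any(s in a.src and d in a.dst for a in cfg.acls.get(acl, []))
    for mapped, acl in cfg.statics:              # static entries take precedence over nat/global
        if hits(acl):
            return mapped, True
    for nat_id, acl in cfg.nats.items():         # dynamic policy PAT: one-way, outbound only
        if hits(acl) and nat_id in cfg.globals_:
            return cfg.globals_[nat_id], False
    return None, False

def inbound_initiation_allowed(cfg, mapped_ip):
    """Only a static (one-to-one) mapping lets the outside open connections to a mapped IP."""
    return any(m == mapped_ip for m, _ in cfg.statics)

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("policy PAT", POLICY_PAT), ("workaround", WORKAROUND)):
        cfg = parse_config(text)
        print(label, "conflicts:", static_conflicts(cfg),
              "| .26->GGSNnew:", translate_outbound(cfg, "172.16.11.26", "10.40.0.7"),
              "| inbound to .200:", inbound_initiation_allowed(cfg, "172.16.11.200"))
```

Running it shows the original static listing both 172.16.11.26 and 172.16.11.27 behind 172.16.11.200, the policy PAT variant translating both hosts with `bidirectional=False`, and the workaround translating each host through its own static so inbound initiation works again. The model deliberately ignores ordering subtleties of real PIX translation lookup beyond "static before nat/global"; it exists to make the one-to-one and one-way properties from the thread concrete, not to replace the Cisco command reference linked above.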
08-10-2010 02:29 PM
172.16.11.201 doesn't have access to the VPNs... so that's a no go...
The problem is that on the old server we had 2 environments which went to 3 VPNs... all using the 200 NAT. Now we made two new servers (one goes to 2 VPNs and one goes to the third). They still need to do so with the 200 NAT.