04-26-2013 12:15 PM - edited 03-11-2019 06:35 PM
I have a dynamic NAT below that allows web traffic from specified networks in group Inside-ext to be NATed to a single address below:
nat (inside,outside) source dynamic Inside-ext obj-10.50.50.1
Is it possible to have multiple dynamic NATs for other services like RDP, Citrix etc. to be NATed to different hosts?
04-26-2013 12:27 PM
Hi,
I think the Dynamic PAT you configured above applies to any TCP/UDP traffic heading from "inside" to "outside" for the hosts/networks specified under "Inside-ext".
Just to give a couple of examples of how we could do Dynamic PAT to different public IP addresses depending on the destination service/port.
Let's do for example
IP address/network information
Dynamic PAT Configurations for TCP/80 , TCP/443 and TCP/8080
object-group network WEB-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network PAT-1.1.1.2
 host 1.1.1.2
object service TCP80
 service tcp destination eq www
object service TCP443
 service tcp destination eq 443
object service TCP8080
 service tcp destination eq 8080
nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP80 TCP80
nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP443 TCP443
nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP8080 TCP8080
Dynamic PAT for TCP/3389
object-group network RDP-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network PAT-1.1.1.3
 host 1.1.1.3
object service TCP3389
 service tcp destination eq 3389
nat (inside,outside) source dynamic RDP-PAT-SOURCE PAT-1.1.1.3 service TCP3389 TCP3389
Naturally, as always, even though these configurations should work, you SHOULD ALWAYS look at the big picture and make sure that these don't break any existing functionality.
Hope this helps. Please mark the question as answered if it did, or rate helpful answers.
Naturally ask more if needed.
- Jouni
04-27-2013 11:00 AM
Thank you for your reply, I have just one question.
Is there a way to group the UDP and TCP ports together in a single group for the Citrix service, or do I have to list them individually?
04-27-2013 11:17 AM
Hi,
Seems to me that you can't use "object-group service
It seems to me that in its current state you will simply have to use a separate NAT statement with its port or range of ports per TCP/UDP if you want to configure it this way.
Please remember to mark the question as answered if it did, or rate helpful answers.
Naturally ask more if you need.
- Jouni
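Added example, not part of the thread or written by either poster: a small Python generator that emits one "object service" and one NAT statement per protocol/port, following the statement pattern from the first answer, so a mixed TCP/UDP service does not have to be typed out by hand. The object names CITRIX-PAT-SOURCE and PAT-1.1.1.4 and the Citrix port list are assumptions made for illustration; the generated lines should be reviewed against the existing NAT rule order before being applied.

```python
# Added example: builds per-protocol/per-port ASA statements in the style
# "nat (inside,outside) source dynamic <SRC> <PAT> service <SVC> <SVC>".

def service_object(proto, ports):
    """Return (name, config_lines) for one destination service object.
    ports is an int (single port) or a (low, high) tuple (port range)."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    low, high = ports if isinstance(ports, tuple) else (ports, ports)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port or range: {ports}")
    if low == high:
        name, match = f"{proto.upper()}{low}", f"eq {low}"
    else:
        name, match = f"{proto.upper()}{low}-{high}", f"range {low} {high}"
    return name, [f"object service {name}",
                  f" service {proto} destination {match}"]


def pat_config(source_group, pat_object, services,
               real_if="inside", mapped_if="outside"):
    """Build the service objects followed by one NAT statement per service."""
    objects, nats, seen = [], [], set()
    for proto, ports in services:
        name, lines = service_object(proto, ports)
        if name in seen:  # the same protocol/port listed twice: emit once
            continue
        seen.add(name)
        objects.extend(lines)
        nats.append(f"nat ({real_if},{mapped_if}) source dynamic "
                    f"{source_group} {pat_object} service {name} {name}")
    return objects + nats


# Constructed sample input: commonly used Citrix ports (an assumption,
# not taken from the thread). Adjust to the deployment in question.
CITRIX = [("tcp", 1494), ("tcp", 2598), ("udp", 1604)]

if __name__ == "__main__":
    # CITRIX-PAT-SOURCE and PAT-1.1.1.4 are hypothetical object names.
    print("\n".join(pat_config("CITRIX-PAT-SOURCE", "PAT-1.1.1.4", CITRIX)))
```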
04-27-2013 11:42 AM
Thanks very much for your help on this, much appreciated!