policy nat address pool

mickyq
Level 1

I have an internal firewall between two private networks.

I want all addressing on the inside to use the global, and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses.

The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works.

Here's the config:

global (outside) 1 10.130.29.2

nat (inside) 1 access-list nat

access-list nat deny ip host 10.7.2.206 any

access-list nat deny ip host 10.7.2.207 any

access-list nat permit ip any any

I've added:

object-group network SERVERS

  network-object host 195.104.88.151

  network-object host 195.104.88.152

  network-object host 195.104.88.153

access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23

global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128

nat (inside) 2 access-list serv_acl

The SERVERS are destined for another network beyond the firewall, but I need to translate any address from the internal to pool 2. I can connect using the global, but after applying the added config above the connection is still using the global. The xlate was cleared.

Is the subnet mask correct for the pool?

Any help appreciated.

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?

I think this is because of the NAT ordering.

I am not sure if the "ID" of the NAT configuration has any meaning, but I would try changing the NAT configuration in the following way:

no global (outside) 1 10.130.29.2

no nat (inside) 1 access-list nat

global (outside) 100 10.130.29.2

nat (inside) 100 access-list nat

Then perhaps "clear xlate" if situation permits.

This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.

Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.

Can you try this out and see how it goes?

- Jouni

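To see why the original order swallowed the telnet traffic, here is a small first-match model of the two NAT rules, written as an added example for this thread (not Cisco code and not the poster's). It assumes, as Jouni's answer does, that policy NAT rules are tried in configuration order and the first ACL permit wins; the addresses, ACLs and pools are the ones quoted in the question, and the inside host 10.7.2.10 is a constructed sample.

```python
from ipaddress import ip_address, ip_network

# ACLs transcribed from the question: (action, proto, src prefix, dst, dport);
# dst is "any" or the set of hosts in object-group SERVERS.
SERVERS = {"195.104.88.151", "195.104.88.152", "195.104.88.153"}
ACL_NAT = [
    ("deny", "ip", "10.7.2.206/32", "any", None),
    ("deny", "ip", "10.7.2.207/32", "any", None),
    ("permit", "ip", "0.0.0.0/0", "any", None),
]
ACL_SERV = [("permit", "tcp", "10.0.0.0/8", SERVERS, 23)]
POOL_PAT = "10.130.29.2"                     # global (outside) 1
POOL_SERV = "10.130.29.117-10.130.29.126"    # global (outside) 2

# Rule lists in configuration order: (nat_id, acl, pool).
ORIGINAL = [(1, ACL_NAT, POOL_PAT), (2, ACL_SERV, POOL_SERV)]
REORDERED = [(2, ACL_SERV, POOL_SERV), (100, ACL_NAT, POOL_PAT)]  # Jouni's fix


def acl_verdict(acl, src, dst, proto, dport):
    """First matching ACL entry decides: 'permit', 'deny' or None (no match)."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ip_address(src) not in ip_network(asrc):
            continue
        if adst != "any" and dst not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return None


def pick_nat_rule(rules, src, dst, proto="tcp", dport=23):
    """Model (an assumption, not vendor code) of first-match policy NAT:
    rules are tried in order, the first ACL permit wins, and a deny in one
    rule's ACL only skips that rule. Returns (nat_id, pool) or (None, None)."""
    for nat_id, acl, pool in rules:
        if acl_verdict(acl, src, dst, proto, dport) == "permit":
            return nat_id, pool
    return None, None


if __name__ == "__main__":
    flow = ("10.7.2.10", "195.104.88.151")  # constructed inside host, telnet
    print("original order:", pick_nat_rule(ORIGINAL, *flow))   # ID 1, PAT
    print("reordered     :", pick_nat_rule(REORDERED, *flow))  # ID 2, pool
```

With the original order the "permit ip any any" rule claims the telnet flow first; once the policy rule is listed first, only port 23 to the SERVERS hosts uses the pool and everything else still falls through to the PAT address.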

2 Replies

Thanks Jouni

You were exactly right.

The first policy had 'ip any any', which of course catches all traffic. I changed the order and it works fine.

Thanks again

michael
