NAT Question

thamer
Level 1

Hi all,

I have a remote facility that we provide internet access for and now I need to provide them with connectivity to a 3rd party via VPN Tunnel.

For internet access I have in the PIX v6.3:

nat (inside) 1 1.3.3.0 255.255.254.0
global (outside) 1 1.1.1.254

Since I believe I cannot have a second NAT on the same interface (inside), I created this for the VPN tunnel:

static (inside,tunnels) 1.3.3.0 1.3.3.0 netmask 255.255.254.0
nat (tunnels) 108 1.3.3.0 255.255.254.0
global (tunnels) 108 1.2.3.10

When I look at my concentrator I see the connection going out the tunnel, but it is in its natural number and not the NAT address. Is there a way to accomplish this? Or did I do something wrong... I'm new to firewalling, so that would not be out of the realm of possibilities. Thanks!

3 Replies

dbellaze
Level 4

You can have more than one NAT/Global statement per interface. They just need to have different IDs.

Daniel

When I try to enter another nat on the inside interface I get a message:

nat (inside) 12 1.3.3.0 255.255.254.0
ERROR: Duplicate NAT entry
ERROR: fail to insert nat entry

johansens
Level 4

If you use different egress interfaces, you'll have to use the same NAT ID. The NAT ID is a global NAT identifier which identifies, as a minimum, the source addresses (it can be extended to identify destination addresses and protocol with source/destination ports as well, as used in Policy NAT):

nat (inside) 1 1.3.3.0 255.255.254.0
global (outside) 1 1.1.1.254
global (tunnels) 1 1.2.3.10

Then it'll use 1.1.1.254 when exiting the outside interface and 1.2.3.10 when exiting the tunnels interface.

You'll have to use Policy NAT if you want to differentiate which global to use when the egress interface is the same.

For example, if you want to use 1.1.1.254 when going to "anywhere" except for when you are going to 192.0.2.0/24. When going to 192.0.2.0/24, you'll use 1.1.1.253:

nat (inside) 1 1.3.3.0 255.255.254.0
nat (inside) 2 access-list to-special-site
global (outside) 1 1.1.1.254
global (outside) 2 1.1.1.253
access-list to-special-site permit ip 1.3.3.0 255.255.254.0 192.0.2.0 255.255.255.0

For Policy NAT, check this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#usingnat

You can't specify two different NAT IDs for the same (or overlapping) subnet without using Policy NAT.

Did it help?
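As an added example (not part of this thread or of any Cisco code), here is a small Python model of how PIX 6.3 picks the address a packet leaves with: statics are consulted first, then policy NAT (nat ... access-list), then the subnet nat, and finally the global that carries the same ID on the egress interface. The functions parse_pix and resolve and the OP_CFG constant are mine, and the order-of-precedence rules are simplified to the cases discussed above; run against the original poster's configuration it returns the untranslated 1.3.3.5 on the tunnels egress, because the identity static wins before nat/global is ever considered.

```python
import ipaddress

def net(addr, mask):
    # PIX writes "network mask"; strict=False tolerates host bits such as 1.3.3.0/255.255.254.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(cfg):
    """Collect the nat, global, static and access-list statements of a PIX 6.3 config."""
    m = {"acl": {}, "nat": [], "global": {}, "static": []}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            m["acl"].setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "nat":
            entry = {"iface": t[1].strip("()"), "id": int(t[2])}
            if t[3] == "access-list":
                entry["acl"] = t[4]             # policy NAT: source and destination come from the ACL
            else:
                entry["net"] = net(t[3], t[4])  # regular NAT: source subnet only
            m["nat"].append(entry)
        elif t[0] == "global":
            m["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":  # static (real_if,mapped_if) mapped real netmask mask
            real_if, mapped_if = t[1].strip("()").split(",")
            m["static"].append((real_if, mapped_if, net(t[3], t[5]), net(t[2], t[5])))
    return m

def resolve(m, ingress, egress, src, dst):
    """Address that src (arriving on ingress) shows on egress, or None when no rule fits."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. statics are consulted before nat/global; an identity static leaves src untouched
    for real_if, mapped_if, real, mapped in m["static"]:
        if (real_if, mapped_if) == (ingress, egress) and src in real:
            return str(mapped.network_address + (int(src) - int(real.network_address)))
    # 2. policy NAT (nat ... access-list) is matched before the plain subnet nat
    nat_id = next((n["id"] for n in m["nat"] if n["iface"] == ingress and "acl" in n
                   and any(src in s and dst in d for s, d in m["acl"].get(n["acl"], []))), None)
    # 3. otherwise the most specific subnet nat on the ingress interface supplies the ID
    if nat_id is None:
        hits = [n for n in m["nat"] if n["iface"] == ingress and "net" in n and src in n["net"]]
        nat_id = max(hits, key=lambda n: n["net"].prefixlen)["id"] if hits else None
    # 4. the global with the same ID on the egress interface gives the mapped address
    return m["global"].get((egress, nat_id)) if nat_id is not None else None

# The original poster's configuration from this thread, embedded as constructed sample input
OP_CFG = """nat (inside) 1 1.3.3.0 255.255.254.0
global (outside) 1 1.1.1.254
static (inside,tunnels) 1.3.3.0 1.3.3.0 netmask 255.255.254.0
nat (tunnels) 108 1.3.3.0 255.255.254.0
global (tunnels) 108 1.2.3.10"""
```

Feeding it the single-ID configuration from the reply above (nat (inside) 1 with a global 1 on both outside and tunnels, plus the policy NAT pair) yields 1.2.3.10 on the tunnels egress and 1.1.1.253 only for destinations in 192.0.2.0/24.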