Re: Static MAP workaround needed

echelon360 · ‎09-21-2004

Guys,

Need some advice on how to approach this.I will try to explain the problem as best as i can.

-I have 5 hosts that sit behind the inside interface.

-All 5 have been mapped to a public ip (for internet access)

172.16.25.10 202.6.160.169

172.16.25.11 202.6.160.170

172.16.25.12 202.6.160.171

172.16.25.13 202.6.160.172

172.16.25.14 202.6.160.173

-These hosts get their default route from a router sitting behind the outside interface 202.6.160.2

-out of these 5 hosts,two are critical as they monitor events on other hosts.Critical Hosts are

172.16.25.10 202.6.160.169

172.16.25.11 202.6.160.170

PROBLEM

1)i have a host that sits behind the outside interface (202.6.161.230).It is configured with static routes and does not know how to route to my two critical hosts via publicly defined ips.It only knows how to route to 172.16.25.x ips.(adding another static route is not possible this time round)

2)I need to retain my static public mappings and

allow this outside host to connect to my critical hosts,keeping in mind that this outside host can only "see" 172.16.25.x addresses.

Pls advise if there is a way to resolve this

orbana · ‎09-22-2004

Hi,

(Supposed you use pix)

You can use the nat 0 (nonat) feature.

access list nonat permit ip host 172.16.25.10 host 202.6.161.230

access list nonat permit ip host 172.16.25.11 host 202.6.161.230

nat (inside) 0 access-list nonat

Of course, you need also to allow the connection with interface access-lists, or conduits.

I hope it will help you.

Regards,

Attila

echelon360 · ‎09-23-2004

i still allow the connection with interface access-lists?You mean from the outside>inside ?

access-list acl_inbound permit tcp 202.6.161.230 172.16.25.10 eq xx

orbana · ‎09-23-2004

Yes.