12-28-2011 05:39 AM - edited 03-04-2019 02:46 PM
Hi All,
A bit of a problem with NATting - ASA 5500, ASDM 6.2.
I have 3 interfaces: outside, inside, inside1. Outside routes to the inside interface, where both interfaces are on public IPs, so no nat-control.
The new inside1 interface I want to be on the priv network 10.100.10.0/24. Now I want to NAT a public IP from the inside interface to a priv IP on inside2.
Basically NATting must occur between inside and inside2 - on the priv IP there is a web server.
Can I do it somehow without the NAT enabling command? I just need NAT for a few IPs.
TIA for any help.
Marcin
12-29-2011 03:49 AM
If you want the device to be available from the outside, you need to:
1) Allow access via an access-list, as the outside is security 0 and Inside1 is security 100.
2) Have a NAT in place. You could perform PAT on the outside, or try to use the same NAT IP as the inside, so something like:
static (Inside1,outside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255
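As an added example (not from the thread, and not the poster's final config), here are the two pieces the answer above lists, written out in full in the pre-8.3 `static`/`access-list` syntax that the poster's ASDM 6.2 box uses, together with the checks to run on the ASA once it is in place. Interface names and addresses are taken from the configuration posted later in the thread; the ACL name `Outside_access_in` and the client address `198.51.100.10` fed to `packet-tracer` are assumptions.

```text
! Added example, not from the thread. Publishes 10.100.10.2 (inside1) as
! 83.89.92.250 towards both Inside and Outside on a pre-8.3 ASA.
! Assumed names: ACL Outside_access_in, test client 198.51.100.10.

same-security-traffic permit inter-interface

! 1) One-to-one static translation, one per interface pair the server
!    must be reachable through. Syntax: (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside1,Inside)  83.89.92.250 10.100.10.2 netmask 255.255.255.255
static (inside1,Outside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255

! 2) Inbound ACL on Outside (security 0 -> 100). Pre-8.3 ACLs on the
!    outside match the MAPPED address, so permit 83.89.92.250, not 10.100.10.2.
access-list Outside_access_in extended permit tcp any host 83.89.92.250 eq www
access-group Outside_access_in in interface Outside

! 3) Verification from the CLI: simulate an outside client and let the ASA
!    walk the ACL / NAT / route phases, then confirm the xlate exists.
packet-tracer input Outside tcp 198.51.100.10 12345 83.89.92.250 80
show xlate | include 10.100.10.2
```

Two things to check if it still does not work after this: the access rule on the Outside interface has to match the mapped address 83.89.92.250 as seen on that interface (a rule written against inside1's real addresses will not hit on a pre-8.3 ASA), and 83.89.92.250 is not part of the Outside /30 (83.89.92.44/30 in the posted config), so the upstream router at 83.89.92.45 must have a route for that address pointing at 83.89.92.46, otherwise inbound packets never reach the ASA at all. `packet-tracer` reports which phase (ACCESS-LIST, NAT or ROUTE-LOOKUP) drops the flow, which is quicker than guessing from a browser.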
12-28-2011 09:47 AM
AFAIK, and as far as I can remember, nat-control is only required when you are going from a higher security interface to a lower security interface. Without nat-control you should still be able to configure a translation between two interfaces with the same security level?
Sent from Cisco Technical Support iPad App
12-28-2011 11:04 AM
Just double-checked an old config - you can still configure NAT in the normal way even with nat-control turned off.
12-28-2011 11:56 AM
Hi, thanks for the reply.
I can confirm both inside interfaces are on security level 100. I want a simple 1-to-1 IP translation.
So should I go like this?
config# static (inside,inside1) ip_of_inside1 ip_of_inside netmask 255.255.255.255
Does it make any difference if the inside interface is on a VLAN and the inside1 interface is on native?
12-28-2011 01:22 PM
Yes, that should work, and the VLAN to native should be OK.
Sent from Cisco Technical Support iPad App
12-28-2011 01:36 PM
Hi,
I did that. I cannot browse to the web server on inside1, and I cannot browse the Internet from that server.
Any ideas?
TIA
12-28-2011 02:35 PM
What are you actually trying to do? Do you want the server on inside1 to have an IP address in the same range as the inside?
Sent from Cisco Technical Support iPad App
12-29-2011 01:04 AM
Hi,
The outside interface is on a public /30 network and routes to inside, which is also a public network, a /27.
Now, the inside1 interface is on the 10.100.10.0/24 priv network range (as I mentioned before, inside and inside1 are both on security 100).
So I want to NAT only a few IPs from inside (/27) to the priv range on inside1.
Should this be doable?
12-29-2011 01:12 AM
So you have configured your NAT, but it is not working. Did you configure the setting to allow traffic between 2 interfaces with the same security level?
same-security-traffic permit inter-interface
12-29-2011 01:18 AM
Yes,
I have:
same-security-traffic permit inter-interface
and
same-security-traffic permit intra-interface
12-29-2011 01:19 AM
Post your NAT and interface config.
12-29-2011 01:38 AM
Here we go:
interface Ethernet0/0.21
description inside
nameif Inside
security-level 100
ip address 83.89.38.193 255.255.255.192
!
interface Ethernet0/0.23
description outside
nameif Outside
security-level 0
ip address 83.89.92.46 255.255.255.252
!
interface Ethernet0/1
description For NATting
nameif inside1
security-level 100
ip address 10.100.10.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inside1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 83.89.38.193 255.255.255.192 host 10.100.10.2
access-list Inside1_access_in extended permit ip any host 10.100.10.2
static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 dns
route Outside 0.0.0.0 0.0.0.0 83.89.92.45 1
service-policy global_policy global
12-29-2011 03:04 AM
Remove
static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns
The correct NAT is
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255
12-29-2011 03:26 AM
Hi,
Thanks for that, but no luck. I even tried to ping from a server on the inside net to the server with IP 10.100.10.2 - no luck, and from the inside net server I cannot even ping the interface IP 10.100.10.1.
Of course I can ping from 10.100.10.2 to 10.100.10.1; this seems to be fine.
After applying this:
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255
in ASDM it appears with inside1 as the original source and inside as the translated. I am assuming that's correct.
But it still doesn't work.
12-29-2011 03:35 AM
There is some joy!
I can ping from servers on inside to inside1 by pinging 83.89.92.250.
NAT is working: when I deleted the rule I could not ping, and after creating the NAT rule again it was working.
But I still cannot browse to 83.89.92.250 aka 10.100.10.2 from outside. On the outside interface the access rules allow any traffic on port 80 to any on the inside interface. Do you think I should allow it to inside1 as well, or with NATting should this not be necessary?