04-29-2011 10:05 AM - edited 03-04-2019 12:13 PM
I have an L2L VPN tunnel set up for the 6.0.85 subnet, which is required by the end user. After putting in the static NAT for 10.24.74.217, it cannot get out to the Internet now, since the 6.0.85 is a public subnet and not on the outside interface of the firewall. Is there any way to keep this static NAT and have the 10.24.74.217 get out to the Internet as well?
static (SDS,External) 6.0.85.4 10.24.74.217 netmask 255.255.255.255
nat (SDS) 1 10.24.74.208 255.255.255.240
nat (SDS) 1 0.0.0.0 0.0.0
04-29-2011 01:26 PM
Your internet gateway needs a host route pointing to the device doing the NAT.
04-29-2011 01:54 PM
Thanks for your response. So my ISP needs to create a route for 0.0.0.0 0.0.0.0 6.0.85.4? My default gw is 11.22.118.1
04-29-2011 04:42 PM
Can you post a diagram of your network so I can help you further?
I don't know exactly where the route needs to be entered, and I said a host route, not a default route.
For instance:
ip route 6.0.85.4 255.255.255.255 [gateway_towards_NAT_device]
05-02-2011 03:13 PM
05-02-2011 10:48 PM
Hi,
Can you just show me the global translation of NAT? Since you are using the static NAT with a single IP address, there is no global command showing.
Thanks,
Aman
05-03-2011 07:35 AM
global (External) 1 interface (66.xxx.xxx.5)
Thanks
05-03-2011 09:03 AM
I think I figured it out. I created access lists for that IP only to that range, applied them to the static NAT, and removed the old ones.
access-list policy_nat_mckesson_2 extended permit ip host 10.24.74.215 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_1 extended permit ip host 10.24.74.214 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_3 extended permit ip host 10.24.74.216 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_4 extended permit ip host 10.24.74.217 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_5 extended permit ip host 10.24.74.218 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_6 extended permit ip host 10.24.74.219 6.0.87.0 255.255.255.0
access-list policy_nat_mckesson_7 extended permit ip host 10.24.74.220 6.0.87.0 255.255.255.0
sdcfw01(config)# static (SDS,External) 6.0.85.2 access-list policy_nat_mckesson_2
sdcfw01(config)# static (SDS,External) 6.0.85.3 access-list policy_nat_mckesson_3
sdcfw01(config)# static (SDS,External) 6.0.85.4 access-list policy_nat_mckesson_4
sdcfw01(config)# static (SDS,External) 6.0.85.5 access-list policy_nat_mckesson_5
sdcfw01(config)# static (SDS,External) 6.0.85.6 access-list policy_nat_mckesson_6
sdcfw01(config)# static (SDS,External) 6.0.85.7 access-list policy_nat_mckesson_7
Thanks
Jerrod
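The following is an added example, not code from any participant in this thread. It is a simplified model of source translation on the SDS-to-External path that compares the original unconditional static with the access-list (policy) static from the last post. It assumes statics are evaluated before dynamic nat/global. The PAT address is masked on the page, so a placeholder stands in for it, and the test destinations are constructed.

```python
import ipaddress

# Placeholder: the interface PAT address is masked in the thread (66.xxx.xxx.5).
PAT_INTERFACE = "External-interface-PAT"
# From the thread: nat (SDS) 1 10.24.74.208 255.255.255.240
DYNAMIC_NAT_SOURCES = [ipaddress.ip_network("10.24.74.208/28")]


def translate(src, dst, static_rules):
    """Return the translated source address for a flow from SDS to External.

    static_rules is a list of (real_host, mapped_ip, dest_network_or_None).
    dest_network None models a regular static (matches every destination);
    a network models 'static ... access-list' where the ACL permits
    'ip host <real_host> <dest_network>'.
    Simplified assumption: static rules are checked before nat/global.
    Returns None when no rule translates the flow.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for real, mapped, dest_net in static_rules:
        if s != ipaddress.ip_address(real):
            continue
        if dest_net is None or d in ipaddress.ip_network(dest_net):
            return mapped
    if any(s in net for net in DYNAMIC_NAT_SOURCES):
        return PAT_INTERFACE
    return None


# Original config: static (SDS,External) 6.0.85.4 10.24.74.217
REGULAR_STATIC = [("10.24.74.217", "6.0.85.4", None)]
# Final config: static (SDS,External) 6.0.85.4 access-list policy_nat_mckesson_4
POLICY_STATIC = [("10.24.74.217", "6.0.85.4", "6.0.87.0/24")]

VPN_PEER_HOST = "6.0.87.10"      # constructed address inside 6.0.87.0/24
INTERNET_HOST = "198.51.100.10"  # constructed Internet destination

if __name__ == "__main__":
    for name, rules in (("regular", REGULAR_STATIC), ("policy", POLICY_STATIC)):
        for dst in (VPN_PEER_HOST, INTERNET_HOST):
            print(name, dst, "->", translate("10.24.74.217", dst, rules))
```

With the regular static, Internet-bound traffic leaves with source 6.0.85.4, which is not routed back to the firewall. With the policy static, only traffic to 6.0.87.0/24 uses 6.0.85.4 and everything else falls through to interface PAT.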