10-16-2024 04:02 PM
I've kind of simplified the reality here a little bit, just to kind of get to the heart of the matter:
We have a main office on network 192.168.0.0/16 and a branch office on network 10.19.0.0/16. The main office has a static public IP address on its external interface. The branch office does not; it's using DHCP. There is a site-to-site IPsec tunnel between the two locations. The branch office is behind a Cisco router, and is hosting a camera system at 10.19.10.3 on TCP port 2003. Currently we have the following command configured on the branch office router, to allow connections to the camera system from over the public internet using its public IP address:
ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003
Unfortunately this statement has the side effect of making it so we can't access the camera system from the main office via 10.19.10.3; we have to use the public IP address. We'd like to be able to use 10.19.10.3 to access it from the main office, though.
I'm not great at this networking stuff, but I was thinking the way to fix this would be to just find some way to make it so this NAT rule only gets applied when the camera system's being accessed from any IP besides 192.168.0.0/16; that way NAT would not be applied when accessing it from the main office. After some googling I found out about something called Policy NAT, where you can use an access list to specify when the rule should be applied. I'd then apply it using a command similar to the following:
ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003 route-map MYROUTEMAP
Unfortunately it looks like you can't use the "route-map" keyword after using the "interface" keyword to specify the second address in the command; you can only use "route-map" if the second address in the command is an actual IP address, as far as I can tell. Anyone know how we might be able to accomplish what we're trying to do here?
10-18-2024 03:35 PM
Hello
You should have no issue giving a host a secondary address, and when you do I envisage it will solve your current problem.
10-22-2024 11:40 AM
Unfortunately my camera system doesn't seem to support multiple IP addresses, so I wasn't able to try this, but as I mentioned in my other post, switching to tunnel interfaces did the trick. Thank you for your help!