Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1594
Views
0
Helpful
16
Replies

Perform Conditional Static NAT with Dynamic External IP

Go to solution
davidk3
Level 1
Level 1

‎10-16-2024 04:02 PM

I've kind of simplified the reality here a little bit, just to kind of get to the heart of the matter:

We have a main office on network 192.168.0.0/16 and a branch office on network 10.19.0.0/16. The main office has a static public IP address on its external interface. The branch office does not; it's using DHCP. There is a site-to-site IPsec tunnel between the two locations. The branch office is behind a Cisco router, and is hosting a camera system at 10.19.10.3 on TCP port 2003. Currently we have the following command configured on the branch office router, to allow connections to the camera system from over the public internet using its public IP address:

ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003

Unfortunately this statement has the side effect of making it so we can't access the camera system from the main office via 10.19.10.3; we have to use the public IP address. We'd like to be able to use 10.19.10.3 to access it from the main office, though.

I'm not great at this networking stuff, but I was thinking the way to fix this would be to just find some way to make it so this NAT rule only gets applied when the camera system's being accessed from any IP besides 192.168.0.0/16; that way NAT would not be applied when accessing it from the main office. After some googling I found out about something called Policy NAT, where you can use an access list to specify when the rule should be applied. I'd then apply it using a command similar to the following:

ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003 route-map MYROUTEMAP

Unfortunately it looks like you can't use the "route-map" keyword after using the "interface" keyword to specify the second address in the command; you can only use "route-map" if the second address in the command is an actual IP address, as far as I can tell. Anyone know how we might be able to accomplish what we're trying to do here?

Labels:
0 Helpful
16 Replies 16

Go to solution
paul driver
VIP
VIP
In response to davidk3

‎10-18-2024 03:35 PM

Hello
you should have no issue giving a host an secondary address and when you do i envisage it will solve your current problem 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
davidk3
Level 1
Level 1
In response to paul driver

‎10-22-2024 11:40 AM

Unfortunately my camera system doesn't seem to support multiple IP addresses, so I wasn't able to try this, but as I mentioned in my other post switching to tunnel interfaces did the trick, thank you for your help!

0 Helpful
Customers Also Viewed These Support Documents