
Perform Conditional Static NAT with Dynamic External IP

davidk3
Level 1

I've kind of simplified the reality here a little bit, just to kind of get to the heart of the matter:

We have a main office on network 192.168.0.0/16 and a branch office on network 10.19.0.0/16. The main office has a static public IP address on its external interface. The branch office does not; it's using DHCP. There is a site-to-site IPsec tunnel between the two locations. The branch office is behind a Cisco router, and is hosting a camera system at 10.19.10.3 on TCP port 2003. Currently we have the following command configured on the branch office router, to allow connections to the camera system from over the public internet using its public IP address:

ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003

Unfortunately this statement has the side effect of making it so we can't access the camera system from the main office via 10.19.10.3; we have to use the public IP address. We'd like to be able to use 10.19.10.3 to access it from the main office, though.

I'm not great at this networking stuff, but I was thinking the way to fix this would be to just find some way to make it so this NAT rule only gets applied when the camera system's being accessed from any IP besides 192.168.0.0/16; that way NAT would not be applied when accessing it from the main office. After some googling I found out about something called Policy NAT, where you can use an access list to specify when the rule should be applied. I'd then apply it using a command similar to the following:

ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003 route-map MYROUTEMAP

Unfortunately it looks like you can't use the "route-map" keyword after using the "interface" keyword to specify the second address in the command; you can only use "route-map" if the second address in the command is an actual IP address, as far as I can tell. Anyone know how we might be able to accomplish what we're trying to do here?

16 Replies

Hello
You should have no issue giving a host a secondary address, and when you do I envisage it will solve your current problem.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Unfortunately my camera system doesn't seem to support multiple IP addresses, so I wasn't able to try this, but as I mentioned in my other post, switching to tunnel interfaces did the trick. Thank you for your help!
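
A branch-router sketch of the tunnel-interface approach reported above, added here as an example; it is not taken from the thread or from the poster's actual configuration. It works because classic IOS NAT only translates traffic crossing between an `ip nat inside` and an `ip nat outside` interface, so camera replies routed out a tunnel interface with no NAT role keep the 10.19.10.3 source address. Assumptions: Vlan1 as the inside interface, 203.0.113.1 as a placeholder for the main office's static IP, the tunnel addressing, the names BRANCH-TS and VTI-PROFILE, an ISAKMP policy and key already in place, and a main-office peer configured with a matching route-based tunnel.

```cisco
! Assumed proposal; must match what the main-office peer offers
crypto ipsec transform-set BRANCH-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Hypothetical profile name
crypto ipsec profile VTI-PROFILE
 set transform-set BRANCH-TS
!
! Route-based tunnel. It carries no "ip nat" command, so traffic routed
! through it is never matched against the static translation.
interface Tunnel0
 ! Constructed tunnel addressing
 ip address 172.16.255.2 255.255.255.252
 ! Sourcing from the interface follows the DHCP-assigned public address
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 ! Placeholder for the main office's static public IP
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI-PROFILE
!
! Internet-facing interface. Assumption: any crypto map used by the
! earlier policy-based tunnel has been removed from it.
interface FastEthernet4
 ip address dhcp
 ip nat outside
!
! Assumed inside interface facing the camera's network
interface Vlan1
 ip nat inside
!
! Main-office traffic leaves via the tunnel, not via FastEthernet4
ip route 192.168.0.0 255.255.0.0 Tunnel0
!
! Port forward from the original post, unchanged. It now applies only to
! sessions that enter or leave through FastEthernet4.
ip nat inside source static tcp 10.19.10.3 2003 interface FastEthernet4 2003
```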