Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
566
Views
0
Helpful
1
Replies

Cisco 2901 Router with NAT and normal routing on the same interface?

Joris Syen
Level 1
Level 1

‎10-05-2015 07:48 AM - edited ‎03-08-2019 02:03 AM

Dear,

 

I am struggling with a certain project where a kerio winroute software firewall needs to be replaced by a hardware router/firewall.

The purchased hardware is a 2901 with K9 firewalling license pack (no experience on cisco routers).

It is just routing/blocking traffic between a production LAN and an Office LAN. Only 2 ports exists on the device (old and new).

 

The problem seems to be that on the kerio software, there are "policies" to do this, and each policy can be set with

- NAT (when required)

- no NAT (when that server is not supporting NAT to a client)

 

Traffic policy:

Name - Source - Destination - Service - Action - Log - TRANSLATION

 

 

But when we configure the 2901 (Cisco Configuration Professional), it seems that an interface is always with NAT or just without NAT.

I seem not to be able to say that certain communication must use NAT and other communication must be routed without NAT.

 

For example,

when I ping from a certain IP WAN to LAN, on the old system, I get a reply from the IP in the LAN, as is expected with normal routing.

when I ping from the same IP WAN to LAN, on the new system, I get a reply from the WAN IP on the router, because the interface is configured as NAT (inside or outside).

 

So basically, from some WAN devices I want routing, but that same interface must also be able to have dynamic NAT connections to certain WAN IP's, and have Static NAT connections coming in from WAN to LAN (for example for VNC mapping).

 

Before I post the router scripts, is the above screenshot something that is even possible with the 2901 K9 router? Or is this only possible with this software firewall?

 

Thank you,

Best Regards,

 

Joris

 

Labels:
0 Helpful
1 Reply 1

Martin Hruby
Level 1
Level 1

‎10-06-2015 01:51 AM

Hello Joris

On a Cisco router you can enable an interface for NAT and still route packets over it without translating any addresses. Just enabling NAT doesn't do much unless you have a translation rule configured. So in your setup you can configure the LAN facing interface as NAT inside and the WAN facing interface as NAT outside and then you have the flexibility of specifying which communication will have addresses translated by configuring translation rules (e.g. this inside range will have the source IP translated to that outside IP, etc.). Traffic not matching any translation rule will not be influenced by NAT.

Traffic filtering then can be accomplished by simple access-lists applied either inbound or outbound to routers interfaces, or by a zone-based firewall configuration where you assign interfaces into zones and create security policies for traffic passing between zones.

You might want to have a look at this guide: http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/112237-block-p2p-zbf-ccp-00.html

Hope this helps.

Best regards,
Martin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card