Cisco 2901 Router with NAT and normal routing on the same interface?
I am struggling with a certain project where a kerio winroute software firewall needs to be replaced by a hardware router/firewall.
The purchased hardware is a 2901 with K9 firewalling license pack (no experience on cisco routers).
It is just routing/blocking traffic between a production LAN and an Office LAN. Only 2 ports exist on the device (old and new).
The problem seems to be that on the kerio software, there are "policies" to do this, and each policy can be set with
- NAT (when required)
- no NAT (when that server is not supporting NAT to a client)
Each policy has the columns: Name - Source - Destination - Service - Action - Log - TRANSLATION
But when we configure the 2901 (Cisco Configuration Professional), it seems that an interface is always with NAT or just without NAT.
I seem not to be able to say that certain communication must use NAT and other communication must be routed without NAT.
When I ping from a certain IP WAN to LAN on the old system, I get a reply from the IP in the LAN, as is expected with normal routing.
When I ping from the same IP WAN to LAN on the new system, I get a reply from the WAN IP on the router, because the interface is configured as NAT (inside or outside).
So basically, from some WAN devices I want routing, but that same interface must also be able to have dynamic NAT connections to certain WAN IPs, and have static NAT connections coming in from WAN to LAN (for example for VNC mapping).
Before I post the router scripts, is the above screenshot something that is even possible with the 2901 K9 router? Or is this only possible with this software firewall?
On a Cisco router you can enable an interface for NAT and still route packets over it without translating any addresses. Just enabling NAT doesn't do much unless you have a translation rule configured. So in your setup you can configure the LAN facing interface as NAT inside and the WAN facing interface as NAT outside and then you have the flexibility of specifying which communication will have addresses translated by configuring translation rules (e.g. this inside range will have the source IP translated to that outside IP, etc.). Traffic not matching any translation rule will not be influenced by NAT.
Traffic filtering can then be accomplished by simple access-lists applied either inbound or outbound on the router's interfaces, or by a zone-based firewall configuration where you assign interfaces into zones and create security policies for traffic passing between zones.
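An added IOS configuration example (not from the original thread or from the asker's router) showing what the answer describes: both interfaces are NAT-enabled, but only traffic matched by the ACL is translated, one server is explicitly excluded so it sees real LAN addresses, and a static entry maps inbound VNC. All interface names, addresses and ports are assumed.

```cisco
! Office LAN side: marked "inside" for NAT
interface GigabitEthernet0/0
 description Office LAN (NAT inside)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Production LAN side (the "WAN" in the question): marked "outside"
interface GigabitEthernet0/1
 description Production LAN (NAT outside)
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
! The ACL decides WHICH flows get translated. A "deny" line is not a
! filter here: it simply means "do not translate", so the packet is
! routed with its real source address and the server replies to it
! directly (the ping case from the question).
ip access-list extended NAT-THESE-FLOWS
 remark 10.1.1.50 does not support NAT'd clients: route untranslated
 deny   ip 192.168.10.0 0.0.0.255 host 10.1.1.50
 remark everything else from the office toward production is NAT'd
 permit ip 192.168.10.0 0.0.0.255 any
!
! Dynamic PAT: matching office sources appear as the outside interface IP
ip nat inside source list NAT-THESE-FLOWS interface GigabitEthernet0/1 overload
!
! Static NAT for inbound VNC: production hosts connect to 10.1.1.1:5900
! and reach the office PC 192.168.10.25. Static entries are independent
! of the dynamic ACL above.
ip nat inside source static tcp 192.168.10.25 5900 10.1.1.1 5900 extendable
!
! Filtering is separate from translation: restrict what production hosts
! may initiate toward the office (applied on the outside interface).
ip access-list extended FROM-PRODUCTION-IN
 permit tcp host 10.1.1.20 host 10.1.1.1 eq 5900
 permit icmp 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
 permit tcp any any established
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group FROM-PRODUCTION-IN in
```

Verify the behaviour with `show ip nat translations` (only flows permitted by the ACL and the static entry should appear) and `show ip nat statistics`.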