01-23-2009 09:53 AM - edited 03-06-2019 03:37 AM
I need to have 2 static NAT statements to one inside IP address for FTP on a 6500. Is this possible? If so, what is the command syntax?
Thanks.
01-23-2009 12:21 PM
I assume you are talking about static natting in your firewall. If so, you cannot PAT the same port to the same address.
regards,
01-23-2009 12:45 PM
I am talking about static NAT in a 6500 switch.
01-23-2009 12:59 PM
Mike
You can't NAT two IP addresses to the same private IP address on the same port because the switch has no way of knowing which private to public IP address you want to use. Remember, static NAT is bi-directional, so if a connection was initiated from the private address, how would the switch know which public IP address to map it to?
Jon
01-23-2009 01:13 PM
Separate ports on the 6500. E.g.
Port 1 --- Outside network
Port 2 --- Different outside network
Port 3 --- Inside network
01-23-2009 01:14 PM
Sorry Mike, I'm a bit confused. When I talked about ports I meant TCP ports, not physical switch ports. Are you talking about physical switch ports?
Jon
01-23-2009 01:24 PM
Well, both. They both have to be NATed to an internal FTP server. So outside FTP 1 (X.X.X.X) and outside FTP 2 (Y.Y.Y.Y) both need to go to inside FTP address (Z.Z.Z.Z). So I see that there is a route-map available on the static NAT commands. Was hoping this was the way to do it, if any.
01-23-2009 01:34 PM
A route-map allows you to do policy NAT. Policy NAT gives you the ability, in your case, to define the NAT based on the source IP addresses accessing the FTP server.
So if one set of source IP addresses needed to access the FTP server on one public IP and another set of source addresses (totally different source IPs) needed to access the FTP server on the other one, then you could do it.
So are the source IP addresses like this or could it be any source IP address accessing either public IP address, in which case you can't do it?
Jon
01-23-2009 02:04 PM
Jon,
That is what I am trying to do. It is not any source IP addresses, it is specific ones (from separate networks) trying to get to the same FTP server. I just don't know the syntax on the 6500. I have only done it on ASA.
Mike
01-23-2009 02:10 PM
Jon,
I found this document.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html#wp1024922
This is what I needed to do. Thanks for pointing me in the right direction.
Mike
01-23-2009 02:14 PM
Mike
Was just about to send you that link :-)
Thanks for the rating.
Jon
01-23-2009 02:29 PM
Mike,
Thanks for sharing the link.
Regards,
01-23-2009 01:04 PM
This applies to switches as well.
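The policy NAT arrangement discussed in the thread, sketched as an added configuration example (not posted by any participant and not copied from the linked Cisco document). All addresses, interface names, ACL numbers and route-map names are constructed placeholders, and it assumes an IOS release that accepts `route-map` on static translations:

```cisco
! Constructed values (documentation address ranges), not from the thread:
!   inside FTP server  (Z.Z.Z.Z) : 10.1.1.10
!   public address 1   (X.X.X.X) : 192.0.2.10, used by clients in 198.51.100.0/24
!   public address 2   (Y.Y.Y.Y) : 192.0.2.20, used by clients in 203.0.113.0/24
!
interface Vlan10
 description inside network (assumed name)
 ip nat inside
!
interface Vlan20
 description outside network 1 (assumed name)
 ip nat outside
!
interface Vlan30
 description different outside network (assumed name)
 ip nat outside
!
! ACLs are written in the inside-to-outside direction:
! source = real server address, destination = the remote client network.
! Keep them as narrow as the real client ranges; a broad "any" destination
! on both ACLs brings back the ambiguity described earlier in the thread.
access-list 101 permit ip host 10.1.1.10 198.51.100.0 0.0.0.255
access-list 102 permit ip host 10.1.1.10 203.0.113.0 0.0.0.255
!
route-map FTP-NET1 permit 10
 match ip address 101
!
route-map FTP-NET2 permit 10
 match ip address 102
!
! Two static translations for the same inside address, each tied to one
! client network by its route-map, so the two client ranges must not overlap.
ip nat inside source static 10.1.1.10 192.0.2.10 route-map FTP-NET1
ip nat inside source static 10.1.1.10 192.0.2.20 route-map FTP-NET2
```

`show ip nat translations` lists the resulting entries, which lets you confirm that each client network is mapped to the intended public address.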