07-17-2008 01:40 PM
I have two user subnets, and both are located on the inside interface of the firewall, and the server is located in the DMZ.
Right now this server 172.28.35.28 is available to everyone on 172.28.98.28. I'm achieving this by
static(inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255
But now a few applications in the 172.28.31.0 subnet are having a problem; they want to access this server on its real IP. I can achieve this by doing
static(inside,edn) 172.28.35.28 172.28.35.28 netmask 255.255.255.255
But I want a NAT policy such that only users in the 172.28.31.0 subnet access this server on its real IP, while at the same time the server is also available to other users on the 172.28.98.28 IP address.
But the problem is that only one static command is working. How can I achieve my goal?
07-17-2008 11:42 PM
You can achieve this with NAT 0 (no nat)
nat (inside) 0 access-list NAT0
access-list NAT0 permit 172.28.31.0 255.255.255.0 host 172.28.35.28
NAT 0 takes precedence over static, and with the access-list you have your own policy-based NAT.
Please rate if this helped.
Regards,
Daniel
07-18-2008 01:28 AM
Thanks for the reply, but the problem is still there.
access-list nonat extended permit ip host 172.28.92.72 host 172.28.35.28
nat (edn) 0 access-list nonat
static (inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255
User 172.28.92.72 is coming from the Edn interface and accesses the server located in the inside network.
But user 172.28.92.72 is still able to access this server only on the NATted IP, not on the real IP.
07-18-2008 01:55 AM
Hi,
This is because the inside interface has a higher security level than Edn.
Use: nat (edn) 0 access-list nonat outside
Please rate if this helped.
Regards,
Daniel
07-19-2008 11:55 AM
Not working. See the attachment for the network diagram. Users from the 192.168.1.0 subnet want to access the application server on the 172.28.98.28 IP address, and users on the 172.28.92.0 subnet want to access this application server on 172.28.33.28, which is its original IP address.
The server is located on the inside interface and the user subnets are located on lower security levels.
Right now users are accessing it with the following configuration:
static (inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255
07-20-2008 05:05 AM
Hi,
Ok, I got it now:
access-list NAT-Server permit ip host 172.28.98.28 172.28.92.0 255.255.255.0
static (edn,inside) 172.28.35.28 access-list NAT-Server
access-list noNAT-Server permit ip host 172.28.98.28 192.168.1.0 255.255.255.0
static (edn,inside) 172.28.98.28 access-list noNAT-Server
Please rate if this helped.
Regards,
Daniel
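To make the translation-selection logic behind this thread concrete, here is an added Python model (not part of the original thread or any Cisco code) of how a pre-8.3 PIX/ASA chooses a static translation for a flow arriving on the low-security edn interface: policy statics (static ... access-list) are consulted before regular statics, and the first match wins. The addresses are the thread's; the rule ordering is the documented ASA behaviour, simplified, and the rule sets below encode the outcome the thread is after rather than a line-by-line parse of the posted syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRule:
    mapped_ip: IPv4   # address the client on edn sends to
    real_ip: IPv4     # address the server actually has on inside
    client_net: Net   # ACL scope; 0.0.0.0/0 models a plain static with no access-list

    @property
    def is_policy(self) -> bool:
        return self.client_net.prefixlen != 0


def untranslate(rules: Iterable[StaticRule], client_ip: str, dst_ip: str) -> Optional[str]:
    """Return the real destination the inside host sees, or None when no static
    covers the flow (under nat-control the firewall would drop such a packet)."""
    client, dst = IPv4(client_ip), IPv4(dst_ip)
    # Policy statics take precedence over regular statics regardless of config order.
    ordered = sorted(rules, key=lambda r: not r.is_policy)
    for rule in ordered:
        if dst == rule.mapped_ip and client in rule.client_net:
            return str(rule.real_ip)
    return None


# The single static from the first post: everyone reaches the server as 172.28.98.28.
ORIGINAL: List[StaticRule] = [
    StaticRule(IPv4("172.28.98.28"), IPv4("172.28.35.28"), Net("0.0.0.0/0")),
]

# Outcome of the final answer: two policy statics keyed on the client subnet.
FINAL: List[StaticRule] = [
    # 172.28.92.0/24 reaches the server at its real address (identity translation)
    StaticRule(IPv4("172.28.35.28"), IPv4("172.28.35.28"), Net("172.28.92.0/24")),
    # 192.168.1.0/24 keeps using the translated address 172.28.98.28
    StaticRule(IPv4("172.28.98.28"), IPv4("172.28.35.28"), Net("192.168.1.0/24")),
]

# Keeping the old regular static as well: policy rules still win, the static is the fallback.
COMBINED: List[StaticRule] = ORIGINAL + FINAL

if __name__ == "__main__":
    print(untranslate(ORIGINAL, "172.28.92.72", "172.28.35.28"))  # None: the original problem
    print(untranslate(FINAL, "172.28.92.72", "172.28.35.28"))     # 172.28.35.28
    print(untranslate(FINAL, "192.168.1.10", "172.28.98.28"))     # 172.28.35.28
```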