Dynamic & Static NAT

Unanswered Question
Aug 31st, 2007

Hello

Can anyone help me understand if it is possible to have NAT pools that NAT Inside Local addresses to Inside Global addresses, plus static entries that NAT static Inside Local addresses to static Inside Global addresses?

I have an app server on a client's network that requires my private addressing to be natted to their private addressing. This is done via a NAT pool. At the same time I have another app server on the same client's network that requires a static 1-2-1 NAT entry as it has to initiate a connection back into the host.

My issue is that the static entry seems to work but it breaks the dynamic NAT, as the host is always getting natted to the static address for the 2nd app server rather than using the pool.

Can anyone advise?

Jon Marshall Fri, 08/31/2007 - 04:28

Hi Jeremy

Can you post your NAT configuration plus the IP address details of the app servers and any other IP details that are relevant?

Jon

jeremyshort Fri, 08/31/2007 - 05:36

Here are the relevant parts; I've changed the IP addressing slightly for protection.

ip nat pool APP-PROD-POOL 10.10.2.2 10.10.10.2 prefix-length 24
ip nat pool APP1-PROD-POOL 10.10.2.11 10.10.2.27 prefix-length 24
ip nat inside source route-map APP-PROD-NAT pool APP-PROD-POOL overload
ip nat inside source route-map APP1-PROD-NAT pool APP1-PROD-POOL overload
!
ip nat inside source static 192.20.10.205 10.10.2.28
!
access-list 101 remark APP-PROD-NAT
access-list 101 permit ip 192.20.0.0 0.0.255.255 host 192.110.100.74
access-list 102 remark APP1-PROD-NAT
access-list 102 permit ip 192.20.0.0 0.0.255.255 host 172.11.1.22
access-list 102 permit ip 192.20.0.0 0.0.255.255 host 192.110.100.143
!
route-map APP-PROD-NAT permit 10
 match ip address 101
!
route-map APP1-PROD-NAT permit 10
 match ip address 102

Jon Marshall Sun, 09/02/2007 - 23:19

Sorry Jeremy, should have got back sooner.

I'm at work so I can have a look at this in the lab if needed. Just for clarity, can you give examples with IP addresses as to what is happening, i.e.

source IP - destination IP - natted IP for both servers.

Jon

jeremyshort Sun, 09/02/2007 - 23:55

Hi Jon

192.168.0.0 - is our internal private addressing

10.10.2.0 - is the customer's addresses that we NAT to/behind.

The customer then allows connections from their address range 10.10.2.0 to their FTP/App servers, which are

192.110.100.74

172.11.1.22

192.110.100.143

The problem I have is that I need to have a static 1-2-1 host NAT entry to get a call recording solution to work (Witness). But with this static 1-2-1 entry I also need the host to access the FTP/App servers which have NAT pools. I can't get the host to use the pools if I define the static 1-2-1?

Jon Marshall Mon, 09/03/2007 - 06:07

Jeremy

Apologies, I have been trying to get round to this all day but have been very busy.

Could you just try one quick thing before I dive into the lab?

Change the line

ip nat inside source static 192.20.10.205 10.10.2.28

to

ip nat inside source static 192.20.10.205 10.10.2.28 extendable

Jon

jeremyshort Wed, 09/05/2007 - 03:36

Hi Jon

Many thanks for your reply

I have been unable to make the change that you requested at the moment, as this is a prod router and I can't get any downtime.

I'll have a change in for tonight so I can give it a go then.

I'll let you know what the outcome is.
