Static Nat

wasiimcisco
Level 1

I have two user subnets, and both are located on the inside interface of the firewall. The server is located in the DMZ.

Right now this server 172.28.35.28 is available for everyone on 172.28.98.28. I'm achieving this by

static (inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255

But now a few applications in the 172.28.31.0 subnet are having a problem; they want to access this server on its real IP. I can achieve this by doing

static (inside,edn) 172.28.35.28 172.28.35.28 netmask 255.255.255.255

But I want a NAT policy such that only when a user in the 172.28.31.0 subnet accesses this server is the real IP used, and at the same time this server is also available to other users on the 172.28.98.28 IP address.

But the problem is that only one static command works. How can I achieve my goal?

5 Replies

5220
Level 4

You can achieve this with NAT 0 (no nat)

nat (inside) 0 access-list NAT0

access-list NAT0 permit 172.28.31.0 255.255.255.0 host 172.28.35.28

NAT 0 takes precedence over static, and with the access-list you have your own policy-based NAT.

Please rate if this helped.

Regards,

Daniel

Thanks for the reply, but the problem is still there.

access-list nonat extended permit ip host 172.28.92.72 host 172.28.35.28

nat (edn) 0 access-list nonat

static (inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255

User 172.28.92.72 is coming from the Edn interface and accesses the server located in the inside network.

But user 172.28.92.72 is still only able to access this server on the NATted IP, not on the real IP.

Hi,

This is because the inside interface has a higher security level than Edn.

Use: nat (edn) 0 access-list nonat outside

Please rate if this helped.

Regards,

Daniel

Not working. See the attachment for the network diagram. Users from the 192.168.1.0 subnet want to access the application server on the 172.28.98.28 IP address, and users on the 172.28.92.0 subnet want to access this application server on 172.28.33.28, which is the original IP address.

The server is located on the inside interface and the user subnets are located on a lower security level.

Right now users are accessing it with the following configuration:

static (inside,edn) 172.28.98.28 172.28.35.28 netmask 255.255.255.255

Hi,

OK, I got it now:

! Policy static NAT: the ACL source is the server's real address on inside,
! the ACL destination is the client network on edn (the interface was misspelled "end").
! Clients in 172.28.92.0/24 reach the server on its real IP ...
access-list NAT-Server extended permit ip host 172.28.35.28 172.28.92.0 255.255.255.0
static (inside,edn) 172.28.35.28 access-list NAT-Server

! ... while clients in 192.168.1.0/24 keep using the mapped address 172.28.98.28.
access-list noNAT-Server extended permit ip host 172.28.35.28 192.168.1.0 255.255.255.0
static (inside,edn) 172.28.98.28 access-list noNAT-Server

Please rate if this helped.

Regards,

Daniel
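An added example, not from the thread or from Cisco, that models the pre-8.3 ASA translation order the replies rely on (NAT exemption first, then policy statics, then regular statics) so the two configurations can be compared flow by flow. The Static class, the helper names and the client addresses 172.28.92.72 and 192.168.1.10 are my own constructs; the real and mapped server addresses are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Static:
    """One pre-8.3 ASA translation for a real inside host (hypothetical model).
    clients=None -> regular 'static (inside,edn) <mapped> <real>';
    clients set  -> policy static whose ACL matches that client network;
    exempt=True  -> 'nat 0 access-list' exemption (identity, never translated)."""
    real: str
    mapped: str
    clients: Optional[str] = None
    exempt: bool = False

    def client_ok(self, client_ip: str) -> bool:
        if self.clients is None:
            return True
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.clients)


def _by_precedence(rules: List[Static]) -> List[Static]:
    """Pre-8.3 order: NAT exemption, then policy statics, then regular statics."""
    return ([r for r in rules if r.exempt]
            + [r for r in rules if not r.exempt and r.clients]
            + [r for r in rules if not r.exempt and not r.clients])


def mapped_address(rules, real_ip, client_ip):
    """Address that client_ip sees for real_ip, or None if nothing matches."""
    for r in _by_precedence(rules):
        if r.real == real_ip and r.client_ok(client_ip):
            return real_ip if r.exempt else r.mapped
    return None


def real_host_for(rules, client_ip, dst_ip):
    """Real host reached when client_ip connects to dst_ip on the mapped side;
    None means no translation matches and the packet is forwarded untouched."""
    for r in _by_precedence(rules):
        if (r.real if r.exempt else r.mapped) == dst_ip and r.client_ok(client_ip):
            return r.real
    return None


# Constructed from the thread: real server 172.28.35.28 on inside, users on edn.
SERVER = "172.28.35.28"
ONE_STATIC = [Static(SERVER, "172.28.98.28")]                 # the original single line
POLICY = [Static(SERVER, SERVER, clients="172.28.92.0/24"),   # real IP for 172.28.92.0/24
          Static(SERVER, "172.28.98.28", clients="192.168.1.0/24")]
```

With the POLICY rules, 172.28.92.0/24 reaches the real address while 192.168.1.0/24 still sees 172.28.98.28; note that once the regular static is replaced by policy statics, a 172.28.92.0/24 host that still points at 172.28.98.28 matches no translation at all.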
