Static NAT

Answered Question
Jan 23rd, 2009

I need to have 2 static NAT statements to one inside IP address for FTP on a 6500. Is this possible? If so, what is the command syntax?

Thanks.

Tshi M Fri, 01/23/2009 - 12:21

I assume you are talking about static natting in your firewall. If so, you cannot PAT the same port to the same address.

regards,

Jon Marshall Fri, 01/23/2009 - 12:59

Mike

You can't NAT two IP addresses to the same private IP address on the same port because the switch has no way of knowing which private to public IP address you want to use. Remember static NAT is bi-directional, so if a connection was initiated from the private address, how would the switch know which public IP address to map it to?

Jon

mikepinto Fri, 01/23/2009 - 13:13

Separate ports on the 6500. E.g.

Port 1 --- Outside network

Port 2 --- Different outside network

Port 3 --- Inside network

Jon Marshall Fri, 01/23/2009 - 13:14

Sorry Mike, I'm a bit confused. When I talked about ports I meant TCP ports, not physical switch ports. Are you talking about physical switch ports?

Jon

mikepinto Fri, 01/23/2009 - 13:24

Well, both. They both have to be NATed to an internal FTP server. So outside FTP 1 (X.X.X.X) and outside FTP 2 (Y.Y.Y.Y) both need to go to inside FTP address (Z.Z.Z.Z). So I see that there is a route-map available on the static NAT commands. Was hoping this was the way to do it, if any.

Correct Answer
Jon Marshall Fri, 01/23/2009 - 13:34

A route-map allows you to do policy NAT. Policy NAT gives you the ability, in your case, to define the NAT based on the source IP addresses accessing the FTP server.

So if one set of source IP addresses needed to access the FTP server on one public IP and another set of source addresses (totally different source IPs) needed to access the FTP server on the other one, then you could do it.

So are the source IP addresses like this, or could it be any source IP address accessing either public IP address? In that case you can't do it.

Jon
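
A small model of the reasoning in the answer above, added here as an example (it is not part of the thread and is not Cisco's implementation): it shows why two plain static mappings to one inside host are ambiguous for inside-initiated traffic, and how scoping each mapping to a distinct set of peer addresses removes the ambiguity. The `PolicyNat` class, the addresses (standing in for Z.Z.Z.Z, X.X.X.X and Y.Y.Y.Y) and the peer networks are constructed assumptions.

```python
import ipaddress

# Constructed documentation addresses standing in for the thread's placeholders.
INSIDE_FTP = ipaddress.ip_address("10.0.0.21")     # Z.Z.Z.Z
PUBLIC_1 = ipaddress.ip_address("192.0.2.10")      # X.X.X.X
PUBLIC_2 = ipaddress.ip_address("198.51.100.10")   # Y.Y.Y.Y


class PolicyNat:
    """Static NAT entries, each optionally scoped to a network of peers."""

    def __init__(self):
        self.entries = []  # (inside_local, inside_global, peer_scope or None)

    def add_static(self, local, global_ip, peers=None):
        scope = ipaddress.ip_network(peers) if peers else None
        for loc, glob, existing in self.entries:
            # Same inside host with overlapping peer scope: an inside-initiated
            # packet could be mapped to either global address, so reject it.
            if loc == local and (
                existing is None or scope is None or existing.overlaps(scope)
            ):
                raise ValueError(f"ambiguous: {local} already maps to {glob}")
        self.entries.append((local, global_ip, scope))

    def outbound(self, src, dst):
        """Inside-initiated: choose the global address for src talking to dst."""
        for loc, glob, scope in self.entries:
            if loc == src and (scope is None or dst in scope):
                return glob
        return None

    def inbound(self, src, dst):
        """Outside-initiated: map the global dst back to the inside host."""
        for loc, glob, scope in self.entries:
            if glob == dst and (scope is None or src in scope):
                return loc
        return None


def build_policy_nat():
    """Two public addresses for one server, split by (constructed) peer networks."""
    nat = PolicyNat()
    nat.add_static(INSIDE_FTP, PUBLIC_1, "203.0.113.0/25")
    nat.add_static(INSIDE_FTP, PUBLIC_2, "203.0.113.128/25")
    return nat
```

If the two peer scopes overlapped, or either mapping had no scope at all, `add_static` would raise, which is the "any source IP address" case the answer says cannot be done.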

mikepinto Fri, 01/23/2009 - 14:04

Jon,

That is what I am trying to do. It is not any source IP addresses, it is specific ones (from separate networks) trying to get to the same FTP server. I just don't know the syntax on the 6500. I have only done it on ASA.

Mike
