02-05-2009 09:21 AM - edited 03-11-2019 07:46 AM
Want to say thanks in advance.
I'm trying to allow access from my guest network (inside-guest) to particular servers on my inside network. The guest network is using the 192.168 network.
I'm getting the error below.
--Config already in place---
static (inside,outside) X.X.X.4 10.1.20.22 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.6 www 10.1.22.1 www netmask 255.255.255.255
static (inside,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255
--Config I want to add---
static (inside-guest,outside) tcp X.X.X.4 www 10.1.20.22 www netmask 255.255.255.255
static (inside-guest,outside) tcp X.X.X.6 www 10.1.22.1 www netmask 255.255.255.255
static (inside-guest,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255
WARNING: mapped-address conflict with existing static
inside:10.1.20.22 to outside:X.X.X.4 netmask 255.255.255.255
From my understanding you can't have two static entries for the same IP address and port numbers.
What would be another solution around this? Maybe creating an object-group that allows only the ports
I need and applying it to the inside-guest interface? Hmmm
02-05-2009 10:24 AM
Are the servers on the inside network? According to your config, you have 3 servers on your inside network, and that is the 10.1.20.0 network. The config that you want to add is mapping between inside-guest and outside, when it looks like it should be inside-network and inside. If that is the case, you could exclude that traffic from being NATed altogether and use ACLs to restrict traffic.
HTH,
Paul
Edit - I just saw that your inside-guest network is 192.168.x.x, so use a nat 0 statement to exclude traffic from this network going toward your inside network from being NATed, and use ACLs to restrict traffic to those servers.
02-05-2009 10:29 AM
access-list 100 extended permit tcp 192.168.x.y 255.255.255.0 host 10.1.20.x eq www
etc...
nat (inside-guest) 0 access-list 100
02-05-2009 10:36 AM
Ahh, This is what I have now.
global (outside) 1 X.X.X.5
nat (inside-guest) 1 192.168.100.0 255.255.255.0
02-05-2009 10:41 AM
That should stay in place. That allows all addresses from your inside-guest network to be PATed to your external interface address, thus allowing Internet access. Just add the nat 0 command from above to exclude traffic from being NATed when going to the inside network.
HTH,
Paul
02-05-2009 01:56 PM
nat (inside) 0 access-list 90
access-list 90 extended permit ip any 192.168.0.0 255.255.0.0
this is the one i have now, would it do the same???
02-05-2009 02:10 PM
That access-list will allow traffic to go un-NATed from your inside network to your inside-guest network. The one I posted earlier is also necessary, as this will allow traffic sourced from your inside-guest network to bypass NAT and go to the servers on your inside network.
If the users on the inside-guest network are to only access the 3 servers that you had mentioned, you will need three lines in your ACL - One for each server.
HTH,
Paul
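The following is an added, constructed example of the complete pre-8.3 ASA configuration Paul's two posts describe; it is not taken from the thread. It keeps the poster's existing PAT and inside-side exemption, adds the explicit NAT exemption on inside-guest, and then does the part nat 0 does not do: it restricts guests to the two server addresses that appear in the thread (10.1.20.22 and 10.1.22.1) on www/https only, using the object-group approach the original poster asked about. Names such as GUEST-NONAT, GUEST-IN and the object-group names are assumptions.

```cisco
! Constructed example for ASA 8.2 and earlier (not from the original thread).
! Object/ACL names and X.X.X.5 are placeholders; the two server hosts and the
! 192.168.100.0/24 guest subnet are the ones mentioned in the thread.

! Existing dynamic PAT for guest Internet access stays as it is
global (outside) 1 X.X.X.5
nat (inside-guest) 1 192.168.100.0 255.255.255.0

! Servers guests are allowed to reach, and the ports they may use
object-group network GUEST-REACHABLE-SERVERS
 network-object host 10.1.20.22
 network-object host 10.1.22.1
object-group service GUEST-WEB-PORTS tcp
 port-object eq www
 port-object eq https

! NAT exemption on the guest side: guest -> server traffic bypasses the
! dynamic PAT above and reaches the servers with its real 192.168.100.x source
access-list GUEST-NONAT extended permit ip 192.168.100.0 255.255.255.0 object-group GUEST-REACHABLE-SERVERS
nat (inside-guest) 0 access-list GUEST-NONAT

! Poster's existing exemption for the inside side (inside -> 192.168.0.0/16)
access-list 90 extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list 90

! Enforcement: nat 0 only changes translation, it does not restrict anything.
! The interface ACL limits guests to the two servers on www/https, blocks the
! rest of the 10.0.0.0/8 inside space, and then allows Internet access.
access-list GUEST-IN extended permit tcp 192.168.100.0 255.255.255.0 object-group GUEST-REACHABLE-SERVERS object-group GUEST-WEB-PORTS
access-list GUEST-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST-IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group GUEST-IN in interface inside-guest
```

The security-relevant point is the split between the two mechanisms: the nat 0 access-list decides only whether an xlate is built, while the access-group on inside-guest is what actually limits guests to those two servers, so check it with `show access-list GUEST-IN` (hit counts) and `packet-tracer input inside-guest tcp 192.168.100.10 12345 10.1.20.22 80` rather than by inspecting `show xlate`. The deny for 10.0.0.0/8 before the final permit matters: without it the permit-any line for Internet access would also reach every other inside host. Note that from ASA 8.3 onward the `nat 0 access-list` form no longer exists; NAT exemption is written as a twice-NAT identity rule (`nat (inside-guest,inside) source static ... destination static ...`) and is only needed when a dynamic rule would otherwise catch the guest-to-inside traffic, but the interface ACL is still required to restrict access.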
02-05-2009 02:36 PM
I got it, thanks to you!!! I've been busting my brains with the nat 0 command all day, and it only sends the real IP address, i.e. 192.168.100.X, to a server's real IP address 10.1.20.X. No xlate is involved, so basically it simulates a router with an s0/0/0 (public) interface that needs to pass traffic to an F0/0 (private) interface by using static routes and ACLs.