Firewall NAT

Unanswered Question
Oct 28th, 2009

I'm trying to do some natting. My intention is to NAT a public address space ( /25) subnet to a single address on my private network ( /32).

The intent is to get the servers in the private subnet (VLAN'd) to respond to ANY server in the public subnet on the NATed 192 address.

I'm thinking I can do this with the following config:

static (outside,inside) <> <> netmask

But I'm not sure that it will NAT ANY address in the /25 subnet..

Any insight would be helpful...



Collin Clark Wed, 10/28/2009 - 14:08

If I understand your requirements correctly, it is not possible. How would the NAT address know what IP to go to on the inside?

Bruce Summers Wed, 10/28/2009 - 14:16

The source subnet (VLAN) is directly connected to the firewall, as is the destination subnet (VLAN). I'm thinking, for example:

Server A sends a packet destined for the network; it gets NAT'd to,

A route on the firewall to the 192 subnet (also a connected VLAN) routes the traffic to the interface for the 192 address space.


Collin Clark Wed, 10/28/2009 - 14:26

So are you looking to not NAT? If sends a message to, it does not need to NAT. There is no translation between the subnets. If you wanted to NAT, let's use the subnet of, the server would message, which in turn would be NAT'd to. Hope that makes sense.

Bruce Summers Wed, 10/28/2009 - 14:34


The intent is to get the (and any other server in that /25 subnet) to the /24 to give the appearance that all traffic from the 10.1.17 is being sourced as

Does that make better sense... maybe I didn't explain it correctly.

Bruce Summers Wed, 10/28/2009 - 15:01

Sorry, after rereading this, I needed to clarify.

"to give the appearance that all traffic from the /25 is being sourced as host address"

I'm not even sure that it can be done...

I want the hosts in the /24 to ALWAYS talk back to which NATs to ANY /25...

Does that make sense?

Jerry Ye Wed, 10/28/2009 - 15:42

I think this is your traffic flow:

Outside ( -> Inside (

But Inside sees Outside network as Am I correct?

If yes, then you can do policy NAT:

access-list NET10-1-1-0 extended permit ip host

static (outside,inside) access-list NET10-1-1-0

But the will not be a /24; it will match the source on the ACL to be a /25.



Bruce Summers Wed, 10/28/2009 - 16:54

We got it...

We set the following:

global 1 interface

nat 1 access-list

BAM, worked like a champ...

Thanks for all the responses.
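For anyone reproducing this thread, here is an added example in pre-8.3 ASA/PIX syntax that was not posted by any participant. It writes out both shapes discussed: the dynamic outside PAT that Bruce reported working ("global 1 interface" plus "nat 1 access-list") and the static policy NAT Jerry Ye suggested. Every address is a constructed RFC 5737 documentation value standing in for the ones elided from the posts, the access-list names are made up, and it assumes the inside servers are already reachable from the outside interface (a static for the servers and an access-group on outside), so only the source translation is shown.

```cisco
! Added example, not from the thread. Constructed placeholder addressing:
!   outside /25 (the "public" subnet in the question) : 203.0.113.0 255.255.255.128
!   inside  /24 (the server VLAN)                     : 192.0.2.0   255.255.255.0
!   one mapped /25 for the static variant             : 198.51.100.0 (constructed)
!
! ---- Variant 1: dynamic outside PAT (the shape Bruce said worked) -------------
! Every host in the outside /25 that talks into the server /24 is rewritten to
! the firewall's inside interface address. Many-to-one is possible here because
! PAT keeps a per-connection entry (source port) in the xlate table, so return
! traffic from the servers can be matched back to the right outside host.
access-list OUTSIDE-TO-SERVERS extended permit ip 203.0.113.0 255.255.255.128 192.0.2.0 255.255.255.0
! The trailing "outside" keyword enables outside NAT (real hosts on the lower-
! security interface). Pool id 1 ties the nat and global statements together.
nat (outside) 1 access-list OUTSIDE-TO-SERVERS outside
global (inside) 1 interface
!
! ---- Variant 2: static policy NAT (the shape Jerry Ye suggested) --------------
! "static" is one-to-one, which is why a whole /25 cannot be folded into a single
! host this way (Collin's objection). With a network in the ACL the mapped
! prefix takes the ACL's mask, so 203.0.113.5 is seen inside as 198.51.100.5.
! Only one of the two variants should be active for the same traffic.
access-list OUTSIDE-TO-SERVERS-STATIC extended permit ip 203.0.113.0 255.255.255.128 192.0.2.0 255.255.255.0
static (outside,inside) 198.51.100.0 access-list OUTSIDE-TO-SERVERS-STATIC
!
! ---- Verification ----------------------------------------------------------------
! Existing translations are not rebuilt when NAT rules change; clear them, then
! generate traffic from an outside host and confirm the mapped source.
clear xlate
show nat
show xlate
```

Two practical points follow from which variant is chosen. With Variant 1 the servers' own logs and host firewalls only ever see the inside interface address, so attributing a connection to a specific outside host requires the ASA's xlate table or its syslog (translation-built and connection-built messages), which should therefore be exported and retained. Variant 2 preserves one mapped address per real host, so server-side logging and access controls can still tell outside hosts apart, at the cost of an additional /25 of address space on the inside.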

