static nat identity and static map

Nov 29th, 2009

Hi all,


i've got a doubt....


i have to do nat identity for a /25 but 2 addresses of that /25 must be mapped:


ex


static (inside,outside) udp 1.1.1.1 53 2.2.2.1 53 netmask 255.255.255.255

static (inside,outside) udp 1.1.1.2 53 2.2.2.2 53 netmask 255.255.255.255

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0


i think it will work even if i've got a WARNING message like

mapped-address conflict


if i perform a show xlate i can see the first 2 entries first and then the third one.


do you think i'll have any issue? maybe you know a better or more elegant way to do this?


tnx


Dani

jan.nielsen Sun, 11/29/2009 - 12:21

Should be ok, since the first two statics are more specific than the broad network static. If it doesn't work, you could try a policy static nat instead for the two ips.


access-list hosta permit ip host 2.2.2.1 any

access-list hostb permit ip host 2.2.2.2 any


static (inside,outside) 1.1.1.1 access-list hosta

static (inside,outside) 1.1.1.2 access-list hostb

danilodicesare Sun, 11/29/2009 - 12:39

tnx Jan,


maybe i was wrong before 'cause what i meant was:



static (inside,outside) udp 2.2.2.1 53 1.1.1.1 53 netmask 255.255.255.255

static (inside,outside) udp 2.2.2.2 53 1.1.1.2 53 netmask 255.255.255.255

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0


of course your answer is the same ::)



access-list hosta permit ip host 1.1.1.1 any

access-list hostb permit ip host 1.1.1.2 any


static (inside,outside) 2.2.2.1 access-list hosta

static (inside,outside) 2.2.2.2 access-list hostb


but the other question is....how can i add those entries later.


so i've already got a command like


static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0


and i have to add a more specific one...do i need to do 'no static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0', add the more specific entry and then add the less specific entry again?


maybe there is a tricky NAT entry that i can add without temporarily removing the other one.


tnx a lot


Dani

danilodicesare Sun, 11/29/2009 - 23:33

hi,


must be the right way....


so if i need inside to outside untranslated and outside to inside untranslated + some static mapping i'll do:


PIX1# show running-config nat
nat (inside) 0 access-list nat_exemption      --> i wanna inside host to communicate untranslated to external host
nat (outside) 0 access-list nat_exemption   --> i wanna outside world to communicate untranslated to internal host


PIX1# show running-config static
static (inside,outside) 7.7.7.7 2.2.2.1 netmask 255.255.255.255 --> i wanna map real ip 2.2.2.1 with 7.7.7.7
static (inside,outside) 7.7.7.8 2.2.2.4 netmask 255.255.255.255 --> i wanna map real ip 2.2.2.4 with 7.7.7.8


PIX1# show running-config access-list
access-list all extended permit ip any any
access-list nat_exemption extended deny ip host 2.2.2.4 any
access-list nat_exemption extended deny ip host 2.2.2.1 any
access-list nat_exemption extended permit ip 2.2.2.0 255.255.255.128 any


i think this is the right solution, right?


tnx


Dani

Kureli Sankar Mon, 11/30/2009 - 06:26
User Badges:
  • Cisco Employee,

Dani,

We don't translate the source from low to high, so there is no need for nat (outside) 0 access-list nat_exemption. Also, nat 0 with an acl applied on the inside will allow traffic to be initiated from the outside. It is bi-directional.


Yes, this is the best way.  The acl looks correct.


Good luck.


-KS
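An added example, not part of the thread, that models how a pre-8.3 PIX/ASA picks a translation for the configs discussed above: NAT exemption (nat 0 access-list, first-match ACL) is checked first, then the most specific matching static. Ports are ignored, the evaluation order is an assumption based on documented pre-8.3 behaviour, and the addresses are the ones from the thread.

```python
# Added example (not from the thread): simplified model of NAT lookup for an
# inside host on a pre-8.3 PIX/ASA. Assumption: nat 0 access-list exemption is
# evaluated before static NAT, and the ACL is matched first-match-wins.
import ipaddress

# access-list nat_exemption from Dani's third post: (action, source network)
NAT_EXEMPTION = [
    ("deny", "2.2.2.4/32"),
    ("deny", "2.2.2.1/32"),
    ("permit", "2.2.2.0/25"),
]

# static (inside,outside) <mapped> <real>: (mapped base address, real network)
STATICS = [
    ("7.7.7.7", "2.2.2.1/32"),
    ("7.7.7.8", "2.2.2.4/32"),
]

# The earlier approach: two host statics plus a broad identity static.
STATICS_WITH_IDENTITY = [
    ("2.2.2.1", "1.1.1.1/32"),
    ("2.2.2.2", "1.1.1.2/32"),
    ("1.1.1.0", "1.1.1.0/24"),
]

def acl_permits(acl, src):
    """First matching ACE decides; implicit deny if nothing matches."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in ipaddress.ip_network(net):
            return action == "permit"
    return False

def translate(real_ip, exemption=NAT_EXEMPTION, statics=STATICS):
    """Mapped address for real_ip, or None when no rule applies."""
    ip = ipaddress.ip_address(real_ip)
    # 1. NAT exemption wins: traffic passes untranslated (identity).
    if acl_permits(exemption, real_ip):
        return str(ip)
    # 2. Otherwise the longest-prefix (most specific) static applies.
    best = None
    for mapped, net in statics:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (mapped, n)
    if best is None:
        return None
    mapped, n = best
    offset = int(ip) - int(n.network_address)   # host offset inside a network static
    return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset))
```

Running translate() over 2.2.2.1, 2.2.2.4 and 2.2.2.5 shows why the two deny lines are needed: without them the /25 permit would exempt the two hosts and their statics would never be reached.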
