nat based on outside source

Unanswered Question
Jan 21st, 2010

Hi,

I have the following situation:

server on inside with 192.168.1.1 address

outside NAT address x.x.x.1

This is currently working correctly with static NAT.

We require a policy NAT where we can NAT the outside address x.x.x.1 to a second server 192.168.1.2 based on whether the source is a specific host/network.

Connections are always initiated from outside (public-facing web server, for example).

I have been unable to identify a means of achieving this with policy NAT. We can successfully NAT the inside hosts to different outside addresses based on the policy access lists, but we are unable to NAT an outside address to multiple inside addresses.

Any ideas?

vilaxmi (Cisco Employee) Thu, 01/21/2010 - 20:51

Hello,

So you need to map one public IP to multiple internal servers depending on the (external) source. You need a policy as follows:

Suppose two different hosts (x.x.x.x and y.y.y.y) on the outside want to access two different servers (192.168.1.1 and 192.168.1.2) on the inside, both through the same public IP (160.1.1.2).

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 host y.y.y.y   --> y.y.y.y will be able to access server at 192.168.1.2 using 160.1.1.2

static (inside,outside) 160.1.1.2 access-list policy

HTH

Vijaya

g_mcco Thu, 01/21/2010 - 23:04
Hi,

Thanks for the answer; you've understood exactly what I need, with just a slight variation:

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 any   --> ANY OTHER ADDRESS will be able to access server at 192.168.1.2 using 160.1.1.2

I'll test the above later on, but from what I gather I won't be able to use ANY as a source address, i.e. I want only specific addresses to go to 192.168.1.1 and all others to go to 192.168.1.2.

Do you think this will work?

Thanks

vilaxmi (Cisco Employee) Fri, 01/22/2010 - 10:57

Hello,

You can try:

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x

access-list policy extended permit ip host 192.168.1.1 host y.y.y.y

static (in,out) 160.1.1.2 access-list policy

static (in,out) 160.1.1.2 192.168.1.2 netmask 255.255.255.255

Now, since the POLICY STATIC has higher preference than the normal STATIC, your specific users (x.x.x.x and y.y.y.y) will go to the internal server at 192.168.1.1, while all other users will go to the internal server at 192.168.1.2, using the same public IP.

Try this and let me know how it goes.

Vijaya
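The arrangement worked out in this thread as one complete configuration, added here as an illustration and not taken from any of the posts above. It assumes ASA 8.2-style (pre-8.3) NAT syntax, interfaces named inside and outside, and that the exposed service is TCP/443; x.x.x.x and y.y.y.y are the thread's placeholders, and 203.0.113.9 is a constructed "any other" outside source.

```cisco
! Added example (not from the thread). Assumes ASA 8.2-style NAT syntax,
! interfaces named "inside" and "outside", and that the public service is TCP/443.
!
! Policy static NAT: in this syntax the ACL lists the REAL (inside) address as
! source and the outside peer as destination. Only x.x.x.x and y.y.y.y are
! translated to 192.168.1.1 when they connect to 160.1.1.2.
access-list POLICY_NAT extended permit ip host 192.168.1.1 host x.x.x.x
access-list POLICY_NAT extended permit ip host 192.168.1.1 host y.y.y.y
static (inside,outside) 160.1.1.2 access-list POLICY_NAT
!
! Regular static NAT for the same public IP: every other outside source that
! connects to 160.1.1.2 is translated to 192.168.1.2. The policy static takes
! precedence over this regular static, which is what makes the fallback work.
static (inside,outside) 160.1.1.2 192.168.1.2 netmask 255.255.255.255
!
! Connections are initiated from outside, so the outside interface ACL must
! permit them. Pre-8.3 interface ACLs match the MAPPED address (160.1.1.2), so
! one line covers both inside servers; restrict it to the port actually exposed.
access-list OUTSIDE_IN extended permit tcp any host 160.1.1.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode): confirm which real address each outside source lands on.
!   packet-tracer input outside tcp x.x.x.x 40000 160.1.1.2 443       -> expect 192.168.1.1
!   packet-tracer input outside tcp 203.0.113.9 40000 160.1.1.2 443   -> expect 192.168.1.2
!   show xlate
```

Keep the interface ACL as narrow as the service allows; the NAT statements decide where a connection lands, not whether it is permitted.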
