01-21-2010 12:54 PM - edited 03-11-2019 10:00 AM
Hi,
I have the following situation:
server on inside with 192.168.1.1 address
outside nat address x.x.x.1
this is currently working correctly with static nat
we require to have a policy nat where we can nat outside address x.x.x.1 to a second server 192.168.1.2 based on if the source is a specific host/network
Connections are always initiated from outside (public facing web server for example).
I have been unable to identify a means of achieving this with policy nat, we can successfully nat the inside hosts to different outside addresses based on the policy access lists but we are unable to nat an outside address to multiple inside addresses.
any ideas?
01-21-2010 08:51 PM
Hello,
So you need to MAP one public IP to multiple internal servers depending upon the source (external). You need a policy as follows:
if two different hosts (x.x.x.x and y.y.y.y) on outside world would like to access TWO different servers (192.168.1.1 and 192.168.1.2) on inside using same public IP (160.1.1.2) respectively.
access-list policy extended permit ip host x.x.x.x 192.168.1.1 --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2
access-list policy extended permit ip host y.y.y.y 192.168.1.2 --> y.y.y.y will be able to access server at 192.168.1.2 using 160.1.1.2
static (inside,outside) 160.1.1.2 access-list policy
HTH
Vijaya
01-21-2010 11:04 PM
Hi,
thanks for the answer, you've understood exactly what I need with just a slight variation:
access-list policy extended permit ip host x.x.x.x 192.168.1.1 --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2
access-list policy extended permit ip ANY 192.168.1.2 --> ANY OTHER ADDRESS will be able to access server at 192.168.1.2 using 160.1.1.2
I'll test the above later on but from what I gather I won't be able to use ANY as a source address - i.e. I want only specific addresses to go to 192.168.1.1 and all others to go to 192.168.1.2
do you think this will work?
thanks
01-22-2010 10:57 AM
Hello,
You can try :
access-list policy extended permit ip host x.x.x.x host 192.168.1.1
access-list policy extended permit ip host y.y.y.y host 192.168.1.1
static (in,out)
static (in,out)
Now, since the POLICY STATIC has higher preference than normal STATIC, your specific users (x.x.x.x and y.y.y.y) will go to internal server
at 192.168.1.1 using
WHILE on the other hand, all other users will go to internal server at 192.168.1.2 using same
Try this and let me know how it goes.
Vijaya
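The final reply relies on the ASA consulting the policy static (with its access-list) before the regular static, which is what lets the catch-all for 192.168.1.2 live in a plain static instead of an ANY entry in the policy ACL. The following Python model of that inbound lookup is an added example, not anything from the thread or from Cisco; the trusted-host addresses stand in for the thread's x.x.x.x and y.y.y.y placeholders and are constructed, and the policy ACL is written from the real (inside) side, real host as source and outside peer as destination, as the static command expects.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's x.x.x.x / y.y.y.y placeholders.
TRUSTED_A = "203.0.113.10"   # x.x.x.x
TRUSTED_B = "203.0.113.20"   # y.y.y.y
MAPPED_IP = "160.1.1.2"      # the single public address used in the thread

@dataclass
class PolicyStatic:
    """Models: static (inside,outside) MAPPED access-list ACL
    acl entries are (real_inside_host, outside_network): source = real host,
    destination = outside peer; first matching entry wins."""
    mapped: str
    acl: list

@dataclass
class RegularStatic:
    """Models: static (inside,outside) MAPPED REAL netmask 255.255.255.255"""
    mapped: str
    real: str

def untranslate(dst_ip, src_ip, policy_statics, regular_statics):
    """Return the real inside host for an inbound flow src_ip -> dst_ip.
    Policy statics are checked before regular statics, the precedence the
    thread relies on; the regular static then acts as the catch-all."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy_statics:
        if rule.mapped != dst_ip:
            continue
        for real, outside_net in rule.acl:
            if src in ipaddress.ip_network(outside_net):
                return real
    for rule in regular_statics:
        if rule.mapped == dst_ip:
            return rule.real
    return None  # no translation exists: the inbound packet would be dropped

# The arrangement agreed on at the end of the thread.
POLICY = [PolicyStatic(MAPPED_IP, [("192.168.1.1", f"{TRUSTED_A}/32"),
                                   ("192.168.1.1", f"{TRUSTED_B}/32")])]
REGULAR = [RegularStatic(MAPPED_IP, "192.168.1.2")]

if __name__ == "__main__":
    for src in (TRUSTED_A, TRUSTED_B, "198.51.100.7"):
        print(src, "->", untranslate(MAPPED_IP, src, POLICY, REGULAR))
```

Putting an `any` entry for 192.168.1.2 ahead of the trusted-host entries inside the same policy ACL would, in this model as on a first-match access-list, send the trusted hosts to the wrong server, which is the problem the questioner anticipated.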