nat based on outside source

g_mcco
Level 1

Hi,

I have the following situation:

server on inside with 192.168.1.1 address

outside nat address x.x.x.1

this is currently working correctly with static nat


we require to have a policy nat where we can nat outside address x.x.x.1 to a second server 192.168.1.2 based on if the source is a specific host/network

Connections are always initiated from outside (public facing web server for example).

I have been unable to identify a means of achieving this with policy nat, we can successfully nat the inside hosts to different outside addresses based on the policy access lists but we are unable to nat an outside address to multiple inside addresses.

any ideas?

3 Replies

vilaxmi
Cisco Employee

Hello,

So you need to MAP one public IP to multiple internal servers depending upon the source (external). You need a policy as follows :

if two different hosts (x.x.x.x and y.y.y.y) on outside world would like to access TWO different servers (192.168.1.1 and 192.168.1.2) on inside using same public IP (160.1.1.2) respectively.


access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 host y.y.y.y   --> y.y.y.y will be able to access server at 192.168.1.2 using 160.1.1.2

static (inside,outside) 160.1.1.2 access-list policy

HTH

Vijaya

Hi,

thanks for the answer, you've understood exactly what I need with just a slight variation:

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 any   --> ANY OTHER ADDRESS will be able to access server at 192.168.1.2 using 160.1.1.2

I'll test the above later on but from what I gather I won't be able to use ANY as a source address - i.e. I want only specific addresses to go to 192.168.1.1 and all others to go to 192.168.1.2

do you think this will work?

thanks

Hello,

You can try :

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x

access-list policy extended permit ip host 192.168.1.1 host y.y.y.y

static (inside,outside) 160.1.1.2 access-list policy

static (inside,outside) 160.1.1.2 192.168.1.2 netmask 255.255.255.255

Now, since the POLICY STATIC has higher preference than normal STATIC, your specific users (x.x.x.x and y.y.y.y) will go to internal server

at 192.168.1.1 using

WHILE on the other hand, all the rest of the users will go to internal server at 192.168.1.2 using same

Try this and let me know how it goes..

Vijaya
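The lookup order the reply relies on (policy static checked before a plain static for the same mapped address), as an added Python model that is not part of the thread or of any Cisco software. It follows the ASA convention that a policy static's access-list names the real inside host as source and the outside peer as destination; the outside addresses (203.0.113.x, 198.51.100.x) are constructed stand-ins for x.x.x.x / y.y.y.y.

```python
"""Model of how an ASA picks the inside real address for an inbound
connection to a mapped public IP: policy static entries (a static with
an access-list) are evaluated before plain static entries, in the order
they were configured. Addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class PolicyStatic:
    mapped: IPv4Address
    real: IPv4Address
    peers: list  # outside networks from the ACL's destination field


@dataclass
class PlainStatic:
    mapped: IPv4Address
    real: IPv4Address


def untranslate(rules, outside_src, mapped_dst):
    """Return the inside real address an inbound packet is delivered to,
    or None when no static covers the mapped destination."""
    src, dst = ip_address(outside_src), ip_address(mapped_dst)
    # Policy statics first: they take precedence over a plain static.
    for r in rules:
        if isinstance(r, PolicyStatic) and r.mapped == dst \
                and any(src in net for net in r.peers):
            return r.real
    # Then plain statics, which apply to every remaining outside source.
    for r in rules:
        if isinstance(r, PlainStatic) and r.mapped == dst:
            return r.real
    return None


# Constructed rule set mirroring the thread: two named outside hosts reach
# 192.168.1.1, everyone else reaches 192.168.1.2, all via 160.1.1.2.
RULES = [
    # access-list policy extended permit ip host 192.168.1.1 host 203.0.113.10
    # access-list policy extended permit ip host 192.168.1.1 host 203.0.113.11
    # static (inside,outside) 160.1.1.2 access-list policy
    PolicyStatic(ip_address("160.1.1.2"), ip_address("192.168.1.1"),
                 [ip_network("203.0.113.10/32"), ip_network("203.0.113.11/32")]),
    # static (inside,outside) 160.1.1.2 192.168.1.2 netmask 255.255.255.255
    PlainStatic(ip_address("160.1.1.2"), ip_address("192.168.1.2")),
]
```

Reversing the list order in RULES does not change the outcome, which is the point of the precedence rule: a policy static for the same mapped address always wins over the plain static.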
