Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
3
Replies

NAT/PAT solution in Cisco 515e firewall

c1scouser
Level 1
Level 1

‎02-02-2010 11:00 AM - edited ‎03-11-2019 10:04 AM

My internal IP address range is due to be changed from 172.x.x.x net to 10.x.x.x net in March, in which not enough time to migrate my systems and access. Is there a NAT/PAT solution in which requests to internal hosts can be translated to 10.x.x.x host? I want to leave my internal network with 172.x.x..x but also I want the outside world to contact my network as 10.x.x.x network, also outside network and hosts should be able at the same time contact my network as 172.x.x.x. along with 10.x.x..x net

Thanks

Labels:
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎02-02-2010 01:48 PM

Hello Raed

How is your WAN setup ? Is there a router terminating the connection and then forwards the traffic to this firewall ? or is the connection directly onto the firewall ? if there is a router, then yes, you can forward the traffic onto NATted/PATed IP addresses (incase these are not overlapping anywhere on your network)..

make sure you document all traffic which enters and exits your netework... Incase of desktops which would just have outbound connection, you can PAT the 172.x.x.x network to 10.x.x.x IP address and route them across.. this is the case ONLY when these PCs have just outbound connections.. if you need to manage these PCs inbound directly on IP, then you would have issues with PAT.. you should then do a one-to-one NAT which can become a bit difficult, depending on the number of PCs on your network..

For Server and printers which would be accessed from outside (traffic both ways) , you can define static One-on-one NAT rules.. you can define a static with 172.x.x.x local and 10.x.x.x global, so that the server can go out to your WAN, and also traffic from outside can come in.. it all depends on your network layout...

One big advantage of NATting this way, is your existing routing information stays, and you just need to add small static routes for your 10.x.x.x network on the external router.. if you readdress whole LAN, you might have to change routing both internal and external..

Hope this helps.. all the best...


Raj

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to sachinraja

‎02-02-2010 05:38 PM

You would like the outside hosts to talk to the inside hosts using their 172.x.x.x as well as 10.x.x.x?? This may be possible only when you know which outside hosts or network will try to address them as 172.x.x.x.

You can use nat exemtion if they need to be access using their real IPs and you can do static 1-1 (172.x.x.x to 10.x.x.x) if they try to access them via the translated address.

example:

nat (inside) 0 access-l no-nat

access-list no nat permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

static (inside,outside) 10.0.0.0 172.0.0.0 net 255.0.0.0

nat 0 with acl takes precedence and is bi-directional just like the static.

-KS

0 Helpful

c1scouser
Level 1
Level 1
In response to sachinraja

‎02-03-2010 08:11 AM

I only have few servers to communicate that way and yes there is a router behind the firewall handling the routing of 10.x.x..x network.

I only want to make the change in my firewall in which as you mentioned static one-on-one , for example:

static(local global) 172.x.x.2 10.x.x.2 255.255.255.255 and that goes for each server. Is this all I need to add to my firewall to get this NAT in place?

Thank you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card