can I use both static and dynamic nat AND public/private addresses for the same inside host?

Answered Question
Mar 14th, 2010

Hello,

I have a host that is on the inside of a virtual context and I need to do the following:

for only UDP SNMP response traffic, use a specific IP RFC 1918 address on the outside interface of the context.

for all other traffic, use the existing PAT internet-routable address on the outside interface of the context.

the primary reason for this setup is because public addresses are limited and I don't want to use straight PAT translation because my monitoring host will consider all of the hosts behind a context as a single host.

Thanks,

Rob.

Correct Answer
Yudong Wu Sun, 03/14/2010 - 22:37

Maybe you can try Policy NAT.

But if the packet will be sent to internet, it might be dropped if its source IP is a private IP.

I would like to suggest you to setup a vpn tunnel so that you can keep using the private IP.

robdog01 Mon, 03/15/2010 - 16:13

Yes, I can actually use dynamic PAT policy. I will need to do more thorough testing, but this seems to be the right way to go. The only problem is that this will always be overridden by a static nat entry, so we will have to be careful how this is maintained.

Thank you,

Rob.

Kureli Sankar Mon, 03/15/2010 - 20:25

Couldn't you do nat 0 with an acl and then nat/global?

nat (inside) 0 access-l snmp-traffic

In the acl only allow the traffic destined to the snmp server on the outside (this acl cannot contain ports or protocols, only permit or deny IP).

then for the rest of the internet traffic you can use nat/global or static.

-KS

robdog01 Mon, 03/15/2010 - 23:10

The problem with the nat 0 is that I don't want to expose the internal addresses either.

One problem that I discovered with dynamic PAT policy is that I cannot translate icmp traffic... that is a problem because my monitoring software will not proceed unless it can ping.. grr!

Here is the scenario, if anyone cares to take a shot at it:

monitoring context = private lan, 10.1.1.0/24, external public address of 4.4.4.7/24  - global (outside) 1 interface

client context = private lan, 10.2.2.0/24, external public address of 4.4.4.8/24 - global (outside) 1 interface

monitoring host = 10.1.1.20/24

client host = 10.2.2.20/24

I want to S-NAT all outbound monitoring traffic (ping, http(s), snmp, wmi, etc) with 10.255.255.20/24

I want to D-NAT the monitored host with 10.130.2.20

Yes, there are 2 NAT operations to mask the 2 subnets involved.  I have specific reasons for this configuration (overlapping subnets to mention one of them), but need to be able to do it for each client context.

on the client side, for all traffic that is NOT monitor-specific (snmp reply, echo-reply, wmi-reply, etc.) to that specific host (10.255.255.20), I want to use the global 1.

Make sense?

Thanks!
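One way to express the scenario above in the pre-8.3 ASA nat/global syntax the thread already uses, as an added example that is not from any post in this thread: a plain static on the monitoring context, and on the client context a policy static translation scoped by an ACL to the monitoring peer, with ordinary nat/global PAT for everything else. The ACL name MON-PEER and the assumption that the two contexts' outside interfaces share a segment on which 10.255.255.20 and 10.130.2.20 are reachable are mine.

```cisco
! --- monitoring context (added example, not from the thread) ---
! One-to-one static: every packet the monitoring host sends out is sourced
! from 10.255.255.20, and traffic to 10.255.255.20 returns to 10.1.1.20.
! This address is RFC 1918, so (as Yudong notes) it only works for peers
! reachable on the shared outside segment, not for internet destinations.
static (inside,outside) 10.255.255.20 10.1.1.20 netmask 255.255.255.255
! The rest of 10.1.1.0/24 keeps the existing interface PAT (global 1).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! --- client context (added example, not from the thread) ---
! Policy static NAT: 10.2.2.20 appears as 10.130.2.20 only when the other
! end is the monitoring host. Matching on IP only keeps the rule simple and
! lets the monitoring host initiate SNMP, WMI and ping toward 10.130.2.20.
access-list MON-PEER extended permit ip host 10.2.2.20 host 10.255.255.20
static (inside,outside) 10.130.2.20 access-list MON-PEER
! NAT lookup order on this code train: nat 0 exemptions, then static
! (regular and policy), then policy dynamic, then regular dynamic. Because
! the static above is ACL-scoped, traffic from 10.2.2.20 to anything other
! than 10.255.255.20 does not match it and falls through to the PAT below,
! which addresses Rob's concern about a static overriding the dynamic rule.
nat (inside) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface
! Assumed: ICMP inspection so echo/echo-reply through the translations is
! tracked as a stateful session (relevant to the ping problem in the thread).
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show xlate` after a poll from the monitoring host: the client host should show one translation to 10.130.2.20 for that peer and interface-PAT translations for all other destinations.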
