can I use both static and dynamic nat AND public/private addresses for the same inside host?

robdog01 (Level 1)

Hello,

I have a host that is on the inside of a virtual context and I need to do the following:

for only UDP SNMP response traffic, use a specific RFC 1918 IP address on the outside interface of the context.

for all other traffic, use the existing PAT internet-routable address on the outside interface of the context.

the primary reason for this setup is that public addresses are limited and I don't want to use straight PAT translation because my monitoring host will consider all of the hosts behind a context as a single host.

Thanks,

Rob.

Accepted Solution

Yudong Wu (Level 7)

Maybe you can try Policy NAT.

But if the packet will be sent to internet, it might be dropped if its source IP is a private IP.

I would like to suggest you to setup a vpn tunnel so that you can keep using the private IP.


4 Replies


Yes, I can actually use dynamic PAT policy. I will need to do more thorough testing, but this seems to be the right way to go. The only problem is that this will always be overridden by a static NAT entry, so we will have to be careful how this is maintained.

Thank you,

Rob.

Couldn't you do nat 0 with an acl and then nat/global?

nat (inside) 0 access-l snmp-traffic

in the acl only allow the traffic destined to the snmp server on the outside (this acl cannot contain ports or protocols, only permit or deny IP)

then for the rest of the internet traffic you can use nat/global or static.

-KS

the problem with the nat 0 is that I don't want to expose the internal addresses either.

one problem that I discovered with dynamic PAT policy is that I cannot translate ICMP traffic... that is a problem because my monitoring software will not proceed unless it can ping... grr!

here is the scenario, if anyone cares to take a shot at it:

monitoring context = private lan, 10.1.1.0/24, external public address of 4.4.4.7/24 - global (outside) 1 interface

client context = private lan, 10.2.2.0/24, external public address of 4.4.4.8/24 - global (outside) 1 interface

monitoring host = 10.1.1.20/24

client host = 10.2.2.20/24

I want to S-NAT all outbound monitoring traffic (ping, http(s), snmp, wmi, etc) with 10.255.255.20/24

I want to D-NAT the monitored host with 10.130.2.20

Yes, there are 2 NAT operations to mask the 2 subnets involved. I have specific reasons for this configuration (overlapping subnets, to mention one of them), but need to be able to do it for each client context.

on the client side, for all traffic that is NOT monitor-specific (snmp reply, echo-reply, wmi-reply, etc.) to that specific host (10.255.255.20), I want to use the global 1.

Make sense?

Thanks!
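One way to build the scenario above on each context, as an added example rather than configuration from anyone in this thread. It uses the pre-8.3 nat/global/static syntax already quoted in the thread, and assumes that the mapped addresses of monitored hosts live in 10.130.0.0/16 and that both contexts' outside interfaces share one segment; the ACL names are made up.

```cisco
! ---- Client context (assumed pre-8.3 ASA syntax; ACL names are made up) ----
! Only flows between the client host and the monitoring host's mapped address
access-list MON-POLL extended permit ip host 10.2.2.20 host 10.255.255.20
! Static policy NAT: 10.2.2.20 is seen as 10.130.2.20 by 10.255.255.20 and nobody else.
! Static entries are evaluated before dynamic ones, so the ACL scope is what keeps
! this from overriding the global 1 PAT for every other destination.
static (inside,outside) 10.130.2.20 access-list MON-POLL
! Everything else from the inside subnet: regular PAT on the context's public address
nat (inside) 1 10.2.2.0 255.255.255.0
global (outside) 1 4.4.4.8

! ---- Monitoring context ----
! Monitoring host talking to the mapped addresses of monitored hosts (assumed 10.130.0.0/16)
access-list MON-OUT extended permit ip host 10.1.1.20 10.130.0.0 255.255.0.0
! Static policy NAT: 10.1.1.20 appears as 10.255.255.20 only toward that range.
! The translation is one-to-one, so ICMP echo is carried along with SNMP/WMI/HTTP.
static (inside,outside) 10.255.255.20 access-list MON-OUT
! All other outbound traffic (internet) keeps the context's public PAT address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 4.4.4.7
```

Because both policy ACLs match only the private mapped addresses, neither 10.130.2.20 nor 10.255.255.20 is ever used as a source toward internet destinations, which is the drop risk Yudong raised; `show xlate` on each context confirms which translation a given flow picked.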
