03-14-2010 10:21 PM - edited 03-11-2019 10:21 AM
Hello,
I have a host that is on the inside of a virtual context and I need to do the following:
For only UDP SNMP response traffic, use a specific RFC 1918 IP address on the outside interface of the context.
For all other traffic, use the existing PAT internet-routable address on the outside interface of the context.
The primary reason for this setup is that public addresses are limited and I don't want to use straight PAT translation because my monitoring host will consider all of the hosts behind a context as a single host.
Thanks,
Rob.
03-14-2010 10:37 PM
Maybe you can try Policy NAT.
But if the packet will be sent to internet, it might be dropped if its source IP is a private IP.
I would like to suggest that you set up a VPN tunnel so that you can keep using the private IP.
03-15-2010 04:13 PM
Yes, I can actually use dynamic PAT policy. I will need to do more thorough testing, but this seems to be the right way to go. The only problem is that this will always be overridden by a static NAT entry, so we will have to be careful how this is maintained.
Thank you,
Rob.
03-15-2010 08:25 PM
Couldn't you do nat 0 with an ACL and then nat/global?
nat (inside) 0 access-l snmp-traffic
In the ACL, only allow the traffic destined to the SNMP server on the outside (this ACL cannot contain ports or protocols, only permit or deny IP).
Then, for the rest of the internet traffic, you can use nat/global or static.
-KS
03-15-2010 11:10 PM
The problem with nat 0 is that I don't want to expose the internal addresses either.
One problem that I discovered with dynamic PAT policy is that I cannot translate ICMP traffic... that is a problem because my monitoring software will not proceed unless it can ping.. grr!
Here is the scenario, if anyone cares to take a shot at it:
monitoring context = private lan, 10.1.1.0/24, external public address of 4.4.4.7/24 - global (outside) 1 interface
client context = private lan, 10.2.2.0/24, external public address of 4.4.4.8/24 - global (outside) 1 interface
monitoring host = 10.1.1.20/24
client host = 10.2.2.20/24
I want to S-NAT all outbound monitoring traffic (ping, http(s), SNMP, WMI, etc.) with 10.255.255.20/24.
I want to D-NAT the monitored host with 10.130.2.20.
Yes, there are 2 NAT operations to mask the 2 subnets involved. I have specific reasons for this configuration (overlapping subnets, to mention one of them), but I need to be able to do it for each client context.
On the client side, for all traffic that is NOT monitor-specific (SNMP reply, echo-reply, WMI reply, etc.) to that specific host (10.255.255.20), I want to use the global 1.
Make sense?
Thanks!
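As an added example (not the thread's own configuration), the layout below shows one way to realise the scenario in the last post in pre-8.3 ASA syntax, using static policy NAT rather than dynamic policy PAT for the monitor-specific flows so that the monitor can also initiate polls and pings to the mapped address. The ACL and interface names, the monitoring protocols listed and the assumption that `inspect icmp` is enabled are mine, not the thread's; the addresses are the scenario values from the post above.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT (nat/global/static syntax).
! Addresses are the scenario values from the post; ACL and interface names are assumptions.

! ---------------- monitoring context ----------------
! Every packet the monitoring host sends out is sourced from 10.255.255.20.
! A static entry is evaluated before nat/global, so it wins for this host.
static (inside,outside) 10.255.255.20 10.1.1.20 netmask 255.255.255.255
! The remaining inside hosts keep the existing routable PAT address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 4.4.4.7

! ---------------- client context ----------------
! Only the client host's conversations with the monitoring address match:
! 10.2.2.20 appears as 10.130.2.20 for those flows and for nothing else.
access-list MON-TRAFFIC extended permit ip host 10.2.2.20 host 10.255.255.20
static (inside,outside) 10.130.2.20 access-list MON-TRAFFIC
! All other outbound traffic from the client LAN uses the routable global 1.
nat (inside) 1 10.2.2.0 255.255.255.0
global (outside) 1 4.4.4.8
! Inbound polls from the monitor are permitted only to the mapped address and
! only for the monitoring protocols (pre-8.3 inbound ACLs reference mapped addresses).
! Assumed protocol list: SNMP, ICMP echo, HTTP; adjust to what the monitor really uses.
access-list OUTSIDE-IN extended permit udp host 10.255.255.20 host 10.130.2.20 eq snmp
access-list OUTSIDE-IN extended permit icmp host 10.255.255.20 host 10.130.2.20 echo
access-list OUTSIDE-IN extended permit tcp host 10.255.255.20 host 10.130.2.20 eq www
access-group OUTSIDE-IN in interface outside
! Replies to those polls (SNMP reply, echo-reply) ride the existing xlate and
! connection, so they leave as 10.130.2.20 with no separate outbound rule.
! Assumes "inspect icmp" is in the global policy so echo replies are tracked
! per connection instead of needing their own ACL entries.
```

Because the static policy entry is matched before the dynamic nat/global pair, the monitor-specific flows cannot be captured by global 1, and because it is a 1:1 mapping the monitoring context can open SNMP, ICMP and TCP sessions toward 10.130.2.20 without the ICMP limitation mentioned for dynamic policy PAT.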