I was thinking along those lines,  Any example of Policy based natting?

Local Support not natted (exclept to test with some host) and remote user always using the NAT.

This is just a static tcp nat.

ip nat inside soure stat tcp INSIDEADDRESS 443 OUTSIDEADDRESS 443

Take a look at Policy NAT and let us know if you need help:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Federico.

It is a 6500 with Sup720 do the natting with vlans, the firewalls are not ASA.

Any example of policy based routing with Cisco Native IOS?

Ok, so there's no FWSM on the 6500, is just IOS.

In that case, you can check IOS NAT information here:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051153

Most likely what you're looking for is to be able to NAT not only based on source but based on destination as well?

Regular NAT on IOS use a configuration like this:

ip nat inside source route-map NAT interface Fast0/0 overload

route-map NAT

match ip address 199

set ip next-hop x.x.x.x

ip access-list extended 199 permit ip 10.0.0.0 0.0.0.255 any

The above configuration, translates the 10.0.0.0/24 to the outside interface IP (PAT) when going to the Internet.

The same concept can apply to inbound traffic as well.

You can also put condition on NAT binding a route-map to a STATIC NAT statement for example.

Let us know how does it goes...

Federico.

I can either static nat or use non-natted address, but I would like some local people(test) to get to non-natted address.  At least one local box be able to get to the natted for test, but when I static nat the nat works locally and remotely, but when I go to the non-natted address(of the natted address) the return traffic to the Sun box doing a dump, reports the the ip it being natted back to the natted address.

Out

If on the 6500 you create a static NAT, i.e.
ip nat inside source static 1.1.1.1 2.2.2.2
This means that from the outside, you can access 2.2.2.2 and from the inside can access 1.1.1.1

If the IP addresses behind the 6500 are public or routable addresses, you can access them without NAT.

The problem is that if you create a STATIC NAT like the one above, you are defining that the device will be seen with the public
IP from the outside and with the private IP from the inside.

If you want the STATIC NAT and modify this behavior, you bind a route-map to the STATIC NAT.
In this way you define when does the STATIC NAT takes place and when not.
Is this what you're looking for?

Federico.

The network that is not-natted is not know outside the local network(routes from the 6500 to Firewall.

But I have testers that don't want to change there test procedures.  If do a static nat:

ip nat inside source static 2.2.2.1 443 3.3.3.1 443.

The 3.3.3.1 works fine from outside the network and locally.

But when I try to access 2.2.2.1 from local servers response traffic is from 2.2.2.1(Sun snoop) gets natted to 3.3.3.1.

Will a static nat bound to route-policy work for this?  Can you give me an example with this scenario?