04-19-2010 03:36 PM - edited 03-06-2019 10:41 AM
I have a network with firewalls and support networks. I would like to test external users with my support area, but I do not want to NAT everything.
Outside network --FW--(NAT Outside)Support Network(network 1.1.1.0/24 (NAT Inside) ->FW-->Router NAT
Support Servers 1.1.1.0/24 2.2.2.2
Support known network (3.3.3.0/24) 3.3.3.2 ---NATted to--> 2.2.2.2
All outside network would target 3.3.3.2. Support Network(DMZ) would be able to test both 3.3.3.2 and 2.2.2.2 network at the same time.
I have multiple routers with this configuration. It works with one out of 4 interfaces.
Any help?
04-19-2010 03:44 PM
Hi,
Sounds like you need some kind of Policy NAT to be able to NAT traffic depending on where the traffic is coming from and/or where it is going? Is this correct?
Is this an IPsec L2L tunnel?
If so, between which devices?
Federico.
04-20-2010 04:52 AM
I was thinking along those lines. Any example of policy-based NATting?
Local support not NATted (except to test with some host) and remote users always using the NAT.
This is just a static TCP NAT:
ip nat inside source static tcp INSIDEADDRESS 443 OUTSIDEADDRESS 443
04-20-2010 12:59 PM
Take a look at Policy NAT and let us know if you need help:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419
Federico.
04-20-2010 01:40 PM
It is a 6500 with a Sup720 doing the NATting with VLANs; the firewalls are not ASAs.
Any example of policy-based routing with Cisco native IOS?
04-20-2010 01:52 PM
Ok, so there's no FWSM on the 6500, it's just IOS.
In that case, you can check IOS NAT information here:
Most likely what you're looking for is to be able to NAT not only based on source but based on destination as well?
Regular NAT on IOS uses a configuration like this:
ip nat inside source route-map NAT interface Fast0/0 overload
route-map NAT permit 10
 match ip address 199
 set ip next-hop x.x.x.x
access-list 199 permit ip 10.0.0.0 0.0.0.255 any
The above configuration translates 10.0.0.0/24 to the outside interface IP (PAT) when going to the Internet.
The same concept can apply to inbound traffic as well.
You can also put a condition on the NAT by binding a route-map to a STATIC NAT statement, for example.
Let us know how it goes...
Federico.
04-21-2010 07:53 AM
I can either static NAT or use the non-NATted address, but I would like some local people (test) to get to the non-NATted address, and at least one local box to be able to get to the NATted address for test. When I static NAT, the NAT works locally and remotely, but when I go to the non-NATted address (of the NATted address), the return traffic to the Sun box doing a dump reports that the IP is being NATted back to the NATted address.
Out
04-21-2010 10:53 AM
If on the 6500 you create a static NAT, i.e.
ip nat inside source static 1.1.1.1 2.2.2.2
This means that from the outside you can access 2.2.2.2, and from the inside you can access 1.1.1.1.
If the IP addresses behind the 6500 are public or routable addresses, you can access them without NAT.
The problem is that if you create a STATIC NAT like the one above, you are defining that the device will be seen with the public IP from the outside and with the private IP from the inside.
If you want the STATIC NAT but want to modify this behavior, you bind a route-map to the STATIC NAT.
In this way you define when the STATIC NAT takes place and when it does not.
Is this what you're looking for?
Federico.
04-21-2010 11:55 AM
The network that is not NATted is not known outside the local network (routes from the 6500 to the firewall).
But I have testers that don't want to change their test procedures. If I do a static NAT:
ip nat inside source static 2.2.2.1 443 3.3.3.1 443
then 3.3.3.1 works fine from outside the network and locally.
But when I try to access 2.2.2.1 from local servers, the response traffic from 2.2.2.1 (seen with Sun snoop) gets NATted to 3.3.3.1.
Will a static nat bound to route-policy work for this? Can you give me an example with this scenario?
04-22-2010 05:25 PM
(config)# ip nat inside source static 3.3.3.1 2.2.2.1 route-map NAT
(config)# route-map NAT permit 10
(config-route-map)# match ip address NAT-ACL
(config)# ip access-list extended NAT-ACL
(config-ext-nacl)# 10 deny ip host 1.1.1.1 any
(config-ext-nacl)# 15 permit ip host 1.1.1.2 any
(config)# interface vlan 200
(config-if)# ip nat inside
(config-if)# ip address 2.2.2.254 255.255.255.0
(config)# interface vlan 100
(config-if)# ip nat outside
(config-if)# ip address 2.2.2.254 255.255.255.0
The NAT seems to work for both 3.3.3.1 and 2.2.2.1, but the route-map does not seem to work: at least there are no hits on the route-map or on NAT-ACL, yet there are NAT translations.
It seems to be a bug. If you remove the route-map before the ip nat static, it crashes the 6500.
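As an added illustration (not from this thread or from Cisco), a small Python model of the decision a route-map bound to a static NAT makes for inside-to-outside traffic. It assumes, as Cisco's documentation for route-map-conditioned static NAT describes, that the route-map ACL is evaluated against the untranslated packet, so its source is the inside local address (2.2.2.1 here, mapped to 3.3.3.1 as in the earlier post); 198.51.100.7 is a constructed outside client, and only inside-initiated flows are modelled.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

class Packet(NamedTuple):
    src: str
    dst: str

class AclEntry(NamedTuple):
    action: str  # "permit" or "deny"
    src: str     # "host A.B.C.D", "any", or "A.B.C.D/len" (shorthand for an IOS wildcard mask)
    dst: str

def _matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    for entry in acl:  # first matching entry wins, as in IOS
        if _matches(entry.src, pkt.src) and _matches(entry.dst, pkt.dst):
            return entry.action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def inside_to_outside(pkt: Packet, inside_local: str, inside_global: str,
                      acl: List[AclEntry]) -> Tuple[Packet, bool]:
    """Model (assumed behaviour): translate only when the packet is sourced by the
    inside local address AND the route-map ACL permits the untranslated packet."""
    if pkt.src != inside_local or not acl_permits(acl, pkt):
        return pkt, False
    return Packet(inside_global, pkt.dst), True

# The ACL as posted above: keyed on the testers' addresses as the packet source.
POSTED_ACL = [AclEntry("deny", "host 1.1.1.1", "any"),
              AclEntry("permit", "host 1.1.1.2", "any")]
# Same intent, keyed on the server's source with the tester as the destination.
SERVER_SOURCED_ACL = [AclEntry("deny", "host 2.2.2.1", "host 1.1.1.1"),
                      AclEntry("permit", "host 2.2.2.1", "any")]

def source_seen_by(acl: List[AclEntry]) -> Dict[str, str]:
    """Source address each client sees on replies from 2.2.2.1 (inside local),
    which the static entry maps to 3.3.3.1 (inside global)."""
    seen = {}
    for client in ("1.1.1.1", "1.1.1.2", "198.51.100.7"):  # last one is constructed
        pkt, _ = inside_to_outside(Packet("2.2.2.1", client), "2.2.2.1", "3.3.3.1", acl)
        seen[client] = pkt.src
    return seen
```

With the posted ACL no reply is ever translated, because the packets the route-map sees are sourced by 2.2.2.1, not 1.1.1.x; with the server-sourced ACL, 1.1.1.1 sees 2.2.2.1 while 1.1.1.2 and outside clients see 3.3.3.1.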