hi halijenn / experts,
I want to configure NAT for the Network 192.168.16.0/24 to destination 192.168.41.2/32 which must be translated to 188.8.131.52.Also few of the servers
addresses on 192.168.16.0/24 must be translated to different NAT addresses to all other destination (except 192.168.41.2).For example,
192.168.16.2 must be translated to 184.108.40.206 while going to any destination (except 192.168.41.2)
Please let me know if the below is correct
access-list ACLPOLICY extended permit ip 192.168.16.0 255.255.255.0 host 192.168.41.2
nat (INSIDE) 1 access-list ACLPOLICY
nat (INSIDE) 2 192.168.16.2 255.255.255.255
global (OUTSIDE) 1 220.127.116.11
global (OUTSIDE) 2 18.104.22.168
The issue is that according to NAT Order of operations NAT 0 with ACL comes first , followed by existing xlates and so on .Hence when the user will
initiate the connection from 192.168.16.2 to www.google.com , the translation entry will be created for the 192.168.16.2 with the global 22.214.171.124 ; however
if at the same time the user will try to access destination 192.168.41.2 , will the firewall take the existing translation or it will consider 126.96.36.199 for NATTING
In my case the packet doesnot consider the existing xlates and doesnot takes the correct NAT.Plz let me know if any other solution exists to accomplish
You should have 2 lines of xlate entries, one for each global address it's PATed to.
You can check more details from "show xlate detail" output.
Actually, just thinking further on NAT, if you are going to a different destination, that will not be considered as the same translation/existing translation. A translation line will only be from the same source towards the same destination with multiple connections (eg: http, https, ftp, etc) on 1 translation line.
Hence, from your example, if it's not going towards destination of 192.168.41.2 then it will check the next NAT statement inline, and should match your "nat (inside) 2 192.168.16.2"
NT is correct, configuration is OK for what you are trying to achive as long as it is exactly how it is configured in your firewall (ie: the order of the NAT statements on the actual firewall).
Your configuration looks good. When the traffic hits the firewall, the NAT with the ACL is evaluated before other NAT rules. So, in your case, if the traffic is going to 192.168.42.x, then the first NAT rule will be applied. Also, the other thing to notice is that, while the firewall looks into the XLATE table to see if there is any current XLATE, it is bound by the access-list rules. So, with the configuration you have, you should be able to acheive the goal.
Hope this helps.