Multiple hosts in policy NAT

Answered Question
Aug 10th, 2010

How can I do this:

access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver

access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0

static (production,outside) 172.16.11.200 access-list AL200 0 0

RvanRouwendaal Tue, 08/10/2010 - 13:55

So what you are trying to say is that it is not possible at all? I don't understand; could you give me some directions?

Correct Answer
Andrew Ossipov Tue, 08/10/2010 - 13:59

You can policy PAT traffic from just two hosts to the given IP address (this will only work outbound), but you cannot do it with the configuration above. The policy PAT would look somewhat like this:

nat (production) 11 access-list AL200

global (outside) 11 172.16.11.200

Andrew

RvanRouwendaal Tue, 08/10/2010 - 14:05

Thank you so much, this worked like a charm.

What kind of problems could this give?

Andrew Ossipov Tue, 08/10/2010 - 14:10

Glad it helped! It is a fairly standard NAT configuration, so it should work without problems. The only caveat is that you cannot initiate reverse connections from outside between the hosts and subnets identified in the ACL.

Andrew

RvanRouwendaal Tue, 08/10/2010 - 14:17

I don't really understand your last post. Does this mean no traffic could come in on 172.16.11.200?

Andrew Ossipov Tue, 08/10/2010 - 14:19

That is correct, you cannot initiate inbound connections to 172.16.11.200. This is the main property of dynamic PAT. In order to initiate inbound connections, you must have one-to-one mapping with either one IP per inside host or one port per inside service (static PAT).

Andrew

RvanRouwendaal Tue, 08/10/2010 - 14:23

Hmmm, that's going to be a problem, because these rules initiate from both sides:

access-list AL200 permit ip host 172.16.11.26 host TMGGSNnew
access-list AL200 permit ip host 172.16.11.26 TMmeterpool 255.255.240.0

Is there a workaround for this?

Andrew Ossipov Tue, 08/10/2010 - 14:26

The workaround is to dedicate one mapped (public) IP to each inside (private) host. I.e.:

access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 Routers 255.255.255.248
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.27 host EIserver

access-list AL201 permit ip host 172.16.11.26 host GGSNnew
access-list AL201 permit ip host 172.16.11.26 Meterpool 255.255.240.0

static (production,outside) 172.16.11.200 access-list AL200

static (production,outside) 172.16.11.201 access-list AL201
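The three configurations in this thread (the original static policy NAT with two inside hosts behind one mapped IP, Andrew's dynamic policy PAT, and the one-mapped-IP-per-host workaround) differ in one security-relevant property: whether a connection can be initiated from the outside to the mapped address. The following Python checker is an added example, not code from the thread or from Cisco. It parses only the command forms that appear above (`access-list ... permit ip host ...`, `static (in,out) <ip> access-list <acl>`, `nat (in) <id> access-list <acl>`, `global (out) <id> <ip>`) and applies the rules Andrew states: a static policy entry needs exactly one inside host per mapped IP, and dynamic PAT never permits inbound initiation. The sample configurations are copied from the thread; the parsing rules are a simplified model and do not reproduce full ASA NAT semantics.

```python
import re
from collections import defaultdict

# Sample inputs reconstructed from the thread (constructed test data).
OP_CONFIG = """
access-list AL200 permit ip host 172.16.11.27 Units 255.255.192.0
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.26 host GGSNnew
access-list AL200 permit ip host 172.16.11.26 Meterpool 255.255.240.0
static (production,outside) 172.16.11.200 access-list AL200 0 0
"""

PAT_CONFIG = """
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL200 permit ip host 172.16.11.26 host GGSNnew
nat (production) 11 access-list AL200
global (outside) 11 172.16.11.200
"""

FIXED_CONFIG = """
access-list AL200 permit ip host 172.16.11.27 host IMSA
access-list AL201 permit ip host 172.16.11.26 host GGSNnew
static (production,outside) 172.16.11.200 access-list AL200
static (production,outside) 172.16.11.201 access-list AL201
"""

# Only the command shapes used in this thread are recognised (assumption).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+access-list\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def parse(config):
    """Collect inside source hosts per ACL, plus static / nat / global lines."""
    acl_hosts = defaultdict(set)   # ACL name -> inside source hosts
    statics = []                   # (mapped_ip, acl_name)
    nats = {}                      # nat id -> acl_name
    globals_ = {}                  # nat id -> mapped_ip
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_hosts[m.group(1)].add(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))
        elif m := NAT_RE.match(line):
            nats[m.group(2)] = m.group(3)
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = m.group(3)
    return acl_hosts, statics, nats, globals_


def analyse(config):
    """Return, per mapped IP: translation type, inside hosts, whether inbound
    connections can be initiated, and any configuration problem found."""
    acl_hosts, statics, nats, globals_ = parse(config)
    result = {}
    for mapped, acl in statics:
        hosts = sorted(acl_hosts.get(acl, ()))
        problem = None
        if len(hosts) != 1:
            # A static policy entry is one-to-one: one inside host per mapped IP.
            problem = (f"static policy NAT maps {len(hosts)} inside hosts to "
                       f"{mapped}; use dynamic PAT (outbound only) or one "
                       f"mapped IP per inside host")
        result[mapped] = {"type": "static", "inside_hosts": hosts,
                          "inbound_ok": problem is None, "problem": problem}
    for nat_id, acl in nats.items():
        mapped = globals_.get(nat_id)
        problem = None if mapped else f"nat id {nat_id} has no matching global"
        # Dynamic PAT builds translations only for outbound flows, so nothing
        # from outside can open a connection to the mapped address.
        result[mapped or f"nat-id-{nat_id}"] = {
            "type": "dynamic PAT", "inside_hosts": sorted(acl_hosts.get(acl, ())),
            "inbound_ok": False, "problem": problem}
    return result


def report(config):
    """Human-readable summary, one line per mapped IP."""
    lines = []
    for mapped, info in sorted(analyse(config).items()):
        status = "inbound allowed" if info["inbound_ok"] else "outbound only"
        lines.append(f"{mapped}: {info['type']} for {info['inside_hosts']} "
                     f"({status}){' - ' + info['problem'] if info['problem'] else ''}")
    return lines


if __name__ == "__main__":
    for name, cfg in (("original", OP_CONFIG), ("policy PAT", PAT_CONFIG),
                      ("one IP per host", FIXED_CONFIG)):
        print(f"== {name} ==")
        print("\n".join(report(cfg)))
```

Running it flags the original `static ... access-list AL200` because AL200 carries two inside source hosts, marks the policy PAT variant as outbound-only (which is exactly the caveat raised later in the thread), and passes the two-IP workaround with inbound initiation possible on both mapped addresses.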

RvanRouwendaal Tue, 08/10/2010 - 14:29

172.16.11.201 doesn't have access to the VPNs... so that's a no-go...

The problem is that on the old server we had 2 environments which went to 3 VPNs... all using the 200 NAT. Now we made two new servers (one goes to 2 VPNs and one goes to the third). They still need to do so with the 200 NAT.
