I need your help in getting a resolution to the NATing problem mentioned below.
I have a 10.x.x.x network in place (Site A). Another partner who also houses a 10.x.x.x subnet (Site B) needs to access a particular server within Site A.
1. Site B has a group of 6 servers which need to communicate with the server in Site A.
2. The 6 servers at Site B would be statically NATed and the requests from Site B -> Site A will be unidirectional in nature. The public IP at Site A would also be NATed to permit these 6 IPs.
3. The server housed in Site A caters to requests both from Site B as well as from other sites via the same public IP.
4. A simple straightforward static NAT causes every request coming to the public IP to get NATed.
static (inside,outside) public_ip Server_ip netmask 255.255.255.255
5. To solve this a policy / conditional NAT has been configured as follows...
NOTE: PUBLIC_IP = public IP pointing to the Site A server; SITE_B-CLUSTER = 6 servers at Site B
access-list outside-incoming extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS
access-list conditional-nat extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS
static (inside,outside) PUBLIC_IP access-list conditional-nat
6. Now when I am configuring this I am encountering the following errors...
- Protocol mismatch between the static and access-list - solved this by making my conditional-nat ACL IP-based.
- access-list used in static has different local addresses
I am not able to solve the 2nd error. Could someone please help?
I would also like to know what my alternatives are if I have to maintain the conditional-nat access-list as a TCP-based ACL?
I would also like some material which I could read on policy NAT and NAT basics.
Uzair Syed Naveed
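Added example, not from the post above: a small lint script that checks a pre-8.3 ASA/PIX `static ... access-list` pair the way the firewall's parser does when it raises the two errors quoted in the post. It assumes the documented rule that the ACL named in a policy static must describe a single real (local) source address, with the source being the inside server and the destination the remote hosts; it encodes the poster's own report that a non-port static accepts only `ip` ACEs, and the command-reference form `static (inside,outside) tcp MAPPED PORT access-list ACL` for keeping a TCP ACL. The object-group contents, the addresses 203.0.113.10 (standing in for PUBLIC_IP) and 10.1.1.50 (standing in for the inside server) are constructed placeholders.

```python
"""Lint an ASA/PIX (pre-8.3 syntax) policy static NAT against its ACL.

Constructed placeholders: 203.0.113.10 plays PUBLIC_IP, 10.1.1.50 plays the
inside server, and the object groups below stand in for the poster's
SITE_B-CLUSTER and TCP-PORTS.
"""
import ipaddress
import re

OBJECT_GROUPS = {
    "SITE_B-CLUSTER": [f"10.20.0.{i}" for i in range(11, 17)],  # 6 Site B hosts
    "TCP-PORTS": ["443", "8443"],
}
MASK_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def _take_addr(tokens, groups):
    """Consume one address spec (any | host X | object-group G | NET MASK)."""
    kw = tokens[0]
    if kw == "any":
        return {"any"}, tokens[1:]
    if kw == "host":
        return {tokens[1]}, tokens[2:]
    if kw == "object-group":
        return set(groups[tokens[1]]), tokens[2:]
    if len(tokens) > 1 and MASK_RE.match(tokens[1]):
        net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        return {str(net)}, tokens[2:]
    raise ValueError(f"unparsed address at: {' '.join(tokens)}")


def parse_ace(line, groups=OBJECT_GROUPS):
    """Parse 'access-list NAME extended permit PROTO SRC DST [ports]'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or "permit" not in tok:
        raise ValueError(f"not a permit ACE: {line}")
    rest = tok[tok.index("permit") + 1:]
    proto, rest = rest[0], rest[1:]
    src, rest = _take_addr(rest, groups)
    dst, rest = _take_addr(rest, groups)
    return {"acl": tok[1], "proto": proto, "src": src, "dst": dst, "ports": rest}


def parse_static(line):
    """Parse 'static (real,mapped) [tcp|udp MAPPED PORT | MAPPED] access-list ACL'."""
    tok = line.split()
    if tok[0] != "static":
        raise ValueError(f"not a static: {line}")
    proto = tok[2] if tok[2] in ("tcp", "udp") else "ip"
    i = 3 if proto != "ip" else 2            # index of the mapped address
    j = i + 2 if proto != "ip" else i + 1    # index of the 'access-list' keyword
    if tok[j] != "access-list":
        raise ValueError(f"expected access-list keyword: {line}")
    return {"proto": proto, "mapped": tok[i], "acl": tok[j + 1]}


def lint_policy_static(static_line, acl_lines, groups=OBJECT_GROUPS):
    """Return a list of problems; an empty list means the pair is consistent."""
    st = parse_static(static_line)
    aces = [a for a in (parse_ace(l, groups) for l in acl_lines) if a["acl"] == st["acl"]]
    if not aces:
        return [f"access-list {st['acl']} referenced by static has no entries"]
    problems = []
    # 1. protocol: a plain static takes 'ip' ACEs; a tcp/udp static takes that protocol
    if any(a["proto"] != st["proto"] for a in aces):
        problems.append("Protocol mismatch between the static and access-list")
    # 2. one real (local) address: all ACE sources together must be exactly one host
    local = set().union(*(a["src"] for a in aces))
    if len(local) != 1 or "any" in local:
        problems.append("access-list used in static has different local addresses")
    # 3. direction hint: the mapped address belongs in the static, not in the ACL's dst
    if any(st["mapped"] in a["dst"] for a in aces):
        problems.append("mapped address appears as destination: ACL source should be "
                        "the real server, destination the remote hosts")
    return problems


# The post's configuration after its first fix (ACL made ip-based), constructed values.
POSTED_STATIC = "static (inside,outside) 203.0.113.10 access-list conditional-nat"
POSTED_ACL = ["access-list conditional-nat extended permit ip object-group SITE_B-CLUSTER host 203.0.113.10"]
# Same intent with the real server as the ACL source.
FIXED_ACL = ["access-list conditional-nat extended permit ip host 10.1.1.50 object-group SITE_B-CLUSTER"]
# Port-based variant that keeps a TCP ACL (assumed command-reference syntax).
TCP_STATIC = "static (inside,outside) tcp 203.0.113.10 443 access-list conditional-nat-tcp"
TCP_ACL = ["access-list conditional-nat-tcp extended permit tcp host 10.1.1.50 object-group SITE_B-CLUSTER eq 443"]

if __name__ == "__main__":
    for label, st, acl in (("posted", POSTED_STATIC, POSTED_ACL),
                           ("fixed", POSTED_STATIC, FIXED_ACL),
                           ("tcp", TCP_STATIC, TCP_ACL)):
        print(label, lint_policy_static(st, acl) or "OK")
```

Running it prints the posted pair's two problems (the six Site B hosts expand to six different local addresses, and the mapped address sits in the ACL's destination), and "OK" for both the ip-based and the port-based corrected pairs.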