Cisco Support Community
New Member

Destination NAT based on source IP?

Is it possible to NAT to 1 of 2 different inside destination IPs based solely on the external source IP address?

There is something similar described but it doesn't work:

access-list WEB permit tcp host 10.1.2.1 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp host 10.1.3.1 209.165.201.11 255.255.255.255 eq 23
nat (outside) 1 access-list WEB outside
global (inside) 1 209.165.202.129
nat (outside) 2 access-list TELNET outside
global (inside) 2 209.165.202.130

Thanks,

Dan

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Destination NAT based on source IP?

Hi Dan,

One final follow-up to this conversation (just for completeness). If you happened to use policy-nat, please note that it does not support using ports in the ACL. The ACL must only contain IPs/networks and no ports.

Sorry for not mentioning that sooner.

Sincerely,

David.

9 REPLIES
Cisco Employee

Re: Destination NAT based on source IP?

Your question isn't totally clear.

The config above is accurate (assuming you know what it is doing). You are missing the translation for the internal host you are attempting to access (i.e. static (inside,outside) 209.165.201.11 ...). However, I can't add much more without more specifics, and things like the version you are running, etc., as there are a lot of other variables involved.

Sincerely,

David.

New Member

Re: Destination NAT based on source IP?

Hi David:

Here's a better description of my scenario:

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.1.1 port 80.

If 10.1.1.2 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.2.2 port 80.

It makes sense that this requires a corresponding static entry as well.

Thanks,

Dan

Cisco Employee

Re: Destination NAT based on source IP?

Hi Dan,

Then ok that will work.

Sincerely,

David.

New Member

Re: Destination NAT based on source IP?

Hi David:

OK, great. But I'm still confused on the syntax. Here's what I have so far:

access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
nat (outside) 2 access-list host2 outside
global (inside) 2 192.168.2.2

But, I don't think the static command will let you map the same IP twice:

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80

Your help is greatly appreciated,

Dan

Cisco Employee

Re: Destination NAT based on source IP?

Hi Dan,

Think of NATing in 2 parts:

a) Internal device's source IP being NATed when it accesses devices on the outside

b) External device's source IP being NATed when it accesses devices on the inside

For the config you have been focusing on, that covers (b), whereby you are policy-NATing the source IP of the hosts on the outside (10.1.1.1 and 10.1.1.2) when they attempt to access 172.16.0.1 on the inside. Each outside host will be translated to a different inside IP.

For the case of (a) you just need a single static, as both outside hosts are accessing the same server. (right?) If that server's IP address is not being translated, then the command would just be:

static (inside,outside) 172.16.0.1 172.16.0.1 netmask 255.255.255.255

That statement just tells the PIX to translate the source (172.16.0.1) to itself when it goes from inside -> outside. It also tells external devices that if they connect to destination address 172.16.0.1, then the address would be translated to itself on the inside.

Now, (hopefully this won't complicate things more) if you _additionally_ wanted the two external hosts to go to the same global address, but that global address would be translated to two different internal addresses, then that would also be possible, but a bit more complicated ;-)

Sincerely,

David.

PS> Please don't forget to check the solution off if it solves your problem so we can cross it off the list.

New Member

Re: Destination NAT based on source IP?

Hi David:

Sorry, I think I still wasn't clear on my scenario. I want to redirect to one of two different inside servers but based on which source IP.

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.1.1.

If 10.1.1.2 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.2.2.

Sorry for the misunderstanding.

Thanks,

Dan

Cisco Employee

Re: Destination NAT based on source IP?

Here we need static port redirection, which is only unidirectional. However, you CANNOT NAT 172.16.0.1 on port 80 to two different servers.

though this can be done...

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 8080 192.168.2.2 8080
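As an added example (not part of this thread and not a Cisco tool), here is a small Python linter that reads PIX-style nat/global/static/access-list lines and flags the two problems the replies point out: a policy-NAT ACL that carries a port qualifier, and two static entries that both claim the same global IP and port. It also resolves an inbound destination the way the first matching static would, which shows why the second static in Dan's attempt is never reached and why the port split above does work. Both sample configs are constructed from the commands posted in the thread (the workaround sample adds a port-free policy-NAT ACL, which the thread itself does not show); the parser is a simplified regex reading of the command syntax and assumes one command per line in the forms used here.

```python
import re
from collections import defaultdict

# Constructed sample: Dan's attempt from the thread (the policy-NAT ACLs carry "eq 80",
# and two statics both claim 172.16.0.1 port 80).
ATTEMPT = """
access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80
access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
nat (outside) 2 access-list host2 outside
global (inside) 2 192.168.2.2
static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80
"""

# Constructed sample: the port-split statics from the thread, plus a policy-NAT ACL
# written without a port qualifier (an assumption added here, not posted in the thread).
WORKAROUND = """
access-list host1 permit ip host 10.1.1.1 host 172.16.0.1
nat (outside) 1 access-list host1 outside
global (inside) 1 192.168.1.1
static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80
static (inside,outside) tcp 172.16.0.1 8080 192.168.2.2 8080
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)")
# static (in,out) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] [netmask ...]
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(?:(tcp|udp)\s+)?(\S+)(?:\s+(\d+))?\s+(\S+)(?:\s+(\d+))?"
)
PORT_RE = re.compile(r"\b(eq|neq|gt|lt|range)\s+\S+")


def parse(config_text):
    """Collect ACL entries by name, ACL names referenced by policy NAT, and static entries."""
    acls, nat_acls, statics = defaultdict(list), set(), []
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(4))
        elif m := NAT_RE.match(line):
            nat_acls.add(m.group(1))
        elif m := STATIC_RE.match(line):
            statics.append({
                "proto": m.group(3) or "ip",
                "global": m.group(4), "gport": m.group(5),
                "local": m.group(6), "lport": m.group(7),
            })
    return acls, nat_acls, statics


def lint(config_text):
    """Return a list of findings; an empty list means neither problem is present."""
    acls, nat_acls, statics = parse(config_text)
    findings = []
    # Check 1: an ACL used by "nat ... access-list" must match on IPs/networks only.
    for name in sorted(nat_acls):
        for ace in acls.get(name, []):
            if PORT_RE.search(ace):
                findings.append(f"policy-NAT ACL {name} uses a port qualifier: '{ace}'")
    # Check 2: one global IP/port (per protocol) can be owned by only one static.
    owner = {}
    for s in statics:
        key = (s["proto"], s["global"], s["gport"])
        if key in owner and owner[key] != s["local"]:
            findings.append(
                f"static conflict: {s['proto']} {s['global']}:{s['gport']} already maps to "
                f"{owner[key]}, cannot also map to {s['local']}"
            )
        owner.setdefault(key, s["local"])
    return findings


def lookup_static(config_text, proto, global_ip, global_port):
    """Resolve an inbound destination via the first matching static: (local_ip, local_port) or None."""
    for s in parse(config_text)[2]:
        if s["global"] == global_ip and s["proto"] in (proto, "ip") and s["gport"] in (global_port, None):
            return (s["local"], s["lport"] or global_port)
    return None


if __name__ == "__main__":
    for label, cfg in (("attempt", ATTEMPT), ("workaround", WORKAROUND)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
    print(lookup_static(WORKAROUND, "tcp", "172.16.0.1", "80"))    # ('192.168.1.1', '80')
    print(lookup_static(WORKAROUND, "tcp", "172.16.0.1", "8080"))  # ('192.168.2.2', '8080')
```

Running it against the attempt yields three findings (two port-carrying ACLs and one static conflict), while the port-split config yields none. The lookup makes the unidirectional nature of static port redirection visible: the destination port, not the outside source address, is what selects the inside server.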

Cisco Employee

Re: Destination NAT based on source IP?

Hi Dan,

Unfortunately, we don't have a way to achieve that currently.

Sorry,

David.
