Community Member

Firewall NAT

I'm trying to do some natting. My intention is to NAT a public address space (10.1.1.0 /25) subnet to a single address on my private network (192.168.1.10 /32).

The intent is to get the servers in the private subnet (VLAN'd) to respond to ANY server in the public subnet on the NATted 192 address.

I'm thinking I can do this with the following config:

static (outside,inside) <10.1.1.0> <192.168.1.10> netmask 255.255.255.255

but I'm not sure that it will NAT ANY address in the 10.1.1.0 /25 subnet.

Any insight would be helpful...

thanks.

Bruce

7 REPLIES

Re: Firewall NAT

If I understand your requirements correctly, it is not possible. How would the NAT address know what IP to go to on the inside?

Community Member

Re: Firewall NAT

The source subnet (VLAN) is directly connected to the firewall, as is the destination subnet (VLAN). I'm thinking, for example:

Server A (10.1.1.7) sends a packet destined for the 192.168.1.0 network; it gets NAT'd to 192.168.1.10,

and a route on the firewall to the 192 subnet (also a connected VLAN) routes the traffic to the interface for the 192 address space.

No?

Re: Firewall NAT

So are you looking to not NAT? If 10.1.1.7 sends a message to 192.168.1.10, it does not need to NAT. There is no translation between the subnets. If you wanted to NAT, let's use the subnet of 172.16.1.0/24: the 10.1.1.7 server would message 172.16.1.10, which in turn would be NAT'd to 192.168.1.10. Hope that makes sense.

Community Member

Re: Firewall NAT

hmmm...

The intent is to get the 10.1.1.7 (and any other server in that /25 subnet) to the 192.168.1.0 /24 to give the appearance that all traffic from the 10.1.17 is being sourced as 192.168.1.10...

Does that make better sense... maybe I didn't explain it correctly.

Community Member

Re: Firewall NAT

Sorry, after rereading this, I needed to clarify.

"to give the appearance that all traffic from the 10.1.1.0 /25 is being sourced as host address 192.168.1.10"

I'm not even sure that it can be done...

I want the hosts in the 192.168.1.0 /24 to ALWAYS talk back to 192.168.212.10, which NATs to ANY 10.1.1.0 /25...

does that make sense??

Cisco Employee

Re: Firewall NAT

I think this is your traffic flow:

Outside (10.1.1.0/25) -> Inside (192.168.212.10)

But Inside sees Outside network as 192.168.1.0. Am I correct?

If yes, then you can do policy NAT:

access-list NET10-1-1-0 extended permit ip 10.1.1.0 255.255.255.128 host 192.168.212.10

static (outside,inside) 192.168.1.0 access-list NET10-1-1-0

But the 192.168.1.0 will not be a /24; it will match the source on the ACL, so it will be a /25.

HTH,

jerry

Community Member

Re: Firewall NAT

We got it...

We set the following:

global 1 interface

nat 1 access-list

BAM, worked like a champ...

Thanks for all the responses.
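The two NAT behaviours discussed in this thread differ in a way that matters for the original question: Jerry's static policy NAT translates network-to-network and preserves the host bits (10.1.1.7 becomes 192.168.1.7, and the mapped network is a /25 because the ACL source is a /25), whereas the final "global 1 interface / nat 1 access-list" solution is dynamic PAT, under which every matching source appears as one address and is distinguished only by the translated port. The following Python model is an added example, not code from the thread or from Cisco; the addresses are the ones quoted above, the PAT address 192.168.1.10 is assumed to be the inside interface address, and the sequential port allocation is a simplification of what the firewall actually does.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed from the thread: outside hosts, the inside server they talk to,
# the mapped network of Jerry's static, and the single address the asker wanted.
ACL_SRC = ipaddress.ip_network("10.1.1.0/25")            # access-list source
ACL_DST = ipaddress.ip_network("192.168.212.10/32")      # access-list destination (host)
STATIC_MAPPED = ipaddress.ip_address("192.168.1.0")      # static (outside,inside) 192.168.1.0
PAT_ADDR = ipaddress.ip_address("192.168.1.10")          # assumed inside interface address


def acl_permits(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """The policy ACL: permit ip 10.1.1.0 255.255.255.128 host 192.168.212.10."""
    return src in ACL_SRC and dst in ACL_DST


def static_policy_nat(src: str, dst: str) -> str:
    """Model of 'static (outside,inside) 192.168.1.0 access-list NET10-1-1-0'.

    Traffic matching the ACL is translated net-to-net: the host offset inside
    10.1.1.0/25 is kept, so only a /25 worth of 192.168.1.0 is ever used.
    Non-matching traffic is passed through untranslated.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(s, d):
        return str(s)
    offset = int(s) - int(ACL_SRC.network_address)
    return str(STATIC_MAPPED + offset)


class DynamicPat:
    """Model of 'global 1 interface' plus 'nat 1 access-list <acl>'.

    Every matching source is rewritten to the single interface address and
    given a mapped port; the port is what lets reply traffic be untranslated.
    Port choice here is simply sequential (a simplification, constructed).
    """

    def __init__(self, mapped_ip: ipaddress.IPv4Address, first_port: int = 1024):
        self.mapped_ip = mapped_ip
        self.next_port = first_port
        self.table = {}      # (orig_ip, orig_port) -> mapped_port
        self.reverse = {}    # mapped_port -> (orig_ip, orig_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str) -> Tuple[str, int]:
        s = ipaddress.ip_address(src_ip)
        if not acl_permits(s, ipaddress.ip_address(dst_ip)):
            return (str(s), src_port)              # not subject to this NAT rule
        key = (str(s), src_port)
        if key not in self.table:                  # allocate a translation once per flow
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return (str(self.mapped_ip), self.table[key])

    def inbound(self, mapped_port: int) -> Optional[Tuple[str, int]]:
        """Reply to PAT_ADDR:mapped_port is mapped back to the real outside host."""
        return self.reverse.get(mapped_port)


if __name__ == "__main__":
    print(static_policy_nat("10.1.1.7", "192.168.212.10"))     # host bits kept
    print(static_policy_nat("10.1.1.200", "192.168.212.10"))   # outside the /25: untouched
    pat = DynamicPat(PAT_ADDR)
    print(pat.outbound("10.1.1.7", 40000, "192.168.212.10"))
    print(pat.outbound("10.1.1.8", 40000, "192.168.212.10"))
    print(pat.inbound(1025))
```

Run against the thread's addresses, the static model shows why Jerry warns that 192.168.1.0 "will not be a /24": 10.1.1.200 falls outside the /25 ACL source and is left untranslated, and nothing above 192.168.1.127 is ever produced. The PAT model shows the behaviour the asker actually wanted, with 10.1.1.7 and 10.1.1.8 both presenting as 192.168.1.10 and the inside server's replies resolved by port.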
