Cisco Support Community
New Member

Lower security to higher security interface PAT.

Hi,

Can we have PAT with nat and global statements for source NATting traffic from a lower security interface to a higher security interface? If nat & global can't achieve this, what are the possibilities?

merci,

arun

Red


Well, you can do outside NAT for it; you would need to use the following commands:

nat (outside) 1 0.0.0.0 0.0.0.0 outside

global (inside) 1 interface

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


Have you tried this and seen it working? Because in my case I need to have PAT for a particular port's access.

merci,

arun

Red


Yes, it works fine and is a supported config, but can you elaborate on your requirement a little bit more?

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


Oh OK, great. Here is my case: I need to NAT both the source and destination from one interface to the other.

For flow from MPLS --> Inside

Source on MPLS n/w: 192.168.1.100 (source will be all RFC 1918 subnets)

Destination on MPLS n/w: 10.1.1.100

Source on Inside n/w: 172.16.1.100 (all RFC 1918 subnet sources on MPLS will need to be translated to this IP)

Destination on Inside n/w: 172.31.2.100

The destination NAT is achieved through a static command from the higher to the lower interface.

Is this info helpful?

merci,

arun

New Member


When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.

nat (outside) 1 network netmask outside

global (inside) 1 ip_address   <--- used for PAT
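
The MPLS-to-inside flow described in the thread, put together as one configuration in the same nat/global/static syntax. This is an added example, not a configuration posted by any participant; the interface names MPLS and inside, the ACL name MPLS_in and the sample port 443 are assumptions.

```cisco
! Added example. Assumed names: interface "MPLS" (lower security),
! interface "inside" (higher security), ACL "MPLS_in".
! IP addresses are the ones given in the thread.

! Source PAT, MPLS -> inside: outside NAT for each RFC 1918 block,
! all translated to the single PAT address 172.16.1.100 on the inside.
nat (MPLS) 1 10.0.0.0 255.0.0.0 outside
nat (MPLS) 1 172.16.0.0 255.240.0.0 outside
nat (MPLS) 1 192.168.0.0 255.255.0.0 outside
global (inside) 1 172.16.1.100

! Destination NAT: the real host 172.31.2.100 on the inside is
! presented to the MPLS network as 10.1.1.100.
static (inside,MPLS) 10.1.1.100 172.31.2.100 netmask 255.255.255.255

! Lower -> higher security traffic still needs an explicit permit.
! With this syntax the interface ACL matches the mapped destination
! (10.1.1.100), not the real one. Port 443 is a constructed sample;
! the thread does not name the port, so permit only the one required.
access-list MPLS_in extended permit tcp any host 10.1.1.100 eq 443
access-group MPLS_in in interface MPLS
```

With this in place, inside hosts see every MPLS client as 172.16.1.100, so the firewall's translation table (`show xlate`) and connection logs are where the original source address has to be recovered during an investigation.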
