Cisco Support Community
New Member

nat based on outside source

Hi,

I have the following situation:

server on inside with 192.168.1.1 address

outside nat address x.x.x.1

this is currently working correctly with static nat


we require a policy NAT where we can NAT the outside address x.x.x.1 to a second server, 192.168.1.2, based on whether the source is a specific host/network

Connections are always initiated from outside (public facing web server for example).

I have been unable to identify a means of achieving this with policy NAT. We can successfully NAT the inside hosts to different outside addresses based on the policy access lists, but we are unable to NAT one outside address to multiple inside addresses.

any ideas?

3 REPLIES
Cisco Employee

Re: nat based on outside source

Hello,

So you need to MAP one public IP to multiple internal servers depending upon the (external) source. You need a policy as follows:

If two different hosts (x.x.x.x and y.y.y.y) on the outside world would like to access TWO different servers (192.168.1.1 and 192.168.1.2) on the inside using the same public IP (160.1.1.2), respectively:


access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 host y.y.y.y   --> y.y.y.y will be able to access server at 192.168.1.2 using 160.1.1.2

static (inside,outside) 160.1.1.2 access-list policy

HTH

Vijaya

New Member

Re: nat based on outside source

Hi,

thanks for the answer, you've understood exactly what I need, with just a slight variation:

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x   --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host 192.168.1.2 any   --> ANY OTHER ADDRESS will be able to access server at 192.168.1.2 using 160.1.1.2

I'll test the above later on, but from what I gather I won't be able to use ANY as a source address - i.e. I want only specific addresses to go to 192.168.1.1 and all others to go to 192.168.1.2.

do you think this will work?

thanks

Cisco Employee

Re: nat based on outside source

Hello,

You can try:

access-list policy extended permit ip host 192.168.1.1 host x.x.x.x

access-list policy extended permit ip host 192.168.1.1 host y.y.y.y

static (in,out) access-list policy

static (in,out) 192.168.1.2 netmask 255.255.255.255

Now, since the POLICY STATIC has higher preference than the normal STATIC, your specific users (x.x.x.x and y.y.y.y) will go to the internal server

at 192.168.1.1 using

WHILE, on the other hand, all other users will go to the internal server at 192.168.1.2 using the same

Try this and let me know how it goes.

Vijaya
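The design from the last reply written out as a complete pre-8.3 ASA fragment. This is an added example, not configuration posted in the thread; it assumes interfaces named inside/outside, the public IP 160.1.1.2 used above, and substitutes the documentation addresses 203.0.113.10 and 203.0.113.20 for x.x.x.x and y.y.y.y. Note the policy ACL is written from the inside perspective (real server as source, outside peer as destination), which is how `static ... access-list` matches traffic in either direction.

```cisco
! Added example (not from the thread). ASA 8.2 syntax; addresses 203.0.113.x are placeholders.
!
! Policy static: the ACL names the REAL (inside) address as source and the
! outside peer as destination. The static is bidirectional, so outside-initiated
! connections from these peers to 160.1.1.2 reach 192.168.1.1.
access-list policy extended permit ip host 192.168.1.1 host 203.0.113.10
access-list policy extended permit ip host 192.168.1.1 host 203.0.113.20
static (inside,outside) 160.1.1.2 access-list policy
!
! Regular static for every other outside source. Static entries are matched
! in configuration order, so this one is entered after the policy static.
static (inside,outside) 160.1.1.2 192.168.1.2 netmask 255.255.255.255
!
! Inbound traffic still needs an interface ACL. Pre-8.3 the destination in the
! outside ACL is the MAPPED address. Only the needed service is opened.
access-list outside_in extended permit tcp any host 160.1.1.2 eq 80
access-group outside_in in interface outside
!
! Verification: the NAT phase of each trace should show 192.168.1.1 for the
! listed peer and 192.168.1.2 for any other source (203.0.113.99 is a placeholder).
packet-tracer input outside tcp 203.0.113.10 40000 160.1.1.2 80
packet-tracer input outside tcp 203.0.113.99 40000 160.1.1.2 80
show xlate
```

If the second static is rejected with a mapped-address conflict on your software release, check the NAT rule order section of that release's configuration guide before restructuring the rules.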
