09-25-2008 10:28 AM - edited 03-11-2019 06:49 AM
I have a connection to a 3rd-party app that has changed. The app is no longer able to separate users coming into the app using NAT as separate connections. I have 4 users that need to use the app at one time. I want to change the nat statement so the users won't PNAT on one IP but pick the next available IP in the pool, since there are only 4 users that will need to go to this site. I am trying not to have a static reservation for them. TAC gave the answer that the PIX will PNAT anyway if I make the following change. Is there a way without assigning the PCs a static IP?
global (outside) 100 60.100.10.128
crypto ipsec transform-set myset esp-3des esp-md5-hmac
tunnel-group 21.14.41.188 type ipsec-l2l
tunnel-group 21.14.41.188 ipsec-attributes
pre-shared-key *
crypto map newmap 60 match address outside_cryptomap_60
crypto map newmap 60 set peer 21.14.41.188
crypto map newmap 60 set transform-set myset
nat (inside) 100 access-list inside_pnat_outbound_V1
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.105
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.106
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.107
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.105
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.106
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.107
_______________________________________________________________________________________
Idea for change, but Cisco said it will still PNAT:
nat (inside) 100 access-list inside_pnat_outbound_V1
global (outside) 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248
________________________________________________________________________________________
10-01-2008 08:28 AM
No, it works fine, because your IP range is 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248. It contains 8 IP addresses. You said only 4 users, so the first 4 IPs are allocated to those 4 users and the remaining 4 IPs are also available. It works fine.
10-01-2008 10:29 AM
Thanks, I was able to replicate my config in a lab environment with older 501s. I was able to determine that it would work. When I brought this up with TAC they told me it would use PNAT and not go to the next IP. Guess you can't always trust TAC. Thanks for verifying it.
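A check worth running before widening the pool, as an added example that is not part of the thread: the crypto ACL is matched against the translated source address, so every pool address needs an entry in `outside_cryptomap_60` or that traffic is not selected for the tunnel. The sketch assumes the crypto ACL is left exactly as originally posted while only the `global` line changes; the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the thread: the proposed pool and the crypto ACL as posted.
CONFIG = """\
global (outside) 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.105
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.106
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.107
"""

def spec(tokens):
    """Consume one ACL address spec ('host A', 'any' or 'A MASK') as a network."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse(config):
    """Return (pool addresses, {acl_name: [(src_net, dst_net), ...]})."""
    pool, acls = [], {}
    for line in config.splitlines():
        m = re.match(r"global \(\w+\) \d+ (\S+?)(?:-(\S+))?(?: netmask \S+)?$", line)
        if m:
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2) or m.group(1))
            pool += [lo + i for i in range(int(hi) - int(lo) + 1)]
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((spec(tokens), spec(tokens)))
    return pool, acls

def uncovered(config, acl_name, dst):
    """Pool addresses that, as translated source, match no ACL entry toward dst."""
    pool, acls = parse(config)
    dst = ipaddress.ip_address(dst)
    return [str(ip) for ip in pool
            if not any(ip in s and dst in d for s, d in acls.get(acl_name, []))]

if __name__ == "__main__":
    for dst in ("21.14.41.105", "21.14.41.106", "21.14.41.107"):
        print(dst, "not matched by crypto ACL:", uncovered(CONFIG, "outside_cryptomap_60", dst))
```

An empty list for every peer host means each address the pool can hand out is covered by the crypto ACL; any address listed needs a matching `access-list outside_cryptomap_60` entry on this side and a mirrored entry on the peer.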