Cisco Support Community
New Member

NAT, PNAT and policy NAT

I have a connection to a 3rd-party app that has changed. The app is no longer able to separate users coming into the app using NAT as separate connections. I have 4 users that need to use the app at one time. I want to change the NAT statement so the users won't PNAT on one IP but pick the next available IP in the pool, since there are only 4 users that will need to go to this site. I am trying not to have a static reservation for them. TAC gave the answer that the PIX will PNAT anyway if I make the following change. Is there a way without assigning the PCs a static IP?

global (outside) 100 60.100.10.128

crypto ipsec transform-set myset esp-3des esp-md5-hmac

tunnel-group 21.14.41.188 type ipsec-l2l

tunnel-group 21.14.41.188 ipsec-attributes

pre-shared-key *

crypto map newmap 60 match address outside_cryptomap_60

crypto map newmap 60 set peer 21.14.41.188

crypto map newmap 60 set transform-set myset

nat (inside) 100 access-list inside_pnat_outbound_V1

access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.105

access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.106

access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.107

access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.105

access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.106

access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.107

_______________________________________________________________________________________

Idea for change, but Cisco said it will still PNAT

nat (inside) 100 access-list inside_pnat_outbound_V1

global (outside) 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248

________________________________________________________________________________________

1 ACCEPTED SOLUTION

Silver

Re: NAT, PNAT and policy NAT

No, it works fine, because your IP range is 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248. It contains 8 IP addresses. You said only 4 users, so the first 4 IPs are allocated to those 4 users and the remaining 4 IPs are also available. It works fine.

New Member

Re: NAT, PNAT and policy NAT

Thanks, I was able to replicate my config in a lab environment with older 501s. I was able to determine that it would work. When I brought this up with TAC they told me it would use PNAT and not go to the next IP. Guess you can't always trust TAC. Thanks for verifying it.
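
Added example, not part of any post in this thread: the posted outside_cryptomap_60 entries match only the translated source 60.100.10.128, so this Python check lists which addresses of the proposed global pool that crypto ACL would not select for the tunnel. It assumes every address in the range is handed out and uses only the config lines quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the configuration posted in this thread.
CONFIG = """\
global (outside) 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.105
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.106
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.107
"""

def global_pool(config, nat_id):
    """Return every address named by the 'global' statement(s) for nat_id."""
    pool = []
    pat = re.compile(r"^global \(\w+\) (\d+) (\S+?)(?:-(\S+))?(?: netmask \S+)?$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m or m.group(1) != str(nat_id):
            continue
        first = ipaddress.IPv4Address(m.group(2))
        last = ipaddress.IPv4Address(m.group(3) or m.group(2))
        pool += [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
    return pool

def acl_sources(config, acl_name):
    """Return the source networks of the 'permit ip' entries in acl_name."""
    nets = []
    pat = re.compile(r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) ")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        src = m.group(2).split()
        if src[0] == "host":
            nets.append(ipaddress.IPv4Network(src[1] + "/32"))
        else:  # "address mask" form, e.g. 10.0.0.0 255.0.0.0
            nets.append(ipaddress.IPv4Network(f"{src[0]}/{src[1]}"))
    return nets

def uncovered(config, nat_id, acl_name):
    """Pool addresses that no source entry of the crypto ACL matches."""
    nets = acl_sources(config, acl_name)
    return [str(a) for a in global_pool(config, nat_id)
            if not any(a in n for n in nets)]

if __name__ == "__main__":
    for addr in uncovered(CONFIG, 100, "outside_cryptomap_60"):
        print("translated source not matched by crypto ACL:", addr)
```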
