NAT, PNAT and policy NAT

elderr
Level 1

I have a connection to a third-party app that has changed. The app is no longer able to separate users coming into the app using NAT as separate connections. I have 4 users that need to use the app at one time. I want to change the NAT statement so the users won't PNAT on one IP but pick the next available IP in the pool, since there are only 4 users that will need to go to this site. I am trying not to have a static reservation for them. TAC gave the answer that the PIX will PNAT anyway if I make the following change. Is there a way without assigning the PCs a static IP?

global (outside) 100 60.100.10.128
crypto ipsec transform-set myset esp-3des esp-md5-hmac
tunnel-group 21.14.41.188 type ipsec-l2l
tunnel-group 21.14.41.188 ipsec-attributes
pre-shared-key *
crypto map newmap 60 match address outside_cryptomap_60
crypto map newmap 60 set peer 21.14.41.188
crypto map newmap 60 set transform-set myset
nat (inside) 100 access-list inside_pnat_outbound_V1
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.105
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.106
access-list inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 host 21.14.41.107
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.105
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.106
access-list outside_cryptomap_60 extended permit ip host 60.100.10.128 host 21.14.41.107

_______________________________________________________________________________________

Idea for change, but Cisco said it will still PNAT:

nat (inside) 100 access-list inside_pnat_outbound_V1
global (outside) 100 60.100.10.128-60.100.10.135 netmask 255.255.255.248

________________________________________________________________________________________


2 Replies

drolemc
Level 6

No, it works fine, because your IP range (100 60.100.10.128-60.100.10.135 netmask 255.255.255.248) contains 8 IP addresses. You said only 4 users, so the first 4 IPs are allocated to those 4 users and the remaining 4 IPs are also available. It works fine.

Thanks, I was able to replicate my config in a lab environment with older 501s. I was able to determine that it would work. When I brought this up with TAC they told me it would use PNAT and not go to the next IP. Guess you can't always trust TAC. Thanks for verifying it.
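As an added example, not part of the thread and not Cisco code: a small Python model of the behaviour discussed above. It expands the proposed global range into its 8 addresses, hands them out one-to-one to four constructed inside hosts the way dynamic NAT does (falling back to a shared PAT address only when one is configured), and then checks each translated address against the posted outside_cryptomap_60 ACL. That ACL, as posted, matches only host 60.100.10.128, so traffic translated to .129-.135 would not be selected for the tunnel; the widened ACL lines the script prints are a constructed suggestion, and the inside addresses 10.1.1.11-14 are constructed stand-ins for the four users.

```python
import ipaddress

# Values taken from the configuration posted in the thread.
GLOBAL_FIRST, GLOBAL_LAST, GLOBAL_MASK = "60.100.10.128", "60.100.10.135", "255.255.255.248"
REMOTE_HOSTS = ("21.14.41.105", "21.14.41.106", "21.14.41.107")
# outside_cryptomap_60 as posted: source is the single host 60.100.10.128.
CRYPTO_ACL = tuple(("60.100.10.128", "255.255.255.255", h) for h in REMOTE_HOSTS)
# Constructed inside addresses standing in for the four users (not from the thread).
INSIDE_HOSTS = ("10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14")


def expand_pool(first, last, netmask):
    """Expand 'global (outside) <id> first-last netmask m' into its addresses,
    refusing a range that does not sit inside the subnet the netmask describes."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    if hi < lo or hi not in net:
        raise ValueError(f"{first}-{last} does not fit netmask {netmask}")
    return [str(ipaddress.ip_address(a)) for a in range(int(lo), int(hi) + 1)]


class DynamicNatPool:
    """Model of dynamic NAT: each new inside host takes the next free pool address
    and keeps it while its xlate lives; exhaustion raises unless a PAT address exists."""

    def __init__(self, addresses, pat_address=None):
        self.free = list(addresses)
        self.xlate = {}            # inside ip -> outside ip
        self.pat_address = pat_address

    def translate(self, inside_ip):
        if inside_ip in self.xlate:
            return self.xlate[inside_ip]
        if self.free:
            self.xlate[inside_ip] = self.free.pop(0)
            return self.xlate[inside_ip]
        if self.pat_address is not None:
            return self.pat_address   # many hosts share one address, told apart by port
        raise RuntimeError("NAT pool exhausted and no PAT address configured")


def acl_permits(acl, src, dst):
    """True if any (src_addr, src_mask, dst_host) entry of a crypto ACL covers src -> dst."""
    for addr, mask, dst_host in acl:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(src) in net and dst == dst_host:
            return True
    return False


def check_proposed_config(inside_hosts=INSIDE_HOSTS):
    """Translate each user through the proposed pool and report whether the
    translated address is still matched by the posted crypto map ACL."""
    nat = DynamicNatPool(expand_pool(GLOBAL_FIRST, GLOBAL_LAST, GLOBAL_MASK))
    report = {}
    for host in inside_hosts:
        mapped = nat.translate(host)
        protected = all(acl_permits(CRYPTO_ACL, mapped, r) for r in REMOTE_HOSTS)
        report[host] = (mapped, protected)
    return report


def widened_crypto_acl(first, last, netmask, remote_hosts=REMOTE_HOSTS):
    """Constructed ACL entries covering the whole pool, one per remote host,
    so that every translated address matches the crypto map."""
    expand_pool(first, last, netmask)          # validate the range first
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    return [
        f"access-list outside_cryptomap_60 extended permit ip "
        f"{net.network_address} {net.netmask} host {h}"
        for h in remote_hosts
    ]


if __name__ == "__main__":
    for host, (mapped, protected) in check_proposed_config().items():
        print(f"{host} -> {mapped}  crypto ACL match: {'yes' if protected else 'NO'}")
    print("\n".join(widened_crypto_acl(GLOBAL_FIRST, GLOBAL_LAST, GLOBAL_MASK)))
```

Run as a script it shows the first user landing on .128 (matched by the crypto ACL) and the other three on .129-.131 (not matched), which is the detail to check after widening a global pool that fronts an IPsec tunnel.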
