Policy-based NAT to share one public IP between two internal servers

geraghtyconor (Level 1)

Hello all,

I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of tcp ports.

I believe the below will address what I need; however, can I use the 'object-group' command, or do I need to specify each TCP port separately?

This?

!
object-group service A_Bunch_O_Ports tcp
 description Telemesis comms to-From Internet
 port-object eq https
 port-object eq www
 port-object eq 8060
 port-object eq 8070
!
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
!#####################

Or this?

!
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!

3 Replies

Jennifer Halim (Cisco Employee)

Do you need both inbound and outbound connection for the server, or only outbound connection?

If you only need outbound connection, then you don't even need to specify the port on the access-list. You can just configure the following:

nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255

However, if you need both inbound and outbound connection for the server, then you should configure the following:

static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255

I need two-way communications (in and out). I am really struggling with the difference between:

static (inside,outside)

and

nat (inside) / global (outside)

If you need both inbound and outbound, then the static command is what you need.

The nat/global pair is for outbound-only translation, and it is dynamic translation.

Static NAT is bidirectional; it works for both inbound and outbound translation.
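To make the distinction in the reply concrete, here is a small stateful model of the two translation styles, written for this thread as an illustration; it is not Cisco code and not the configuration of either poster. The addresses 1.2.3.4, 172.20.40.100 and 172.20.40.200 and the ports 443/80/8060/8070/25 are taken from the thread; the class, the PAT port range starting at 1024 and the sample flows are constructed assumptions. It shows why the port statics let one public IP front both servers for unsolicited inbound connections, while nat/global only creates translations when an inside host opens a flow.

```python
"""Toy model of ASA static port translation versus dynamic nat/global.

Constructed illustration for the thread above, not Cisco code. It keeps
just enough state to show the behavioural difference the reply describes:
static entries answer inbound connections, dynamic entries exist only
because an inside host started something.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp_port)


@dataclass
class ToyAsaNat:
    # static (inside,outside) tcp <pub_ip> <pub_port> <in_ip> <in_port>
    statics: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # inside hosts covered by a 'nat (inside) N <host>' line
    dynamic_hosts: Set[str] = field(default_factory=set)
    # the single address from 'global (outside) N 1.2.3.4'
    global_ip: str = "1.2.3.4"
    # dynamic xlate table: only ever populated by outbound flows
    xlates: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    next_pat_port: int = 1024  # assumed PAT port allocator

    def add_static(self, pub_ip: str, pub_port: int, in_ip: str, in_port: int) -> None:
        self.statics[(pub_ip, pub_port)] = (in_ip, in_port)

    def outbound(self, in_ip: str, in_port: int) -> Optional[Endpoint]:
        """Inside host opens a connection; returns the public socket used, or None."""
        # A static is bidirectional: outbound traffic from the mapped socket
        # leaves with the same public ip/port that inbound traffic arrives on.
        for pub, priv in self.statics.items():
            if priv == (in_ip, in_port):
                return pub
        if in_ip in self.dynamic_hosts:
            pub = (self.global_ip, self.next_pat_port)
            self.next_pat_port += 1
            self.xlates[pub] = (in_ip, in_port)  # xlate born from the outbound flow
            return pub
        return None  # no translation rule covers this host

    def inbound(self, pub_ip: str, pub_port: int) -> Optional[Endpoint]:
        """Outside host sends to the public address; returns the inside socket, or None (dropped)."""
        if (pub_ip, pub_port) in self.statics:
            return self.statics[(pub_ip, pub_port)]
        # Dynamic entries only match return traffic of flows the inside host opened.
        return self.xlates.get((pub_ip, pub_port))


def build_static_sharing() -> ToyAsaNat:
    """The five 'static (inside,outside) tcp' lines from the accepted reply."""
    asa = ToyAsaNat()
    for port in (443, 80, 8060, 8070):
        asa.add_static("1.2.3.4", port, "172.20.40.100", port)
    asa.add_static("1.2.3.4", 25, "172.20.40.200", 25)
    return asa


def build_dynamic_only() -> ToyAsaNat:
    """The outbound-only 'nat (inside) 3 ... / global (outside) 3 1.2.3.4' variant."""
    asa = ToyAsaNat()
    asa.dynamic_hosts.update({"172.20.40.100", "172.20.40.200"})
    return asa


if __name__ == "__main__":
    shared = build_static_sharing()
    print("inbound 1.2.3.4:443 ->", shared.inbound("1.2.3.4", 443))
    print("inbound 1.2.3.4:25  ->", shared.inbound("1.2.3.4", 25))
    print("inbound 1.2.3.4:22  ->", shared.inbound("1.2.3.4", 22))  # no static: dropped

    dyn = build_dynamic_only()
    print("dynamic, unsolicited inbound :443 ->", dyn.inbound("1.2.3.4", 443))
    pub = dyn.outbound("172.20.40.200", 40000)  # constructed outbound flow
    print("dynamic, outbound from .200 uses", pub, "reply maps back to", dyn.inbound(*pub))
```

The model also captures the reply's point that the port statics are what let the two servers share 1.2.3.4: the lookup key is the public ip/port pair, so port 25 and port 443 on the same address resolve to different inside hosts. Anything arriving on a port with no static is dropped, which is the behaviour you want from a firewall fronting a single shared address.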
