New Member

Policy based NAT to share 1 public between two internal servers

Hello all,

I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of tcp ports.

I believe the below will address what I need; however, can I use the 'object-group' command, or do I need to specify each TCP port separately?

This?

!
object-group service A_Bunch_O_Ports tcp
 description Telemesis comms to-From Internet
 port-object eq https
 port-object eq www
 port-object eq 8060
 port-object eq 8070
!
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
!#####################

Or this?

!
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
!
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!

3 REPLIES
Cisco Employee

Do you need both inbound and outbound connections for the server, or only outbound connections?

If you only need outbound connections, then you don't even need to specify the ports in the access-list. You can just configure the following:

nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255

However, if you need both inbound and outbound connections for the server, then you should configure the following:

static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255

New Member

I need two-way communications (in and out). I am really struggling with the difference between:

static (inside,outside)

and

nat (inside) / global (outside)

Cisco Employee

If you need both inbound and outbound, then the static command is what you need.

The nat/global pair is for outbound-only translation, and it is a dynamic translation.

Static NAT is bi-directional; it works for both inbound and outbound translation.
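To make the static versus nat/global distinction concrete, here is a small Python model of how the two translation types in this thread handle new connections. It is an added example, not code from the thread or from Cisco: the addresses and ports are the thread's, while the Asa class, its method names and the sequential PAT port allocator are constructed simplifications of the ASA's real xlate behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Asa:
    """Constructed model of a pre-8.3 ASA translation table (not Cisco's code)."""
    global_ip: str
    dynamic_hosts: set                            # nat (inside) 3 <host> / global (outside) 3 <global_ip>
    statics: dict = field(default_factory=dict)   # (pub_ip, pub_port) -> (in_ip, in_port), permanent
    xlates: dict = field(default_factory=dict)    # (in_ip, in_port) -> (pub_ip, pub_port), built by outbound flows
    next_pat_port: int = 1024                     # constructed PAT port allocator, not the ASA's real algorithm

    def add_static(self, pub_ip, pub_port, in_ip, in_port):
        """static (inside,outside) tcp <pub_ip> <pub_port> <in_ip> <in_port>"""
        key = (pub_ip, pub_port)
        if key in self.statics:
            # one shared public IP means each public port can front only one inside server
            raise ValueError(f"{pub_ip}:{pub_port} already mapped to {self.statics[key]}")
        self.statics[key] = (in_ip, in_port)

    def outbound(self, src_ip, src_port):
        """Inside host opens a connection: return the public (ip, port) it appears as, or None."""
        for pub, real in self.statics.items():
            if real == (src_ip, src_port):
                return pub                        # static NAT translates in both directions
        if src_ip in self.dynamic_hosts:
            key = (src_ip, src_port)
            if key not in self.xlates:            # dynamic PAT: xlate created by the first outbound packet
                self.xlates[key] = (self.global_ip, self.next_pat_port)
                self.next_pat_port += 1
            return self.xlates[key]
        return None                               # no translation rule covers this host

    def inbound(self, dst_ip, dst_port):
        """Outside host opens a NEW connection to a public (ip, port): return the inside target or None."""
        # Only statics answer here: dynamic xlates exist only for flows the inside host started,
        # which is why nat/global alone cannot publish a server.
        return self.statics.get((dst_ip, dst_port))


def thread_asa():
    """The thread's five static entries plus a nat/global pool shared by both hosts."""
    asa = Asa(global_ip="1.2.3.4", dynamic_hosts={"172.20.40.100", "172.20.40.200"})
    for port in (443, 80, 8060, 8070):
        asa.add_static("1.2.3.4", port, "172.20.40.100", port)
    asa.add_static("1.2.3.4", 25, "172.20.40.200", 25)
    return asa


if __name__ == "__main__":
    asa = thread_asa()
    print(asa.inbound("1.2.3.4", 443))            # ('172.20.40.100', 443)
    print(asa.inbound("1.2.3.4", 25))             # ('172.20.40.200', 25)
    print(asa.inbound("1.2.3.4", 22))             # None: no static, so a new inbound flow has nowhere to go
    print(asa.outbound("172.20.40.200", 51000))   # ('1.2.3.4', 1024): dynamic PAT for everything else
```

The add_static conflict check is the practical consequence of sharing one public IP: the two servers can only be reached on disjoint public ports.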
