Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

NATTING Some IPs and not others

I have  a network with firewalls and support networks, but I would like to test external users with my support area, but do not want NAT everything.

Outside network --FW--(NAT Outside)Support Network(network 1.1.1.0/24 (NAT Inside) ->FW-->Router NAT

                                                      Support Servers 1.1.1.1.0/24                                           2.2.2.2

                                                       Support know network (3.3.3.0/24) 3.3.3.2---NATTed to -->2.2.2.2

All outside network would target 3.3.3.2.  Support Network(DMZ) would be able to test both 3.3.3.2 and 2.2.2.2 network at the same time.

I have multple routers with this configuration.  It works with one out of 4 interfaces.

Any help.

9 REPLIES

Re: NATTING Some IPs and not others

Hi,

Sounds like you need some kind of Policy NAT to be able to NAT traffic depending on where the traffic is coming and/or where it i s going? Is this correct?

Is this an IPsec L2L tunnel?

If so, between which devices?

Federico.

Community Member

Re: NATTING Some IPs and not others

I was thinking along those lines,  Any example of Policy based natting?

Local Support not natted (exclept to test with some host) and remote user always using the NAT.

This is just a static tcp nat.

ip nat inside soure stat tcp INSIDEADDRESS 443 OUTSIDEADDRESS 443

Re: NATTING Some IPs and not others

Take a look at Policy NAT and let us know if you need help:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Federico.

Community Member

Re: NATTING Some IPs and not others

It is a 6500 with Sup720 do the natting with vlans, the firewalls are not ASA.

Any example of policy based routing with Cisco Native IOS?

Re: NATTING Some IPs and not others

Ok, so there's no FWSM on the 6500, is just IOS.

In that case, you can check IOS NAT information here:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051153

Most likely what you're looking for is to be able to NAT not only based on source but based on destination as well?

Regular NAT on IOS use a configuration like this:

ip nat inside source route-map NAT interface Fast0/0 overload

route-map NAT

match ip address 199

set ip next-hop x.x.x.x

ip access-list extended 199 permit ip 10.0.0.0 0.0.0.255 any

The above configuration, translates the 10.0.0.0/24 to the outside interface IP (PAT) when going to the Internet.

The same concept can apply to inbound traffic as well.

You can also put condition on NAT binding a route-map to a STATIC NAT statement for example.

Let us know how does it goes...

Federico.

Community Member

Re: NATTING Some IPs and not others

I can either static nat or use non-natted address, but I would like some local people(test) to get to non-natted address.  At least one local box be able to get to the natted for test, but when I static nat the nat works locally and remotely, but when I go to the non-natted address(of the natted address) the return traffic to the Sun box doing a dump, reports the the ip it being natted back to the natted address.

Out

Re: NATTING Some IPs and not others

If on the 6500 you create a static NAT, i.e.
ip nat inside source static 1.1.1.1 2.2.2.2
This means that from the outside, you can access 2.2.2.2 and from the inside can access 1.1.1.1

If the IP addresses behind the 6500 are public or routable addresses, you can access them without NAT.

The problem is that if you create a STATIC NAT like the one above, you are defining that the device will be seen with the public
IP from the outside and with the private IP from the inside.


If you want the STATIC NAT and modify this behavior, you bind a route-map to the STATIC NAT.
In this way you define when does the STATIC NAT takes place and when not.
Is this what you're looking for?

Federico.

Community Member

Re: NATTING Some IPs and not others

The network that is not-natted is not know outside the local network(routes from the 6500 to Firewall.

But I have testers that don't want to change there test procedures.  If do a static nat:

ip nat inside source static 2.2.2.1 443 3.3.3.1 443.

The 3.3.3.1 works fine from outside the network and locally.

But when I try to access 2.2.2.1 from local servers response traffic is from 2.2.2.1(Sun snoop) gets natted to 3.3.3.1.

Will a static nat bound to route-policy work for this?  Can you give me an example with this scenario?

Community Member

Re: NATTING Some IPs and not others

config)# ip nat inside source static 3.3.3.1 2.2.2.1 route-map NAT


config)# route-map NAT permit 10
config-route-map)# match ip address NAT-ACL

config)#ip access-list extended NAT-ACL
config-ext-nacl)#10 deny ip host 1.1.1.1 any

config-ext-nacl)#15 permit ip host 1.1.1.2 any

int vlan 200

ip nat inside

ip add 2.2.2.254 255.255.255.0

int vlan 100

ip nat outside

ip add 2.2.2.254 255.255.255.0

The nat seem to work both the 3.3.3.1 and 2.2.2.1, but the route map does not seem to work.  At least no hits on route-map or the NAT-ACL, but there are nat translations.

Seem to be a bug.  If you remove the route-map before the ip nat static it crashes the 6500.

329
Views
0
Helpful
9
Replies
CreatePlease to create content