I have a network with firewalls and support networks. I would like to test external users with my support area, but I do not want to NAT everything.
Outside network --FW--(NAT Outside)Support Network(network 188.8.131.52/24 (NAT Inside) ->FW-->Router NAT
Support Servers 184.108.40.206.0/24 220.127.116.11
Support known network (18.104.22.168/24) 22.214.171.124---NATted to -->126.96.36.199
All outside network would target 188.8.131.52. Support Network(DMZ) would be able to test both 184.108.40.206 and 220.127.116.11 network at the same time.
I have multiple routers with this configuration. It works with one out of 4 interfaces.
Sounds like you need some kind of Policy NAT to be able to NAT traffic depending on where the traffic is coming from and/or where it is going? Is this correct?
Is this an IPsec L2L tunnel?
If so, between which devices?
I was thinking along those lines. Any example of policy-based NATting?
Local support not NATted (except to test with some host) and remote users always using the NAT.
This is just a static TCP NAT.
ip nat inside source static tcp INSIDEADDRESS 443 OUTSIDEADDRESS 443
Take a look at Policy NAT and let us know if you need help:
It is a 6500 with a Sup720 doing the NATting with VLANs; the firewalls are not ASAs.
Any example of policy-based routing with Cisco native IOS?
Ok, so there's no FWSM on the 6500, it's just IOS.
In that case, you can check IOS NAT information here:
Most likely what you're looking for is to be able to NAT not only based on source but based on destination as well?
Regular NAT on IOS uses a configuration like this:
ip nat inside source route-map NAT interface Fast0/0 overload
!
route-map NAT permit 10
 match ip address 199
 set ip next-hop x.x.x.x
!
ip access-list extended 199
 permit ip 10.0.0.0 0.0.0.255 any
The above configuration translates 10.0.0.0/24 to the outside interface IP (PAT) when going to the Internet.
The same concept can apply to inbound traffic as well.
You can also put conditions on NAT by binding a route-map to a STATIC NAT statement, for example.
Let us know how it goes...
I can either static NAT or use the non-NATted address, but I would like some local people (testers) to get to the non-NATted address. At least one local box should be able to get to the NATted address for testing. When I static NAT, the NAT works locally and remotely, but when I go to the non-NATted address (of the NATted address), the return traffic to the Sun box doing a dump reports that the IP is being NATted back to the NATted address.
If on the 6500 you create a static NAT, i.e.
ip nat inside source static 18.104.22.168 22.214.171.124
This means that from the outside you can access 126.96.36.199, and from the inside you can access 188.8.131.52.
If the IP addresses behind the 6500 are public or routable addresses, you can access them without NAT.
The problem is that if you create a STATIC NAT like the one above, you are defining that the device will be seen with the public IP from the outside and with the private IP from the inside.
If you want to keep the STATIC NAT and modify this behavior, you bind a route-map to the STATIC NAT.
In this way you define when the STATIC NAT takes place and when not.
Is this what you're looking for?
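Added example (not from this thread, and not Cisco's code): a small Python model of the two NAT forms discussed above, the route-map-gated overload/PAT statement and a STATIC NAT with a route-map bound to it. It implements IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, and route-map clause evaluation, then applies them to sample packets. All addresses are constructed from the RFC 5737 documentation ranges, and the model assumes the route-map is evaluated on inside-to-outside packets against the pre-translation (inside local) addresses, that outside-initiated packets are matched on the global address, and that ports are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addresses from the RFC 5737 documentation ranges (not the thread's own).
INSIDE_SERVER = "192.0.2.10"     # inside local: the support server's real address
GLOBAL_SERVER = "203.0.113.10"   # inside global: what outside users target
LOCAL_TESTERS = ("192.0.2.128", "0.0.0.127")  # local test hosts, IOS wildcard form
OUTSIDE_IF_IP = "203.0.113.1"    # outside interface address used for overload/PAT
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if wildcard_match(src, *entry.src) and wildcard_match(dst, *entry.dst):
            return entry.action
    return "deny"


def route_map_permits(route_map: List[Tuple[str, List[AclEntry]]], src: str, dst: str) -> bool:
    """A route-map is a list of (clause action, ACL). The first clause whose ACL
    permits the packet decides; a 'deny' clause, or no matching clause, means the
    NAT statement bound to this route-map is not applied."""
    for clause_action, acl in route_map:
        if acl_lookup(acl, src, dst) == "permit":
            return clause_action == "permit"
    return False


# Model of (hypothetical config, not the thread's):
#   ip access-list extended NAT-ACL
#    deny   ip host <server> <local-testers>
#    permit ip host <server> any
#   route-map NAT permit 10
#    match ip address NAT-ACL
#   ip nat inside source static <server> <global> route-map NAT
NAT_ACL = [
    AclEntry("deny",   (INSIDE_SERVER, "0.0.0.0"), LOCAL_TESTERS),
    AclEntry("permit", (INSIDE_SERVER, "0.0.0.0"), ANY),
]
ROUTE_MAP_NAT = [("permit", NAT_ACL)]

# Model of the overload example: access-list 199 permit ip 10.0.0.0 0.0.0.255 any
PAT_ACL = [AclEntry("permit", ("10.0.0.0", "0.0.0.255"), ANY)]
ROUTE_MAP_PAT = [("permit", PAT_ACL)]


def static_nat(src: str, dst: str, direction: str) -> Tuple[str, str]:
    """Conditional STATIC NAT (simplified): inside-to-outside packets from the
    server are translated only when the route-map permits them; packets from
    outside addressed to the global address are always sent to the server."""
    if direction == "in2out":
        if src == INSIDE_SERVER and route_map_permits(ROUTE_MAP_NAT, src, dst):
            return GLOBAL_SERVER, dst
        return src, dst
    if direction == "out2in":
        if dst == GLOBAL_SERVER:
            return src, INSIDE_SERVER
        return src, dst
    raise ValueError(f"unknown direction {direction!r}")


def overload_nat(src: str, dst: str) -> Tuple[str, str]:
    """Inside-to-outside PAT to the outside interface, gated by ROUTE_MAP_PAT."""
    if route_map_permits(ROUTE_MAP_PAT, src, dst):
        return OUTSIDE_IF_IP, dst
    return src, dst


if __name__ == "__main__":
    outside_user, local_tester = "198.51.100.7", "192.0.2.200"
    print(static_nat(outside_user, GLOBAL_SERVER, "out2in"))   # reaches the server via the global address
    print(static_nat(INSIDE_SERVER, outside_user, "in2out"))   # reply to the outside user leaves as the global address
    print(static_nat(INSIDE_SERVER, local_tester, "in2out"))   # reply to a local tester keeps the real address
    print(overload_nat("10.0.0.5", outside_user))              # 10.0.0.0/24 is PATed to the outside interface
```

The deny entry is what gives local testers the untranslated address: because it is matched before the permit, server traffic towards the tester range never hits the STATIC NAT, while everything else from the server still appears as the global address. To confirm on a real box you would look at `show ip nat translations` and the ACL hit counters, as the thread goes on to do.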
The network that is not NATted is not known outside the local network (routes from the 6500 to the firewall).
But I have testers that don't want to change their test procedures. If I do a static NAT:
ip nat inside source static tcp 184.108.40.206 443 220.127.116.11 443
The 18.104.22.168 works fine from outside the network and locally.
But when I try to access 22.214.171.124 from local servers, the response traffic from 126.96.36.199 (Sun snoop) gets NATted to 188.8.131.52.
Will a static NAT bound to a route-map work for this? Can you give me an example with this scenario?
(config)# ip nat inside source static 184.108.40.206 220.127.116.11 route-map NAT
(config)# route-map NAT permit 10
(config-route-map)# match ip address NAT-ACL
(config)# ip access-list extended NAT-ACL
(config-ext-nacl)# 10 deny ip host 18.104.22.168 any
(config-ext-nacl)# 15 permit ip host 22.214.171.124 any
!
interface Vlan200
 ip nat inside
 ip address 126.96.36.199 255.255.255.0
!
interface Vlan100
 ip nat outside
 ip address 188.8.131.52 255.255.255.0
The NAT seems to work for both 184.108.40.206 and 220.127.116.11, but the route-map does not seem to work. At least there are no hits on the route-map or the NAT-ACL, but there are NAT translations.
It seems to be a bug. If you remove the route-map before the ip nat static, it crashes the 6500.