Let's say I have a router whose serial interface is configured for inside NAT, and the Ethernet interface is set for outside NAT. So I'll refer to the Serial interface as the inside, and the Ethernet interface as the outside. Currently, I have a NAT access-list that PATs incoming traffic to the inside interface against any matches on the NAT access-list. The config is as follows:
ip nat inside
ip nat outside
ip nat pool PAT_pool 188.8.131.52 184.108.40.206 prefix-length 24
ip nat inside source list 50 pool PAT_pool overload
Standard IP access list 50
As you can see, if any of the 4 IP addresses in the access-list initiate a connection into the inside interface, they get PAT'd to 220.127.116.11. However, there is also a need for a host off the Outside to initiate a connection to one of those IP addresses defined in the NAT ACL, and that host is 10.10.1.250. Is it possible to configure this so that an Outside host can connect to the same PAT address, 18.104.22.168, and have it translate to only the 10.10.1.250 address? Obviously I don't want to break the NAT coming into the serial interface (Inside NAT). What is happening is that one of the servers on the outside (Ethernet) needs to initiate keepalives back to the 10.10.1.250 address, but only that address. They were hoping to aim it at the PAT address 22.214.171.124. How do I go about doing this? I don't want to break anything with the current NAT as it relates to inside to outside.
OK, so you are saying that I can leave the PAT access-list for traffic coming to the inside interface (including the source IP of 10.10.1.250) alone, but servers on the outside interface can send their keepalives to the PAT address 126.96.36.199 (10.10.1.250) as long as I assign the static NAT with the particular port number of the keepalive? And this won't conflict with each other?
It is static PAT that you are applying, thus it is only interfering with the specific ports used in the "static" command. Whether this is possible or not in combination depends on the specific application and ports used. As I am not aware of your application, I cannot give a definite statement for your case.
You can try the above config (adjusted to your requirements) and check if everything works just fine.
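As an added illustration (not configuration from the original thread or from either poster), this is what the combination described above looks like on IOS: the dynamic PAT (overload) statement from the question left untouched, plus one static PAT entry that claims a single port on the inside global address for the outside-initiated keepalive. The interface names Serial0/0 and FastEthernet0/0, the keepalive port 5000/TCP, and the use of the address from the follow-up question as the inside global address are all assumptions; the port in particular must be replaced with the one the keepalive actually uses, and the global address must be one that belongs to PAT_pool.

```cisco
! Interface roles as described in the question (interface names are assumed)
interface Serial0/0
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
!
! Existing dynamic PAT for inside-initiated traffic matching ACL 50 - unchanged.
! 10.10.1.250 stays in ACL 50 so its own outbound connections are still PAT'd.
ip nat pool PAT_pool 188.8.131.52 184.108.40.206 prefix-length 24
ip nat inside source list 50 pool PAT_pool overload
!
! Added static PAT for the outside-initiated keepalive only.
! Maps <global-address>:5000/TCP -> 10.10.1.250:5000; every other port on the
! global address is still free for the dynamic overload translations above.
! Port 5000 is an assumed value; use "udp" instead of "tcp" if the keepalive is UDP.
! "extendable" is required because the same inside global address is also used
! by the overload pool (and would be required for further static entries on it).
ip nat inside source static tcp 10.10.1.250 5000 126.96.36.199 5000 extendable
!
! Check: the static entry is present immediately, before any traffic; dynamic
! entries for the other ACL 50 hosts appear only after they initiate connections.
! show ip nat translations
! show ip nat statistics
```

The static entry reserves only that one port, so the outside server's keepalive to the global address on port 5000 reaches 10.10.1.250 and nothing else; an outside host hitting any other port on the global address still finds no translation and is dropped, exactly as before. If the keepalive application happens to use a port that the dynamic overload would otherwise hand out, IOS keeps it reserved for the static entry, which is the interference the answer refers to.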