Hi - I'm using the pdm for the FWSM. I'm trying to NAT a server from the production VLAN interface to the outside interface with a RIPE address so that we can send smtp to it from designated internet hosts. This server is in the 10.x.x.0 /23 network and this network is NATed using same address on the outside interface (currently set at the network level). Because of this I cannot set the outside NAT by editing the host NAT tab in the pdm. So I have added a translation rule NATing the server to its RIPE address on the outside. When I apply this I get an (expected) NAT overlap/redundancy warning which I ignore and the NAT appears in the list. I then set up a permit smtp from internet hosts on outside interface to the 10.x.x.x address of the server. This immediately changes the address to the NAT RIPE address (thus nullifying the rule as now both are on the outside...) and it takes out the translation entry! So I'm left with a redundant rule and no NAT. Is there a way around this? I don't think I can take out the network level NAT without breaking all the other servers in this VLAN? I hope this makes sense...
So let me get this right. You have a server that you need to specifically NAT an external address to, right? But at this time there is a network NAT in place NATing it to the same place. So your statements look something like this:
Thanks for the reply Patrick - yep something like that. It seems that we are trying to have two NATs on the one host - one from the network NAT (which it gets to first and 'likes') and the other from the host NAT (which it doesn't like). So, as you say, the only way around it seems to be to take off the network NAT and put statics on the hosts - somehow I don't think I'll get that through the change system as they are all live servers... We may have to put a box on the outside that will relay to the production servers.
Well, it'll keep me busy I suppose since they want it done by tomorrow :)