static & dynamic NAT at the same time?

Is it possible? Let's say you have the pool of 20 public addresses and you have 30 LAN computers. You want to assign the same public address to some of the servers. And the rest can get addresses from the pool in the random way.

It would be nice so one can easily make the proper firewall rules.

Accepted Solution

l.mourits (Level 5)

Yes, this is possible, you can use nat and global commands for dynamic translation and use static commands for static translation at the same time.

Here's an example:

Public IP-range on outside: xxx.xxx.xxx.0/27

(IP-addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)

Private IP-range on inside: yyy.yyy.yyy.0/24

In the example I will statically translate server1 from xxx.xxx.xxx.2 to yyy.yyy.yyy.2 (same for server2, but using address .3)

All other IPs will be dynamically translated.

Here's a sample config how you could achieve this:

ip address outside xxx.xxx.xxx.1 255.255.255.224
ip address inside yyy.yyy.yyy.1 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0
global (outside) 1 interface
static (inside, outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2
static (inside, outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3
access-list nonat deny ip host yyy.yyy.yyy.2 any
access-list nonat deny ip host yyy.yyy.yyy.3 any
access-list nonat permit ip any any

Kind Regards,

Leo
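The answer above combines three PIX/ASA (pre-8.3) mechanisms that are matched in a fixed order for outbound traffic: NAT exemption (nat 0 access-list) first, then static translations, then regular nat/global. That order is why the nonat list needs the deny entries for the two servers, and it is also the check a practitioner should run before deploying this: a nonat list that ends in "permit ip any any" exempts every other inside host from translation, so those hosts would leave with their private addresses instead of being PATed to the interface. The script below is an added example, not code from Leo's post or from Cisco; it models that matching order in Python, using constructed addresses (203.0.113.0/27 outside, 192.168.1.0/24 inside, 10.0.0.0/24 as a hypothetical VPN peer network) in place of the xxx/yyy placeholders, and compares the posted nonat list with one restricted to the VPN traffic that actually should bypass NAT.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    """One line of an access-list: permit/deny, source network, destination network."""
    action: str
    src: Net
    dst: Net = ANY

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


def acl_action(acl: list[AclEntry], src: IPv4, dst: IPv4) -> str:
    """First matching entry wins; every access-list ends with an implicit deny."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action
    return "deny"


@dataclass
class NatConfig:
    nonat: list[AclEntry]       # nat (inside) 0 access-list nonat
    statics: dict[IPv4, IPv4]   # static (inside,outside) public private  (keyed by private)
    nat1_net: Net               # nat (inside) 1 <net> <mask>
    interface_ip: IPv4          # global (outside) 1 interface


def translate(cfg: NatConfig, src: str, dst: str) -> tuple[str, str]:
    """Outbound inside->outside lookup in the pre-8.3 order (assumed model):
    NAT exemption, then static, then regular dynamic nat/global.
    Returns (rule that matched, source address as seen on the outside)."""
    s, d = IPv4(src), IPv4(dst)
    if acl_action(cfg.nonat, s, d) == "permit":
        return "nat 0 exemption", str(s)          # private address leaves untouched
    if s in cfg.statics:
        return "static", str(cfg.statics[s])      # fixed public address, firewall-friendly
    if s in cfg.nat1_net:
        return "nat/global 1 (PAT)", str(cfg.interface_ip)
    # No rule: dropped when nat-control is enabled, otherwise forwarded untranslated.
    return "no rule", str(s)


# Constructed stand-ins for the xxx/yyy placeholders in the post.
OUTSIDE_IF = IPv4("203.0.113.1")
INSIDE_NET = Net("192.168.1.0/24")
STATICS = {IPv4("192.168.1.2"): IPv4("203.0.113.2"),
           IPv4("192.168.1.3"): IPv4("203.0.113.3")}
SERVER_DENIES = [AclEntry("deny", Net("192.168.1.2/32")),
                 AclEntry("deny", Net("192.168.1.3/32"))]
VPN_PEER_NET = Net("10.0.0.0/24")   # hypothetical site-to-site peer that must not be NATed


def posted_config() -> NatConfig:
    """nonat as written in the answer: ends in 'permit ip any any'."""
    return NatConfig(SERVER_DENIES + [AclEntry("permit", ANY, ANY)],
                     STATICS, INSIDE_NET, OUTSIDE_IF)


def restricted_config() -> NatConfig:
    """nonat limited to the traffic that should really bypass NAT (the VPN peer)."""
    return NatConfig(SERVER_DENIES + [AclEntry("permit", INSIDE_NET, VPN_PEER_NET)],
                     STATICS, INSIDE_NET, OUTSIDE_IF)


def compare(src: str, dst: str) -> dict[str, tuple[str, str]]:
    """Same flow evaluated against both configurations."""
    return {"posted": translate(posted_config(), src, dst),
            "restricted": translate(restricted_config(), src, dst)}


if __name__ == "__main__":
    for src, dst in [("192.168.1.50", "198.51.100.10"),   # ordinary LAN host to the Internet
                     ("192.168.1.2", "198.51.100.10"),    # server1 to the Internet
                     ("192.168.1.50", "10.0.0.5")]:       # LAN host to the VPN peer
        for name, result in compare(src, dst).items():
            print(f"{name:10} {src} -> {dst}: {result[0]:22} appears as {result[1]}")
```

With the nonat list as posted, the ordinary host 192.168.1.50 matches "permit ip any any" and is exempted, so it never reaches the nat/global 1 rule; the two servers still work only because the deny entries push them past the exemption to their statics. With the restricted list, the host is PATed to the interface address toward the Internet and exempted only toward the VPN peer, which is the behaviour the answer describes in prose.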


3 Replies


Hey, thanks for such a quick answer! Nor did you find it hard to write all these lines... :)

Thx

esanchez (Level 1)

Hello, yes it is possible, but you need a static command for the servers (one per one)

static (inside,outside) public_ip internal_ip

And you need a global and NAT command for the rest of the IPs, and this does a PAT rule.

In theory with only 1 IP you can serve 65,000 internal IPs, but in practice it is 4000 internal IPs. (PAT of course)
