07-21-2003 10:09 PM - edited 03-09-2019 04:08 AM
Is it possible? Let's say you have a pool of 20 public addresses and you have 30 LAN computers. You want to assign the same public address to some of the servers. And the rest can get addresses from the pool in a random way.
It would be nice so one can easily make the proper firewall rules.
07-21-2003 10:39 PM
Yes, this is possible. You can use the nat and global commands for dynamic translation and the static command for static translation at the same time.
Here's an example:
Public IP-range on outside: xxx.xxx.xxx.0/27
(IP-addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)
Private IP-range on inside: yyy.yyy.yyy.0/24
In the example I will statically translate server1 from xxx.xxx.xxx.2 to yyy.yyy.yyy.2 (same for server2, but using address .3).
All other IPs will be dynamically translated.
Here's a sample config showing how you could achieve this:
ip address outside xxx.xxx.xxx.1 255.255.255.224
ip address inside yyy.yyy.yyy.1 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0
global (outside) 1 interface
static (inside, outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2
static (inside, outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3
access-list nonat deny ip host yyy.yyy.yyy.2 any
access-list nonat deny ip host yyy.yyy.yyy.3 any
access-list nonat permit ip any any
Kind Regards,
Leo
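An added example, not part of Leo's post: the same layout with the remaining hosts drawn from an address pool as the question describes, plus the inbound rules that the fixed server addresses make possible. The pool range, the PAT overflow address, the ACL name outside_in and the permitted ports are assumptions chosen for illustration, and the example uses only nat, global and static because a nat 0 access-list exempts the traffic it permits from translation.

```cisco
: Added example (PIX 6.x style syntax); addresses are placeholders as in the post
ip address outside xxx.xxx.xxx.1 255.255.255.224
ip address inside yyy.yyy.yyy.1 255.255.255.0
: Dynamic translation for the inside network
nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0
: Assumed pool of 19 addresses handed out one per inside host
global (outside) 1 xxx.xxx.xxx.4-xxx.xxx.xxx.22 netmask 255.255.255.224
: Assumed single PAT address used once the pool is exhausted
global (outside) 1 xxx.xxx.xxx.23 netmask 255.255.255.224
: Fixed one-to-one translations for the two servers
static (inside,outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3 netmask 255.255.255.255
: Inbound rules reference the fixed public addresses (services are assumed)
access-list outside_in permit tcp any host xxx.xxx.xxx.2 eq www
access-list outside_in permit tcp any host xxx.xxx.xxx.3 eq smtp
access-group outside_in in interface outside
```

Keep the static addresses outside the global range so a dynamically translated host can never be assigned a server's public address, and check the result with show xlate.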
07-21-2003 11:12 PM
Hey thanks for such a quick answer! Neither you found it hard to write all these lines... :)
Thx
07-22-2003 08:27 AM
Hello. Yes, it is possible, but you need a static command for the servers (one per server):
static (inside,outside) public_ip internal_ip
And you need a global and a nat command for the rest of the IPs, and this makes a PAT rule.
In theory, with only 1 IP you can serve 65,000 internal IPs, but in practice it is 4000 internal IPs. (PAT, of course.)