Cisco Support Community
Community Member

static & dynamic NAT at the same time?

Is it possible? Let's say you have the pool of 20 public addresses and you have 30 LAN computers. You want to assign the same public address to some of the servers. And the rest can get addresses from the pool in the random way.

It would be nice so one can easily make the proper firewall rules.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: static & dynamic NAT at the same time?

Yes, this is possible: you can use the nat and global commands for dynamic translation and use static commands for static translation at the same time.

Here's an example:

Public IP-range on outside: xxx.xxx.xxx.0/27

(IP-addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)

Private IP-range on inside: yyy.yyy.yyy.0/24

In the example I will statically translate server1 from xxx.xxx.xxx.2 to yyy.yyy.yyy.2 (same for server2, but using address .3)

All other IPs will be dynamically translated.

Here's a sample config how you could achieve this:

ip address outside xxx.xxx.xxx.1 255.255.255.224

ip address inside yyy.yyy.yyy.1 255.255.255.0

: dynamic translation for the inside network (PAT to the outside interface address)

nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0

global (outside) 1 interface

: one-to-one static translations for server1 and server2; these take precedence over nat/global

static (inside,outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2

static (inside,outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3

: no "nat (inside) 0 access-list" exemption is needed: an exemption list ending in "permit ip any any" would send every other host out untranslated

Kind Regards,

Leo
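
An offline consistency check for the mixed static/dynamic setup discussed in this thread, as an added example that is not part of the original posts: it flags static mappings whose public address collides with the dynamic pool or the interface address, and nat ids that have no matching global. The function name audit_nat, the 203.0.113.0/27 and 192.168.10.0/24 addresses and the pool range are constructed for illustration; only the command forms shown in the thread are parsed.

```python
import ipaddress
import re

# Constructed sample: documentation addresses stand in for the thread's xxx/yyy
# placeholders, and a 20-address pool is used instead of "global ... interface".
SAMPLE_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 203.0.113.3-203.0.113.22
static (inside,outside) 203.0.113.2 192.168.10.2
static (inside,outside) 203.0.113.3 192.168.10.3
"""

STATIC_RE = re.compile(r"^static \(\w+,\s*(\w+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \(\w+\) (\d+) ")
IFADDR_RE = re.compile(r"^ip address (\w+) (\S+) ")


def audit_nat(config):
    """Return findings where static and dynamic NAT entries conflict."""
    ip = ipaddress.ip_address
    statics, pools, nat_ids, global_ids, if_addr = [], [], set(), set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append((m[1], ip(m[2]), ip(m[3])))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m[2])
            if m[3] != "interface":  # a range "a-b" or a single PAT address
                lo, _, hi = m[3].partition("-")
                pools.append((m[1], ip(lo), ip(hi or lo)))
        elif m := NAT_RE.match(line):
            nat_ids.add(m[1])
        elif m := IFADDR_RE.match(line):
            if_addr[m[1]] = ip(m[2])
    findings = []
    for iface, public, private in statics:
        if if_addr.get(iface) == public:
            findings.append(f"static {public} reuses the {iface} interface address")
        for p_if, lo, hi in pools:
            if p_if == iface and lo <= public <= hi:
                findings.append(f"static {public} lies inside dynamic pool {lo}-{hi}")
    publics = [s[1] for s in statics]
    findings += [f"public {a} is mapped by more than one static"
                 for a in sorted(set(publics)) if publics.count(a) > 1]
    findings += [f"nat id {i} has no matching global"
                 for i in sorted(nat_ids - global_ids - {"0"})]
    return findings
```

In the sample, the pool starts at .3 and therefore overlaps server2's static address; moving the pool to 203.0.113.10-203.0.113.29 clears the finding.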

3 REPLIES
Community Member

Re: static & dynamic NAT at the same time?

Hey, thanks for such a quick answer! And you didn't find it hard to write all these lines either... :)

Thx

Community Member

Re: static & dynamic NAT at the same time?

Hello, yes, it is possible, but you need a static command for the servers (one per server)

static (inside,outside) public_ip internal_ip

And you need a global and a nat command for the rest of the IPs, and this makes a PAT rule.

In theory, with only 1 IP you can serve 65,000 internal IPs, but in practice it is 4000 internal IPs (PAT, of course).
