Policy based NAT using "floating static NAT"

rasoftware
Level 1

I have a PIX behind a router with 2 WAN interfaces. Main interface is for traffic and it fails over if it goes down. I have PBR enabled for traffic from the PIX, it fails over great. In order to allow remote IPSEC sessions I have two static translations on the router to the outside PIX interface. Problem is due to their static nature when I fail over to the backup the outgoing VPN uses the 1st static and not the backup - a problem overcome with Policy NAT for all other traffic. What in essence I need is a "floating" static NAT - no idea if this is possible.

I include a brief config of policy NAT in place

! IKE (500) and NAT-T (4500) are UDP, not TCP
ip nat inside source static udp 192.100.150.1 4500 interface FastEthernet0 4500
ip nat inside source static udp 192.100.150.1 500 interface FastEthernet0 500
ip nat inside source static udp 192.100.150.1 4500 interface Dialer0 4500
ip nat inside source static udp 192.100.150.1 500 interface Dialer0 500
ip nat inside source route-map ispA interface FastEthernet0 overload
ip nat inside source route-map ispB interface Dialer0 overload
!
route-map ispB permit 10
 match ip address 40
 match interface Dialer0
!
route-map ispA permit 10
 match ip address 40
 match interface FastEthernet0
!
route-map IPSEC permit 30
 match ip address 110
 match interface Dialer0
 set interface Dialer0

I know I can probably achieve this using router-router VPN but the client is keen to keep the PIX and use the router to provide WAN redundancy. If I remove the static it works great if initiating IPSEC from the PIX but inbound IPSEC connections will never complete.


I managed to get this resolved - thought I'd share it as a lot of people are implementing redundant WANs. You can add a route-map statement to the end of a static NAT statement.

For example

ip nat inside source static udp 192.100.151.1 500 195.173.189.21 500 route-map static_A extendable
ip nat inside source static udp 192.100.151.1 4500 195.173.189.21 4500 route-map static_A extendable

and create appropriate ACL and route-maps.

Works a treat for PIX using IPSEC behind a NAT router when you have multiple peers defined on the PIX.
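A fuller version of the "appropriate ACL and route-maps" the reply leaves out, as an added example rather than the poster's own config: one static pair per WAN, each tied to its egress interface by a route-map, so inbound and outbound IKE/NAT-T follow whichever link is active. Assumed values: PIX outside address 192.100.151.1, ISP A public address 195.173.189.21 on FastEthernet0, ISP B with a dynamic address on Dialer0 (the interface-form static combined with route-map is an assumption about supported syntax on this platform).

```cisco
! Added example (not the poster's config): static NAT that follows the active WAN.
! Assumed: PIX outside 192.100.151.1, ISP A static 195.173.189.21 on FastEthernet0,
! ISP B dynamic address on Dialer0.
!
! ACL matching the PIX outside address (the IPsec endpoint being translated)
access-list 120 permit ip host 192.100.151.1 any
!
! "match interface" ties each static to one WAN; only the static whose
! interface is the current egress is used, so the translation "floats".
route-map static_A permit 10
 match ip address 120
 match interface FastEthernet0
!
route-map static_B permit 10
 match ip address 120
 match interface Dialer0
!
! ISP A: fixed public address. "extendable" allows the same inside
! address/port to appear in a second static for ISP B.
ip nat inside source static udp 192.100.151.1 500 195.173.189.21 500 route-map static_A extendable
ip nat inside source static udp 192.100.151.1 4500 195.173.189.21 4500 route-map static_A extendable
!
! ISP B: address is assigned to Dialer0, so translate to the interface address
! (assumed: interface form accepts a route-map on this IOS release).
ip nat inside source static udp 192.100.151.1 500 interface Dialer0 500 route-map static_B extendable
ip nat inside source static udp 192.100.151.1 4500 interface Dialer0 4500 route-map static_B extendable
!
! After a failover, confirm which static is in use:
! show ip nat translations | include :500
```

Keep the PBR route-map for PIX-originated traffic (the poster's IPSEC route-map) in place; the statics above only decide which public address the IKE/NAT-T ports are translated to, not which interface the packet leaves on.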
