Policy based NAT using "floating static NAT"

I have a PIX behind a router with 2 WAN interfaces. The main interface is for traffic and it fails over if it goes down. I have PBR enabled for traffic from the PIX, and it fails over great. In order to allow remote IPSEC sessions I have two static translations on the router to the outside PIX interface. Problem is, due to their static nature, when I fail over to the backup the outgoing VPN uses the 1st static and not the backup - a problem overcome with Policy NAT for all other traffic. What in essence I need is a "floating" static NAT - no idea if this is possible.

I include a brief config of the policy NAT in place:

! Static port translations for IKE (500) and NAT-T (4500); both run over UDP,
! not TCP, so the protocol keyword has been corrected from tcp to udp here
ip nat inside source static udp 192.100.150.1 4500 interface FastEthernet0 4500
ip nat inside source static udp 192.100.150.1 500 interface FastEthernet0 500
ip nat inside source static udp 192.100.150.1 4500 interface Dialer0 4500
ip nat inside source static udp 192.100.150.1 500 interface Dialer0 500
! Dynamic PAT for everything else: each translation is tied to its egress interface
ip nat inside source route-map ispA interface FastEthernet0 overload
ip nat inside source route-map ispB interface Dialer0 overload
!
route-map ispB permit 10
 match ip address 40
 match interface Dialer0
!
route-map ispA permit 10
 match ip address 40
 match interface FastEthernet0
!
! PBR map that steers IPsec traffic out of the backup link
route-map IPSEC permit 30
 match ip address 110
 match interface Dialer0
 set interface Dialer0

I know I can probably achieve this using a router-to-router VPN, but the client is keen to keep the PIX and use the router to provide WAN redundancy. If I remove the static it works great when initiating IPSEC from the PIX, but inbound IPSEC connections will never complete.

Re: Policy based NAT using "floating static NAT"

I managed to get this resolved - thought I'd share it as a lot of people are implementing redundant WANs. You can add a route-map statement to the end of a static NAT statement.

For example

ip nat inside source static udp 192.100.151.1 500 195.173.189.21 500 route-map static_A extendable
ip nat inside source static udp 192.100.151.1 4500 195.173.189.21 4500 route-map static_A extendable

and create appropriate ACL and route-maps.

Works a treat for PIX using IPSEC behind a NAT router when you have multiple peers defined on the PIX.
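The reply leaves the ACL and route-maps to the reader, and the question shows only the single-interface statics. Below is an added, complete version of the "floating" static NAT for both ISP links; it is example configuration written for this page, not the poster's own config. It reuses the inside address 192.100.151.1, the primary public address 195.173.189.21 and the route-map name static_A from the reply; the backup public address 198.51.100.2 (a documentation-prefix placeholder standing in for the Dialer0 address), the interface roles, access-list 40's range and the name static_B are assumptions.

```cisco
! Added example: per-ISP static NAT for the PIX's IKE/NAT-T ports.
! Assumed: FastEthernet0 = ISP A (primary), Dialer0 = ISP B (backup),
! FastEthernet1 = inside link to the PIX, 198.51.100.2 = backup public address.
!
interface FastEthernet0
 ip nat outside
!
interface Dialer0
 ip nat outside
!
interface FastEthernet1
 description inside, towards the PIX outside interface
 ip nat inside
!
! Inside hosts eligible for translation (assumed range)
access-list 40 permit 192.100.151.0 0.0.0.255
!
! Each route-map matches on the egress interface that routing/PBR selected,
! so a translation is only used while that ISP link is the active path.
route-map static_A permit 10
 match ip address 40
 match interface FastEthernet0
!
route-map static_B permit 10
 match ip address 40
 match interface Dialer0
!
! The same local address/port is translated twice, once per ISP address.
! "extendable" permits the duplicate local mapping; "route-map" binds each
! entry to its ISP so the right one is chosen after failover.
ip nat inside source static udp 192.100.151.1 500 195.173.189.21 500 route-map static_A extendable
ip nat inside source static udp 192.100.151.1 4500 195.173.189.21 4500 route-map static_A extendable
ip nat inside source static udp 192.100.151.1 500 198.51.100.2 500 route-map static_B extendable
ip nat inside source static udp 192.100.151.1 4500 198.51.100.2 4500 route-map static_B extendable
!
! Dynamic PAT for all other inside traffic, tied to the same per-ISP route-maps
ip nat inside source route-map static_A interface FastEthernet0 overload
ip nat inside source route-map static_B interface Dialer0 overload
```

After a failover, `show ip nat translations` should list the 192.100.151.1:500 and :4500 entries against the backup address rather than the primary one; if the primary entries are still being used, the route-map's `match interface` is not agreeing with the interface PBR actually selected. Since these statics expose UDP 500 and 4500 on both public addresses, an inbound ACL on each outside interface that limits those ports to the PIX's known peers keeps the exposure to the intended VPN endpoints.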
