Posted by Andrew Hodgson on June 30, 2008, 6:09 pm
This is what I was thinking of doing:

Router:
interface Ethernet0
 ip address xx.xx.xx.209 255.255.255.240

interface Dialer0
 ip address negotiated (receives WAN static)

Firewall:

interface vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.210 255.255.255.240

interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100

global (outside) 1 interface
global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240
nat (inside) 1 0 0

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1 (can this go in the outside interface definition?)
access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

What I want to achieve with this is the following:

- All outgoing connections from anything on 192.168.1.0/24 are presented to the outside on xx.xx.xx.209.
- I have a server on 192.168.1.10 which I want presented to the outside world on xx.xx.xx.211.
- I want people to connect to the IP address xx.xx.xx.211 on port 25 and be connected to this server.

Will this do it?

The other way I was looking at it was this:

global (outside) 1 interface
global (outside) 2 xx.xx.xx.211 255.255.255.240
nat (inside) 1 0 0
nat (inside) 2 access-list mail_server

access-list mail_server extended permit tcp any host 192.168.1.10 eq 25

I also have some IP addresses with no inbound connections, but I need to ensure that they present on the outside using a specific IP address.

Any help would be gratefully received.

Thanks.
Andrew.
Posted by PacketU on June 30, 2008, 8:13 pm
I'm not sure what you mean by "All outgoing connections from anything on 192.168.1.0/24 is presented to the outside on xx.xx.xx.209."

Your config will route all traffic to xx.xx.xx.209, but it will be presented as xx.xx.xx.11-xx.xx.xx.222, then PAT'd to xx.xx.xx.210. So based on the static, the first 212 hosts will get a 1-to-1 NAT, then port-level PAT after that.

On the access list, you will want to specify the public IP as the destination. It is applied before the NAT changes it to the private address.

The second example may have unintended consequences. I would use my recommendations and modify the first config. Also, the second config shows 211 as the start of the NAT range where the first one shows 11.
Posted by Andrew Hodgson on July 1, 2008, 1:18 pm
wrote:
>I'm not sure what you mean by "All outgoing connections from anything on
>192.168.1.0/24 is presented to the outside on xx.xx.xx.209."

Oops, that should have been xx.xx.xx.210, i.e. the firewall outside interface.

>Your config will route all traffic to xx.xx.xx.209, but will be presented as
>xx.xx.xx.11-xx.xx.xx.222 then PAT'd xx.xx.xx.210. So based on the Static the
>first 212 host will get a 1 to 1 nat then port level pat after that.

OK. I want to get rid of the NAT, so that we just have the PAT for xx.xx.xx.210 for anything going outside other than a few IP addresses, which will be NATted to specific public IP addresses.

>On the access list, you will want to specify the public ip as the
>destination. It is applied before the NAT changes to the private address.
>The second example may have unintended consequences.

OK, that makes a bit more sense. If I change:

>> access-list outside_access_in extended permit tcp any host
>> 192.168.1.10 eq 25

to:

>> access-list outside_access_in extended permit tcp any host
>> xx.xx.xx.211 eq 25

and then have this:

>> static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask
>> 255.255.255.240

Will this work? If so, will the following NAT commands be sufficient:

>> global (outside) 1 interface
>> nat (inside) 1 0 0

>I would use my recommendations and modify the first config. Also, the
>second config shows 211 as the start of the NAT range where the first one
>shows 11.

211 is the correct number - my bad again.

Thanks.
Andrew.
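An added example, not code from the thread or from either poster: a small Python model of the pre-8.3 ASA NAT behaviour PacketU describes, applied to the config Andrew settles on (a static for the mail server, nat 1 / global interface PAT for every other inside host, and the inbound ACL written against the public address). The 203.0.113.0/24 addresses are a constructed stand-in for the thread's xx.xx.xx values.

```python
from typing import Dict, List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation range) standing in for xx.xx.xx
OUTSIDE_IF = "203.0.113.210"          # "interface vlan2 / nameif outside" address
MAIL_SERVER_PUBLIC = "203.0.113.211"
MAIL_SERVER_REAL = "192.168.1.10"

# static (inside,outside) 203.0.113.211 192.168.1.10 -> fixed 1:1, both directions
STATICS: Dict[str, str] = {MAIL_SERVER_REAL: MAIL_SERVER_PUBLIC}
UNSTATICS: Dict[str, str] = {pub: real for real, pub in STATICS.items()}

# access-list outside_access_in extended permit tcp any host 203.0.113.211 eq 25
# Entries are (protocol, destination as seen on the outside, destination port).
OUTSIDE_ACL: List[Tuple[str, str, int]] = [("tcp", MAIL_SERVER_PUBLIC, 25)]


def outbound_source(inside_ip: str) -> Tuple[str, str]:
    """Public source address an inside host is presented with.

    Static translations are matched before nat/global; every other inside
    host falls through to "nat (inside) 1 0 0" + "global (outside) 1 interface",
    i.e. PAT behind the outside interface address.
    """
    if inside_ip in STATICS:
        return ("static", STATICS[inside_ip])
    return ("pat", OUTSIDE_IF)


def inbound(proto: str, dst_ip: str, dst_port: int,
            acl: Optional[List[Tuple[str, str, int]]] = None
            ) -> Tuple[bool, Optional[str]]:
    """Model a packet arriving on the outside interface.

    The interface ACL is evaluated against the untranslated (public)
    destination first; only then is the static used to reach the real host.
    An ACL written against the private address therefore never matches.
    Returns (permitted, real destination or None when no static exists).
    """
    rules = OUTSIDE_ACL if acl is None else acl
    permitted = any(p == proto and ip == dst_ip and port == dst_port
                    for p, ip, port in rules)
    if not permitted:
        return (False, None)
    return (True, UNSTATICS.get(dst_ip))
```

The model reflects ASA 7.x/8.2 semantics; from ASA 8.3 the NAT syntax changed and interface ACLs match the real (private) address instead, so the same ACL line would reference 192.168.1.10 there.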
Question about NAT (maybe need to use policy NAT)?