Question about NAT (maybe need to use policy NAT)?


This is what I was thinking of doing:

Router:

interface Ethernet0
 ip address xx.xx.xx.209

interface Dialer0
 ip address negotiated (receives WAN static)


interface vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.210

interface vlan1
 nameif inside
 ip address
 security-level 100

global (outside) 1 interface
global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask
nat (inside) 1 0 0

route outside xx.xx.xx.209 1 (can this go in the outside interface definition?)
access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any host eq 25

static (inside,outside) xx.xx.xx.211 netmask

What I want to achieve with this is the following:

- All outgoing connections from anything on is presented to the outside on xx.xx.xx.209.

- I have some server on which I want presenting to the outside world on xx.xx.xx.211.

- I want people to connect to the IP address xx.xx.xx.211 on port 25 and they will be connected to this server.

Will this do it?

The other way I was looking at it was this:

global (outside) 1 interface
global (outside) 2 xx.xx.xx.211
nat (inside) 1 0 0
nat (inside) 2 access-list mail_server

access-list mail_server extended permit tcp any host eq 25

I also have some IP addresses with no inbound connections, but I need to ensure that they present on the outside using a specific IP address.

Any help would be gratefully received.

Thanks. Andrew.


I'm not sure what you mean by "All outgoing connections from anything on is presented to the outside on xx.xx.xx.209."

Your config will route all traffic to xx.xx.xx.209, but it will be presented as xx.xx.xx.11-xx.xx.xx.222 and then PAT'd to xx.xx.xx.210. So based on the static, the first 212 hosts will get a 1-to-1 NAT, then port-level PAT after that.

On the access list, you will want to specify the public IP as the destination. It is applied before the NAT changes to the private address. The second example may have unintended consequences.

I would use my recommendations and modify the first config. Also, the second config shows 211 as the start of the NAT range where the first one shows 11.
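The reply's points applied to the first configuration, as an added example that is not part of the original thread. It uses pre-8.3 PIX/ASA NAT syntax; angle-bracket values are placeholders for addresses elided in the post, and xx.xx.xx.212 and NAT ID 2 for the outbound-only host are assumptions.

```text
! Added example (pre-8.3 PIX/ASA NAT syntax); <...> values are placeholders.

! Default route to the router's Ethernet0 address.
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1

! Everything on the inside is PAT'd to the outside interface address (xx.xx.xx.210).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Mail server: fixed one-to-one translation, used in both directions.
static (inside,outside) xx.xx.xx.211 <mail-server-inside-ip> netmask 255.255.255.255

! Inbound ACL names the public (mapped) address, because it is evaluated
! before the destination is translated to the inside address.
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25
access-group outside_access_in in interface outside

! Outbound-only host that must appear as a specific public address:
! a more specific nat rule with its own global (PAT to one address).
! xx.xx.xx.212 and NAT ID 2 are assumed for illustration.
nat (inside) 2 <host-inside-ip> 255.255.255.255
global (outside) 2 xx.xx.xx.212
```

With no static and no ACL entry for xx.xx.xx.212, that host has no inbound exposure; `show xlate` and `show access-list outside_access_in` confirm which translation and rule are in use.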


Oops, that should have been xx.xx.xx.210, i.e., the firewall outside interface.

Ok. I want to get rid of the NAT, so that we just have the PAT for xx.xx.xx.210 for anything going outside other than a few IP addresses, which will be NATted to specific public IP addresses.

Ok, that makes a bit more sense. If I change:


Then have this:

Will this work?

If so, will the following NAT commands be sufficient:

211 is the correct number - my bad again.

Thanks. Andrew.
