Identity NAT/PAT, 2 interface, same major network - Walter Roberson, you there? :)

Discussion in 'Cisco' started by Cisco Guy, Jul 21, 2005.

  1. Cisco Guy

    Cisco Guy Guest

    Hello,

    I'd appreciate a sanity check! :) Here goes:

    - 10.0.0.0/8 behind the INSIDE interface
    - Access to vendor host (200.x.x.x address) via a DMZ interface
    - Currently, identity NAT is setup as INSIDE (10.0.0.0/8) -> DMZ
    (10.0.0.0/8)

    Requirements:

    - Vendor requires endpoints accessing their host (200.x.x.x) to appear
    from a single subnet (10.1.1.0 /24)
    - My endpoints live in the 10.1.1.0 /24 (5 hosts) subnet and 10.2.1.0
    /24 (2 hosts) subnets

    Could I simply do the following?

    - Remove the 10.0.0.0/8 identity NAT statement.
    - Create a new identity NAT statement for 10.1.1.0/24. I still need to
    do identity NAT since I have other endpoints accessing other devices on
    that DMZ segment.
    - Create a dynamic NAT (PAT) statement for the 10.2.1.0/24 subnet that
    points to an address in the 10.1.1.0/24 network (such as 10.1.1.10).
    - The PAT address would be assigned a pool ID and to the DMZ interface.

    When I've tried this, I don't seem to have any luck. I assume that the
    PIX is having issues with the identity NAT statement and the dynamic NAT
    (PAT) statements since the PAT address is in the range of the identity
    NAT statement?

    Thanks for any input!
     
    Cisco Guy, Jul 21, 2005
    #1

  2. rave

    rave Guest

    Re: Identity NAT/PAT, 2 interface, same major network - Walter Roberson, you there? :)

    What best you can do is not to nat the traffic with the same subnet as
    inside but with some other subnet like 10.100.1.0. What you need is
    policy based nat:

    access-list policy permit 10.1.1.0 255.255.255.0 200.0.0.0 255.0.0.0
    access-list policy permit 10.2.1.0 255.255.255.0 200.0.0.0 255.0.0.0

    nat (inside) 100 access-list policy
    global (dmz) 100 10.100.1.0 255.255.255.0

    you have to specify in the access-list applied on inside interface what
    particular ip's are allowed.

    In this way you will not mess up with the static identity nat as well
     
    rave, Jul 21, 2005
    #2
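To see concretely why the original design and the policy-NAT reply behave differently, here is an added example (not code from the thread, and not a PIX implementation) that models which address each inside host presents on the DMZ side under both designs and checks for the ambiguity the original poster suspected: a PAT address that is also a real host inside an identity-NAT range. The rule order is an assumption of the model (an ACL-matched source/destination rule is applied before the plain identity statement), and the vendor host, the other DMZ device and the inside host addresses are constructed values.

```python
"""Added example, not from the thread and not a PIX implementation.

Models which address each inside host presents on the DMZ side under the
two translation designs discussed above, and checks for a PAT address
that is also a real host inside an identity-NAT range.  Assumed rule
order: an ACL-matched (source/destination) translation is applied
before the plain identity statement.  Host addresses are constructed.
"""
from ipaddress import ip_address, ip_network


def pick_from_pool(pool, src):
    """Deterministically pick the translated address for src from pool
    (a /32 PAT address, or a larger global pool)."""
    if pool.num_addresses == 1:
        return pool.network_address
    hosts = list(pool.hosts())
    return hosts[int(src) % len(hosts)]


class Design:
    def __init__(self, identity, rules):
        # identity: inside ranges presented unchanged on the DMZ side
        # rules: (source net, destination net, translated /32 or pool)
        self.identity = [ip_network(n) for n in identity]
        self.rules = [(ip_network(s), ip_network(d), ip_network(p))
                      for s, d, p in rules]

    def dmz_view(self, src, dst):
        """Address the DMZ side sees for src -> dst, or None if no rule applies."""
        src, dst = ip_address(src), ip_address(dst)
        for s_net, d_net, pool in self.rules:      # ACL-matched rules first (assumption)
            if src in s_net and dst in d_net:
                return pick_from_pool(pool, src)
        if any(src in n for n in self.identity):   # then plain identity NAT
            return src
        return None


def ambiguous_addresses(design, inside_hosts, dst):
    """DMZ-visible addresses that belong to a real, identity-presented host
    and are also produced by translating some other inside host.
    Several hosts sharing one PAT address on purpose is not flagged."""
    seen = {}
    for h in inside_hosts:
        seen.setdefault(design.dmz_view(h, dst), []).append(ip_address(h))
    return {str(v): [str(s) for s in srcs]
            for v, srcs in seen.items()
            if v is not None and v in srcs and len(srcs) > 1}


# Design from the original post: identity NAT for 10.1.1.0/24 plus PAT of
# 10.2.1.0/24 to 10.1.1.10, an address inside the identity range.
OP_DESIGN = Design(
    identity=["10.1.1.0/24"],
    rules=[("10.2.1.0/24", "0.0.0.0/0", "10.1.1.10/32")],
)

# Design from the reply: keep the 10.0.0.0/8 identity NAT and policy-NAT only
# vendor-bound traffic from both subnets to a pool that no inside host uses.
POLICY_DESIGN = Design(
    identity=["10.0.0.0/8"],
    rules=[("10.1.1.0/24", "200.0.0.0/8", "10.100.1.0/24"),
           ("10.2.1.0/24", "200.0.0.0/8", "10.100.1.0/24")],
)

VENDOR_HOST = "200.1.2.3"    # constructed stand-in for the vendor's 200.x.x.x host
OTHER_DMZ_HOST = "10.0.5.5"  # constructed other DMZ device reached via identity NAT
INSIDE_HOSTS = ["10.1.1.5", "10.1.1.10", "10.2.1.7", "10.2.1.8"]  # constructed

if __name__ == "__main__":
    for name, d in (("original post", OP_DESIGN), ("policy NAT reply", POLICY_DESIGN)):
        print(name, {h: str(d.dmz_view(h, VENDOR_HOST)) for h in INSIDE_HOSTS})
        print("  ambiguous:", ambiguous_addresses(d, INSIDE_HOSTS, VENDOR_HOST))
```

Under the original design the real host 10.1.1.10 and the PAT'd 10.2.1.x hosts all appear to the vendor as 10.1.1.10, so return traffic for that address has two candidate owners; under the policy design the pool is disjoint from every inside host, and traffic to the other DMZ device still keeps its identity address.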

  3. Cisco Guy

    Cisco Guy Guest

    rave wrote:
    > What best you can do is not to nat the traffic with the same subnet as
    > inside but with some other subnet like 10.100.1.0. What you need is
    > policy based nat:
    >
    > access-list policy permit 10.1.1.0 255.255.255.0 200.0.0.0 255.0.0.0
    > access-list policy permit 10.2.1.0 255.255.255.0 200.0.0.0 255.0.0.0
    >
    > nat (inside) 100 access-list policy
    > global (dmz) 100 10.100.1.0 255.255.255.0
    >
    > you have to specify in the access-list applied on inside interface what
    > particular ip's are allowed.
    >
    > In this way you will not mess up with the static identity nat as well
    >

    Thanks for the info...I was wondering if that was the issue. I was also
    reviewing the policy NAT docs and wondering if that was the direction to
    take. It appears that it might be easier to simply NAT to another subnet
    and be done with it!

    Thanks again for your response!
     
    Cisco Guy, Jul 23, 2005
    #3