
Static NAT & Dynamic NAT Together

Status
Not open for further replies.

marshyrob (Technical User, Jan 20, 2004, GB)
Hello

I have a situation where I have had to define a static one-to-one NAT entry for a host to be able to access a certain application. This works fine.

My issue is that this host also needs access to other applications that only allow specific addresses to connect. These are defined in a NAT pool. My host is being denied access to these other apps as it's not being dynamically NAT'ed to one of the addresses in the pools because of the static NAT entry.

How can I get around this as I need the static one-to-one NAT entry AND the dynamic NAT working?

Are sub interfaces my only way forward?

Any help would be appreciated.
 
I don't think what you are saying is the issue...it sounds like something else. Please post a config, and post what IP needs to do what.

Burt
 
Hi Burtsbees

Here are snippets with the IPs changed.

ip nat pool FTP-PROD-POOL 1.1.1.1 1.1.1.10 prefix-length 24
ip nat pool APP-PROD-POOL 2.2.2.2 2.2.2.10 prefix-length 24
ip nat inside source route-map FTP-PROD-NAT pool FTP-PROD-POOL overload
ip nat inside source route-map APP-PROD-NAT pool APP-PROD-POOL overload
!
!
ip nat inside source static 192.168.1.1 2.2.2.11
!
!
!
access-list 101 remark APP-PROD-NAT
access-list 101 permit ip 192.168.0.0 0.0.255.255 host 172.20.1.1
access-list 102 remark FTP-PROD-NAT
access-list 102 permit ip 192.168.0.0 0.0.255.255 host 172.20.1.2
!
!
route-map FTP-PROD-NAT permit 10
match ip address 102
!
!
route-map APP-PROD-NAT permit 10
match ip address 101

So basically my host 192.168.1.1 has a static 1-2-1 NAT configured to allow it to access a specific server. But if my host needs to access the FTP server 172.20.1.2, it needs to be NAT'ed via the FTP-PROD-POOL, but the 1-2-1 NAT entry prevents this from happening. Does this make sense?

Thanks

Rob
 
So anything that comes in on your outside interface destined for 2.2.2.11 will be natted to 192.168.1.1.

So are you sure that maybe your host isn't being translated to 2.2.2.11 and that you will need to allow that host into your ACLs?

I would add a deny any log to the end of that ACL just to see what's being blocked.
 
Nothing initiated from the outside coming inbound is allowed as we have ACLs and CBAC controlling outgoing and incoming traffic.

My host 192.168.1.1 is natted to 2.2.2.11 when it goes outbound to a server on another network (that's the static NAT). But when it needs to access another resource, say the FTP server, this server is expecting addresses in the range of its NAT pool 1.1.1.1 - 1.1.1.10, but because I have a static entry for my host to be natted to 2.2.2.11, every time it goes outbound it is not getting natted to a valid address to access FTP.

I need to understand how I can get around this as the static translation is needed but I also need the host to be able to be dynamically natted too.

Does that make any sense?
 
I think I have what you want working.. and the only difference is that I have extendable at the end of my NAT statements..

Here is Cisco's explanation on it:

[quote]
Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.
[/quote]

 
Hi plshlpme

Really appreciate your help on this and thanks for finding the info out, it would actually work except for one thing.

If my understanding is correct the extendable statement allows the static host entry to be natted to multiple addresses.

So in my example:

ip nat inside source static 192.168.1.1 2.2.2.11 extendable
ip nat inside source static 192.168.1.1 2.2.2.12 extendable
ip nat inside source static 192.168.1.1 2.2.2.14 extendable

and so on.

There are probably 30-40 hosts that this config would apply to. I have 3 NAT pools that are related to 3 different app servers that expect communication on certain IPs. 30-40 hosts can access any of the 3 apps at any time so I'm looking at about 120 NAT extendable statements on my router.

Have I understood this correctly?
 
I think the NAT statements you currently have are fine.. just add extendable to the

ip nat inside source static 192.168.1.1 2.2.2.11

..

The only reason you'd have to make more statements is if this scenario existed for more hosts.

Do you have more static 1-2-1 NATs that you excluded in this post?

I have a similar scenario.. all my traffic appears as .2 for example.. but if the destination is port 25 for SMTP traffic my NAT rules make sure that it appears as .3

Without extendable I think your router is not allowing your 192.168.1.1 host to have any more translations other than the static entry.


 
So would my host still use the NAT pool if it were accessing the FTP server, rather than using its static 1-2-1 entry for the APP site, if I added extendable to the static entry?

So if accessing the APP server my host gets natted to 192.168.1.1 2.2.2.11

But if accessing the FTP server my host uses the pool and gets natted to an address in the range 1.1.1.1 1.1.1.10 ?
 
Do you have more than one FTP server? You have to be careful with that and CBAC---CBAC relies on what is in its PAM database---you would have to let PAM know about any other FTP ports.

Burt
 
Hi Burtsbees

Sorry for not replying, I've been on annual leave!

We don't use more than one FTP server but we rely on NAT to access different servers.

So one server hosts an application that users use, the other server is an FTP server that the technical teams use, and the other is a call recording server.

So my problem is that for the call recording to work I have to define a 1-2-1 NAT entry so that the server can initiate a connection back in. But by adding this 1-2-1 entry I cannot access the FTP server or the application server as they also require NAT; we use NAT pools for this. With a 1-2-1 entry defined for my host, how will it also use the NAT pools that have a different address range assigned to them?

Any help is appreciated.

Rob
 
So to clarify, all this NATing is taking place on your local network? The router processes NAT in sequential order and the first match that it makes is the one that is processed.
 
Yes the NAT statements are on the router on our Network. This then allows our private addressing access onto a partners network by being NATTED to one of their private addresses.

 
I'm still trying to get my head around what you're doing...

I think your static NAT may need a route-map on it as well.

That means multiple NAT entries per host if you have more hosts that require this access though...

Something like:

access-list 103 remark CATCH-ALL
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
no ip nat inside source static 192.168.1.1 2.2.2.11
ip nat inside source static 192.168.1.1 1.1.1.1 route-map FTP-PROD-NAT extendable
ip nat inside source static 192.168.1.1 2.2.2.1 route-map FTP-APPS-NAT extendable
ip nat inside source static 192.168.1.1 2.2.2.11 route-map CATCH-ALL extendable

route-map CATCH-ALL permit 10
match ip address 103

The catch-all route-map would be a permit any any type of scenario so you would want it last in the NAT entries for that host..

Let me know if that helps at all??

I still don't understand why you need the static NAT on that host.. does it host a service that other people need to get to?
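The first-match rule Burt stated a few posts up and the per-destination static entries plshlpme sketched above can be checked with a small model. This is an added example, not part of the thread and not Cisco code: it mimics the ordered, first-match inside-source NAT lookup the thread describes (a static entry without a route-map matches every packet from its local address; a route-map-qualified entry matches only when its ACL permits the flow), using the thread's sanitised addresses plus a constructed address 172.20.1.3 for the call recording server, which the thread never gives. The `NatRule` and `AclEntry` classes, the rule names, and handing out a pool's first address in place of real PAT allocation are the example's own simplifications, not router behaviour the page documents.

```python
"""Toy model of ordered, first-match inside-source NAT selection.

Added illustration for the thread; NOT Cisco IOS code and not the router's
real lookup implementation.  Addresses are the thread's sanitised examples
except CALL_REC_SERVER, which is constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Match one address the way an IOS access-list does: a wildcard bit of 1
    means 'do not care', a 0 bit means 'must equal the network bit'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


@dataclass
class AclEntry:
    """One 'permit ip <src> <src-wc> <dst> <dst-wc>' line."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def permits(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


@dataclass
class NatRule:
    name: str
    kind: str                       # "static" or "pool"
    local: Optional[str]            # static: its inside local address; pool: None
    acl: Optional[List[AclEntry]]   # route-map ACL; None = no route-map, matches all
    globals_: List[str]             # static: [global address]; pool: pool addresses

    def applies(self, src: str, dst: str) -> bool:
        if self.kind == "static" and src != self.local:
            return False
        if self.acl is None:            # unconditional static: every flow from host
            return True
        return any(e.permits(src, dst) for e in self.acl)


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (inside global address, rule name) for an inside->outside flow.
    Rules are tried top to bottom and the first match wins.  For an overload
    pool this toy hands out the pool's first address (real PAT also picks a port)."""
    for rule in rules:
        if rule.applies(src, dst):
            return rule.globals_[0], rule.name
    return None, "no translation"


def pool(first: str, last: str) -> List[str]:
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


HOST, FTP_SERVER, APP_SERVER = "192.168.1.1", "172.20.1.2", "172.20.1.1"
CALL_REC_SERVER = "172.20.1.3"   # constructed: the thread gives no address for it

ACL_101 = [AclEntry("192.168.0.0", "0.0.255.255", APP_SERVER, "0.0.0.0")]           # APP-PROD-NAT
ACL_102 = [AclEntry("192.168.0.0", "0.0.255.255", FTP_SERVER, "0.0.0.0")]           # FTP-PROD-NAT
ACL_103 = [AclEntry("192.168.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")]    # CATCH-ALL
FTP_POOL = pool("1.1.1.1", "1.1.1.10")
APP_POOL = pool("2.2.2.2", "2.2.2.10")

# Rob's original setup: the unconditional static entry matches first, so every
# packet from the host leaves as 2.2.2.11 and the pools are never consulted.
BEFORE = [
    NatRule("static 2.2.2.11", "static", HOST, None, ["2.2.2.11"]),
    NatRule("FTP-PROD-POOL", "pool", None, ACL_102, FTP_POOL),
    NatRule("APP-PROD-POOL", "pool", None, ACL_101, APP_POOL),
]

# plshlpme's suggestion: route-map-qualified statics per destination, catch-all last.
AFTER = [
    NatRule("static 1.1.1.1 via FTP-PROD-NAT", "static", HOST, ACL_102, ["1.1.1.1"]),
    NatRule("static 2.2.2.1 via APP-PROD-NAT", "static", HOST, ACL_101, ["2.2.2.1"]),
    NatRule("static 2.2.2.11 via CATCH-ALL", "static", HOST, ACL_103, ["2.2.2.11"]),
    NatRule("FTP-PROD-POOL", "pool", None, ACL_102, FTP_POOL),
    NatRule("APP-PROD-POOL", "pool", None, ACL_101, APP_POOL),
]


def ftp_server_accepts(inside_global: Optional[str]) -> bool:
    """The partner's FTP server only admits sources from the FTP pool range."""
    return inside_global in FTP_POOL


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for dst in (FTP_SERVER, APP_SERVER, CALL_REC_SERVER):
            g, why = translate(rules, HOST, dst)
            print(f"{label}: {HOST} -> {dst} appears as {g} ({why})")
    print("FTP accepts before:", ftp_server_accepts(translate(BEFORE, HOST, FTP_SERVER)[0]))
    print("FTP accepts after: ", ftp_server_accepts(translate(AFTER, HOST, FTP_SERVER)[0]))
```

Running it shows the symptom from the thread (the host reaches the FTP server as 2.2.2.11, which is outside 1.1.1.1 - 1.1.1.10) and why ordering matters in the suggested fix: if the CATCH-ALL static were listed before the FTP and APP entries it would again absorb every flow from the host. Other inside hosts are unaffected by the host-specific statics and still fall through to the pools.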
 
Thanks for your help plshlpme

The host needed the static entry as when it was left using a pool it would not work. We added a static entry and it worked. We think it's because the application that the host is contacting (Witness call recording server) initiates a connection back in while the translation is in place already.

I don't fully understand, but the only way we could get it working was with the static entry; like I've said, adding that now only allows that host to NAT to the static entry address, but it also needs to access other servers and we use NAT pools for this.

I will try the example you have kindly provided and let you know.

Many thanks
 