
Upload: hai-pham-van

Post on 21-Oct-2015


Static Policy NAT / Dynamic Policy NAT Conundrum

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal the number of addresses used for translation (which is only 1 address).

For example, my Cisco ASA 5505 gave no errors when I entered the following:

Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat

The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105.

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.

However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static nat combo (which amounts to static policy nat). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.

Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat

The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask".

In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" IP addresses to a single mapped/translated address.

Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105
nat (inside) 2 access-list staticPOLICYnat
global (outside) 2 192.168.1.253

Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:

Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services. This is beneficial in that one would not need to configure static IP addresses just so that the other site's firewall allows the clients to traverse into their network.

If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.

Best Regards,
David

See more at: https://supportforums.cisco.com/thread/1002730
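The three configurations in the post (accepted 1-to-1 static policy NAT, rejected many-to-1 static policy NAT, accepted many-to-1 dynamic policy NAT) can be modelled to see which flows get translated and why the static many-to-1 case fails the rule the post describes. The following Python is an added example written for this page; it is not from the post, the forum thread, or Cisco. It parses only the access-list / static / nat / global syntax the post uses, and it rejects a static policy NAT statement purely on the counting rule stated in the post (real addresses in the ACL must equal mapped addresses), not on the ASA's actual validation logic; the error text and the 10.9.8.7 client used for the lookup are constructed for the example.

```python
"""Model of the policy NAT statements from the post (added example, not vendor code)."""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config_text):
    """Return (acls, rules, errors).

    acls:   ACL name -> list of (proto, src_network, dst_network)
    rules:  policy NAT statements the model accepts, in configuration order
    errors: (line, reason) for statements the model rejects
    """
    acls = defaultdict(list)
    nat_ids = {}  # nat id -> ACL name, so a later 'global' can find its ACL
    rules, errors = [], []
    for line in config_text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list NAME [line N] extended permit PROTO SRC DST
            i = t.index("permit")
            src, rest = _addr(t[i + 2:])
            dst, _ = _addr(rest)
            acls[t[1]].append((t[i + 1], src, dst))
        elif t[0] == "static":
            # static (in,out) MAPPED access-list NAME  -> static policy NAT
            acl = t[4]
            real = sum(e[1].num_addresses for e in acls[acl])
            if real != 1:
                # The post's rule: real address count must equal the single mapped
                # address. The real ASA reports "global address overlaps with mask".
                errors.append((line, f"{real} real addresses cannot map 1-to-1 onto 1 mapped address"))
            else:
                rules.append({"kind": "static", "acl": acl, "mapped": t[2]})
        elif t[0] == "nat":
            # nat (in) ID access-list NAME  -> inside half of dynamic policy NAT
            nat_ids[t[2]] = t[4]
        elif t[0] == "global":
            # global (out) ID MAPPED  -> outside half; many-to-1 is allowed here
            acl = nat_ids.get(t[2])
            if acl is None:
                errors.append((line, "no nat statement with this id"))
            else:
                rules.append({"kind": "dynamic", "acl": acl, "mapped": t[3]})
    return acls, rules, errors


def translate(acls, rules, proto, src, dst):
    """Return (kind, mapped_source) for the first matching rule, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        for aproto, asrc, adst in acls[r["acl"]]:
            if aproto in ("ip", proto) and src in asrc and dst in adst:
                return r["kind"], r["mapped"]
    return None


# The three configurations quoted in the post.
ONE_TO_ONE_STATIC = """
access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat
"""
MANY_TO_ONE_STATIC = """
access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat
"""
MANY_TO_ONE_DYNAMIC = """
access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105
nat (inside) 2 access-list staticPOLICYnat
global (outside) 2 192.168.1.253
"""

if __name__ == "__main__":
    for name, cfg in [("static 1:1", ONE_TO_ONE_STATIC), ("static N:1", MANY_TO_ONE_STATIC),
                      ("dynamic N:1", MANY_TO_ONE_DYNAMIC)]:
        acls, rules, errors = parse(cfg)
        print(name, "errors:", errors)
        print("  172.16.0.2 -> 74.125.45.105 tcp:", translate(acls, rules, "tcp", "172.16.0.2", "74.125.45.105"))
        print("  10.9.8.7   -> 74.125.45.105 tcp:", translate(acls, rules, "tcp", "10.9.8.7", "74.125.45.105"))
```

Running the script shows the 1-to-1 static rule translating only 172.16.0.2, the many-to-1 static statement being rejected before it becomes a rule, and the dynamic nat/global pair translating any TCP client to the single mapped address while a UDP flow to the same host is left untranslated because the ACL permits tcp only.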