[nsp] Poking through NAT
Paul van der Zel
paul at is.co.za
Wed Apr 28 01:17:51 EDT 2004
On Mon, Apr 26, 2004 at 02:55:45PM -0700, Christopher J. Wolff wrote:
> Hello,
>
> If I have a system behind an inside nat interface, and I want to access that
> system's private IP from outside an outside nat interface, do I have any
> other options other than a static nat entry or a GRE tunnel?
>
> In other words, is it possible to make a Loopback interface or a
> subinterface a NAT outside interface which leaves a direct route from the
> outside to the internal IPs behind the NAT inside?
>
> I read about Cisco's "Nat on a Stick" which seems to be headed in the right
> direction; however, at this point nat on a stick doesn't offer the solution
> I'm seeking. I suppose that a third option would be to deny the specific
> private host addresses from the NAT ACL, which eliminates the benefits of
> DHCP.
>
Not certain of your particular requirements / network setup; however, I would set aside a portion of
the DHCP scope towards hosts such as these that require consistent address allocation, and make this
provision in your DHCP server accordingly. This way your host would always get the same inside IP
without forfeiting the benefits of DHCP. If you're using a Cisco router as DHCP server, e.g.:

    ip dhcp pool STATICHOST
     host n.n.n.n m.m.m.m
     client-identifier 01xx.xxxx.xxxx.xx
     client-name STATICHOST
     domain-name mydomain.com
     default-router y.y.y.y
     dns-server x.x.x.x z.z.z.z
     ! etc

Now the static NAT entry and appropriate firewall permissions are all that would be required.
hth
--
Paul
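
The reply above, carried through to the static NAT entry and the firewall permission it mentions, as an added example that is not part of the original post. All addresses, the MAC-derived client-identifier, interface names, the ACL name and the choice of TCP/22 are constructed assumptions; it uses a port-specific static NAT, a narrower variant of the plain static entry, so that only one service on the host is reachable from outside.

```cisco
! Constructed sample values (assumptions, not from the original post):
!   inside host 10.0.0.50/24, MAC 0200.00aa.bbcc, gateway 10.0.0.1
!   public (global) address 192.0.2.10, permitted remote peer 198.51.100.25
!
! 1. DHCP reservation: the host keeps using DHCP but always gets 10.0.0.50.
!    client-identifier is 01 (Ethernet) followed by the MAC address.
ip dhcp pool STATICHOST
 host 10.0.0.50 255.255.255.0
 client-identifier 0102.0000.aabb.cc
 client-name STATICHOST
 default-router 10.0.0.1
!
! 2. Port-specific static NAT: only TCP/22 on the global address maps to
!    the reserved inside address; no other port on the host is translated.
ip nat inside source static tcp 10.0.0.50 22 192.0.2.10 22
!
! 3. Firewall permission: the inbound ACL on the outside interface is
!    checked before translation, so it matches the global address.
ip access-list extended OUTSIDE-IN
 permit tcp host 198.51.100.25 host 192.0.2.10 eq 22
 deny   ip any host 192.0.2.10 log
 ! Placeholder for the site's existing policy for all other traffic.
 permit ip any any
!
interface FastEthernet0/0
 description inside LAN (assumed interface name)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside / upstream (assumed interface name)
 ip nat outside
 ip access-group OUTSIDE-IN in
```

On the router, `show ip nat translations` should list the static entry and `show ip dhcp binding` the reserved address once the host has renewed its lease.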