Best Practice many to many NAT

Unanswered Question
Apr 16th, 2009
User Badges:

I ahve a ASA 5510. We have a vendor that is requiring us to NAT 50 internal IPs to 50 of their IPs. We did static 1 to 1 NAT for a couple of these and yes it works....but 50 static 1 to 1 NAT statements...is there a better way. We can only change the config on our side they will not change anything on their side...please some advice.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Luis Melendrez Thu, 04/16/2009 - 13:01
User Badges:

You can still use static NAT but this time include the network instead of 1:1 IP address


static (real_ip,mapped_ip) real_ip mapped_ip netmask mask


static (inside,outside) 192.168.10.0 67.148.xx.xx netmask 255.255.255.0

agrayson@langle... Thu, 04/16/2009 - 13:18
User Badges:

Thanks

But we have 50 different IPs no all same subnet that will natted be mapped to 50 different IPs on same subnet

lrm001c474 Thu, 04/16/2009 - 13:04
User Badges:

As far as I know, you have to do the individual entries.


Never Mind^

Collin Clark Thu, 04/16/2009 - 13:09
User Badges:
  • Purple, 4500 points or more

I don't currently have an ASA in the lab to test, but you should be able to do something like this-


global (vendor) 30 10.1.1.1-10.1.1.1.50 netmask 255.255.255.0

nat (inside) 30 access-list VENDOR

access-list VENDOR standard permit host 192.168.1.10

access-list VENDOR standard permit host 192.168.1.11

etc...


The 10.1.1.x addresses is the vendor IP's you need to translate to and the 192.168.1.x would be your internal IP's.

agrayson@langle... Thu, 04/16/2009 - 13:12
User Badges:

Thanks for the reply but let me be more specific....ie

192.168.10.1 NAT 10.100.100.1

192.168.26.5 NAT 10.100.100.2


so our inside IPS are all different and so are theres


but if I NAT them they will not see our inside IP correct?



Collin Clark Thu, 04/16/2009 - 13:18
User Badges:
  • Purple, 4500 points or more

Correct. The ACL will list your internal IP's that should be mapped to the vendors IPs. The global NAT pool will assign an IP when one of the users from the ACL goes out the vendor interface. Your ACL would look like this-


access-list VENDOR standard permit host 192.168.10.1

access-list VENDOR standard permit host 192.168.26.5


The global would be-


global (vendor) 30 10.100.100.1-10.100.100.50 netmask 255.255.255.0

agrayson@langle... Thu, 04/16/2009 - 13:22
User Badges:

Thanks

But we have 50 different IPs no all same subnet that will natted be mapped to 50 different IPs on same subnet IE


xxx.aaa.21.102 10.222.xxx.193

xxx.aaa.37.100 10.222.xxx.194

xxx.aaa.21.101 10.222.xxx.195

xxx.aaa.16.92 10.222.xxx.196

xxx.aaa.18.100 10.222.xxx.197


Collin Clark Thu, 04/16/2009 - 13:23
User Badges:
  • Purple, 4500 points or more

Doesn't matter if they are contiguous or not.

Luis Melendrez Thu, 04/16/2009 - 13:18
User Badges:

"if I NAT them they will not see our inside IP correct?"


Correct.


If your inside IPs are all different and they don't follow a pattern, at least some blocks, your only option is to do one by one.

Actions

This Discussion