NAT inbound 2 IPs to 1 internal IP, possible?

Answered Question
Feb 2nd, 2010

I just wanted to double check before giving up.  There is a server on the DMZ that only supports a single IP address.  My client wants to translate 2 public IPs to this one IP on the DMZ.  Is that possible?

qbakies11 Tue, 02/02/2010 - 12:44

I'm not 100% certain but I was trying to do this last summer and couldn't find any way to do it.  All the documentation I was able to find stated static mappings were only able to be 1-to-1.

chuck007 Tue, 02/02/2010 - 14:18

Yip, I arrived at the same conclusion as the ASA/PIX primarily looks at source/destination and port to match up on the NAT table.  I think in order for this to work in theory, the firewall (maybe Linux) will have to keep track of additional properties of the packet so the return packets from the internal single IP host can be separated into two distinct conversation streams.  I guess as long as the firewall can distinguish or tag the two streams it may work.


Existing Cisco ASA (not permitted and does not work):

200.200.200.10:2000 ==> 10.10.10.10:80
10.10.10.10:80 ==> 200.200.200.10:2000

200.200.200.11:2000 ==> 10.10.10.10:80
10.10.10.10:80 ==> 200.200.200.10:2000 (second IP/stream fails because ASA only permits 1:1 NAT)

Theoretical firewall NAT:

200.200.200.10:2000+StreamTag1 ==> 10.10.10.10:80+StreamTag1
10.10.10.10:80+StreamTag1 ==> 200.200.200.10:2000+StreamTag1

200.200.200.11:2000+StreamTag2 ==> 10.10.10.10:80+StreamTag2
10.10.10.10:80+StreamTag2 ==> 200.200.200.11:2000+StreamTag2

With some kind of packet stream tagging, or if the firewall is able to somehow separate the two streams regardless of the IP and port, this NAT might be possible. Perhaps a Linux firewall that looks at more than just IP and port may work. Maybe Cisco can add this as a feature enhancement?


I'm still researching and will post if I find something.


--chuck

chuck007 Tue, 02/02/2010 - 17:26

Ok, I think I found a solution, but you'll have to place the server behind a load balancer (like F5 BigIPs).

Web----FW----LB----Server

Do the NAT on your firewall as you normally would:
200.200.200.10 = 10.10.10.10
200.200.200.11 = 10.10.10.11

On the load balancer create two virtual servers pointing to the same pool IPs:
VS1: 10.10.10.10 >> 172.16.1.10
VS2: 10.10.10.11 >> 172.16.1.10

I think the load balancer uses a combination of source and destination SNATs to track the separate streams, thus making this possible.  This ability is not implemented in the Cisco ASA/PIX.  Maybe it has security implications if used at the firewall level.  Oh well.


--chuck

Kureli Sankar (Cisco Employee) Tue, 02/02/2010 - 17:43

That is correct. You cannot do this on the ASA. You will get an error message:

ERROR: duplicate of existing static

There are other Cisco products that do this.


-KS

Correct Answer
JORGE RODRIGUEZ (Green, 3000 points or more) Tue, 02/02/2010 - 18:42

Chuck,


As I read your requirements:


I just wanted to double check before giving up.  There is a server on the DMZ that only supports a single IP address.  My client wants to translate 2 public IPs to this one IP on the DMZ.  Is that possible?


It is possible to work around it using policy NAT.


example:


Say your server in the DMZ has IP 50.50.50.50 and your two public IPs are 20.20.20.20 and 20.20.20.21, and let's say the service is TCP port 80. Inbound access using either public IP in this example will funnel the traffic to 50.50.50.50 on port 80; you can apply the same principle to different TCP ports, more public IP addresses, etc.



! Pre-8.3 ASA syntax (this thread is from 2010). Policy NAT: each static is qualified
! by an ACL whose source is the real (DMZ) host; both ACLs here match the same traffic.
access-list policy_nat_http1 extended permit ip host 50.50.50.50 any
access-list policy_nat_http2 extended permit ip host 50.50.50.50 any

! Two statics for the one real address, one mapped public IP each; evaluated in order.
static (dmz,outside) 20.20.20.20 access-list policy_nat_http1
static (dmz,outside) 20.20.20.21 access-list policy_nat_http2

! Outside interface ACL: permit inbound TCP/80 to each mapped address (pre-8.3 ACLs
! reference the mapped address); bind it with: access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 20.20.20.20 eq 80 log
access-list outside_access_in extended permit tcp any host 20.20.20.21 eq 80 log



hope this helps a bit



Regards

chuck007 Tue, 02/02/2010 - 20:01

Jorgemcse,


This looks like what I am searching for.  I think it may work and I don't have to get additional equipment.  I will setup a lab and test it out.  Thanks.


--chuck

Kureli Sankar (Cisco Employee) Tue, 02/02/2010 - 20:19

Chuck,

This is a hack; the firewall may take the lines, but it will not work. Think about this: both translations are in the table.


Request comes in for the second IP and the response from the server may take the first translation in the table. Test it out.


-KS

JORGE RODRIGUEZ (Green, 3000 points or more) Tue, 02/02/2010 - 20:31

KS,


Not really clear what you mean by this being a hack - it will work, this is a policy NAT process.

JORGE RODRIGUEZ (Green, 3000 points or more) Tue, 02/02/2010 - 21:04

Chuck, thanks for the nice rating. I guarantee you inbound connections will work using both public IPs towards the DMZ host the way provided in the example; this is not the case for outbound, which will always pick the first NAT.


I disagree with KS saying inbound will come in on one IP and go out on a different IP; the firewall is stateful, so this is unlikely to happen.


Regards
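The mechanism argued about across this thread (chuck's "stream tag" sketch earlier, and Jorge's remark that outbound always takes the first NAT) can be made concrete in a small simulation. The Python below is an added example, not code from any post and not the ASA/PIX xlate implementation: it models a generic connection-tracking NAT the way Linux netfilter does it, with an ordered rule table and a per-connection entry keyed on the full 4-tuple. It goes beyond the thread's case in two ways: it handles the edge case where one client reuses the same source port towards both public IPs, and the case of a connection the server opens itself. The server and public addresses are the thread's constructed ones (200.200.200.10/.11 and 10.10.10.10); the client addresses 198.51.100.7, 203.0.113.9 and 192.0.2.5 are assumptions made for the demo.

```python
"""Stateful NAT model: two public IPs onto one DMZ server.

Added example, not code from any post in the thread. Generic connection-tracking
NAT as chuck's "theoretical firewall" sketches it (and as Linux netfilter works),
NOT the ASA/PIX xlate logic. 200.200.200.10/.11 -> 10.10.10.10:80 are the thread's
constructed addresses; clients 198.51.100.7, 203.0.113.9, 192.0.2.5 are made up here.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def _flip(t):
    # Reverse a (src, sport, dst, dport) tuple: the reply direction.
    s, sp, d, dp = t
    return (d, dp, s, sp)

class StatefulNAT:
    def __init__(self, dnat_rules, snat_rules):
        # Inbound rules (mapped_ip, mapped_port, real_ip, real_port); first match wins.
        self.dnat_rules = list(dnat_rules)
        # Rules for connections the server opens itself (real_ip, mapped_ip); first match wins.
        self.snat_rules = list(snat_rules)
        # Connection table keyed on the full 4-tuple of a packet as it arrives. This is
        # the "stream tag": a reply is matched on all four fields, not on the server
        # address alone, so it leaves on the public IP its connection came in on.
        self.to_inside = {}   # outside-side tuple -> inside-side tuple
        self.to_outside = {}  # inside-side tuple -> outside-side tuple

    def _track(self, outside_view, inside_view):
        """Install one connection in both directions, like a conntrack entry. Refused
        if the translated tuple collides with a live connection, i.e. two outside
        streams would collapse onto one inside 4-tuple."""
        if outside_view in self.to_inside or _flip(inside_view) in self.to_outside:
            return False
        self.to_inside[outside_view] = inside_view
        self.to_outside[_flip(inside_view)] = _flip(outside_view)
        return True

    def outside_to_inside(self, pkt):
        """Packet from the Internet to a public IP -> what the server sees, or None."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.to_inside:
            for mapped_ip, mapped_port, real_ip, real_port in self.dnat_rules:
                if (pkt.dst, pkt.dport) == (mapped_ip, mapped_port):
                    if not self._track(key, (pkt.src, pkt.sport, real_ip, real_port)):
                        return None  # tuple clash: replies could not be told apart
                    break
            else:
                return None  # no rule matches: not translated, dropped
        return Packet(*self.to_inside[key])

    def inside_to_outside(self, pkt):
        """Packet from the server to the Internet -> what the Internet sees, or None.
        A reply to a tracked connection keeps that connection's public IP; a new
        connection the server opens falls through to the ordered SNAT rules."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.to_outside:
            for real_ip, mapped_ip in self.snat_rules:
                if pkt.src == real_ip:
                    outbound = (mapped_ip, pkt.sport, pkt.dst, pkt.dport)
                    if not self._track(_flip(outbound), _flip(key)):
                        return None
                    break
            else:
                return None
        return Packet(*self.to_outside[key])

SERVER, PUBLIC_A, PUBLIC_B = "10.10.10.10", "200.200.200.10", "200.200.200.11"

def build_nat():
    return StatefulNAT(dnat_rules=[(PUBLIC_A, 80, SERVER, 80), (PUBLIC_B, 80, SERVER, 80)],
                       snat_rules=[(SERVER, PUBLIC_A), (SERVER, PUBLIC_B)])

def two_streams_one_server():
    """Two clients hit the two public IPs: both land on the one server and each
    reply leaves with the public IP its own connection arrived on."""
    nat = build_nat()
    a = nat.outside_to_inside(Packet("198.51.100.7", 40001, PUBLIC_A, 80))
    b = nat.outside_to_inside(Packet("203.0.113.9", 40001, PUBLIC_B, 80))
    reply_a = nat.inside_to_outside(Packet(SERVER, 80, "198.51.100.7", 40001))
    reply_b = nat.inside_to_outside(Packet(SERVER, 80, "203.0.113.9", 40001))
    return a, b, reply_a, reply_b

def same_client_same_port_clash():
    """Edge case: one client reuses a source port towards both public IPs. After
    translation both would be client:2000 <-> server:80; the second is refused."""
    nat = build_nat()
    first = nat.outside_to_inside(Packet("198.51.100.7", 2000, PUBLIC_A, 80))
    second = nat.outside_to_inside(Packet("198.51.100.7", 2000, PUBLIC_B, 80))
    return first, second

def server_initiated_picks_first_rule():
    """A connection the server opens is a reply to nothing, so it takes the first
    matching SNAT rule every time (the point Jorge makes about outbound)."""
    return build_nat().inside_to_outside(Packet(SERVER, 51000, "192.0.2.5", 443))
```

Whether a particular firewall behaves like this is a property of its implementation, which the thread leaves in dispute for the ASA; the model only shows what has to be kept per connection for two mapped addresses to share one real one, and why a reverse lookup on the server address alone (chuck's "Existing Cisco ASA" diagram) cannot choose the right public IP for the reply.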
