NAT problem: One to many?

Apr 21st, 2010

*this is all in a test environment*


I have an ASA 5505. One of the interfaces has IP 10.3.0.1. Behind that is a server with IP 10.3.0.2.


The outside interface of the ASA has IP 10.0.0.1, to which 2 branch offices are connected. (Two other ASA 5505's with IP 10.1.0.2 and 10.1.0.3 on outside)

Now I need to NAT 10.3.0.2 to make it appear on the outside as if it has 2 IP addresses, like 10.4.0.1 and 10.4.0.2.


That way both branch offices have a different IP to connect to, while still arriving at the same server.

How can I accomplish this?


So ASA 10.1.0.2 would connect towards 10.4.0.1 and 10.1.0.3 would connect towards 10.4.0.2.


Both connections would arrive at the server at 10.3.0.1.


How do I accomplish that?


Thanks in advance!

Jon Marshall Wed, 04/21/2010 - 02:50


Stan


I don't have a firewall to test with so this may not work but try this config -


Branch1 = 192.168.5.0/24

Branch2 = 192.168.6.0/24


access-list B1 permit ip host 10.3.0.2 192.168.5.0 255.255.255.0

access-list B2 permit ip host 10.3.0.2 192.168.6.0 255.255.255.0


static (inside,outside) 10.4.0.1 access-list B1

static (inside,outside) 10.4.0.2 access-list B2


Jon

StanDamen Wed, 04/21/2010 - 03:48

And if branch offices A and B both use range 192.168.5.0/24?


I'll try this out anyway to see if I can get it to work, but I don't think it will with the same ranges for the branch offices.

StanDamen Wed, 04/21/2010 - 04:14

Yes, I realise that, which is why I need to change one IP into many so I can route all those IPs outside, 1 to each branch office.


Stan

Hi,


Actually the app's IP behind the FW can be a single IP for both branches since the routing is done (normally) on a destination basis. The thing is, from the FW to the branch the WAN router needs to know where to find the branch.


So for the branches you need different subnets; for the application you can use the same IP (or different if you like).


Otherwise what Jon wrote is correct. I'm using a similar setup with policy NAT and it works fine. You can narrow the ports in the NAT statement to translate only the specific application port. With that you can further improve security.


Hope it helps, rate if it does

Krisztian

droeun141 Wed, 04/21/2010 - 04:50
2 different IP's with the same policy is ambiguous when sourcing from the inside.  Don’t think it will work without giving you a headache.

StanDamen Wed, 04/21/2010 - 05:09

@droeun141: It's not; the headache has already arrived.


@krisztian: The problem is probably best explained with an example like this.


IP 192.168.0.1 from BranchOffice1 connects to the server 10.10.10.10 behind the FW.

192.168.0.1 exists in both branch offices 1 and 2.

10.10.10.10 wants to reply to 192.168.0.1 from BO1. The FW, however, does not know which 192.168.0.1 to choose.


If 10.10.10.10 would be 10.20.20.1 for BO1, and 10.20.20.2 for BO2, the FW would know the route back.


But that last bit I can't accomplish for some reason.

droeun141 Wed, 04/21/2010 - 05:12

Translate the overlapping addresses (192.168.0.1) at one of the branches.  That way when it leaves it will be seen as something different.

Hi,


As I told you, the routing is done on a destination basis. So even if the packet is received on the FW with a different destination IP but with the same source, the FW will route the packet back to the source based on the same routing information.

So once the FW replies to 192.168.0.1 it will always send the packet to the same next hop, no matter on which IP the packet was received.

That's why your two branches should have different ranges.

So it is better to renumber one of the BOs or use NAT at one of the BOs.


Hope it clarifies, rate if it does

Krisztian
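To make the destination-based routing point concrete, here is an added Python model (not from this thread, and not ASA configuration) of the hub ASA's forwarding: a routing table, a per-branch policy NAT keyed on the ingress branch (assumed to be distinguishable by tunnel or interface, a hypothetical key), and the path a server reply takes. It shows that with both branches sourcing 192.168.0.1 the reply always follows the single route for that range, while per-branch mapped sources 10.4.0.1/10.4.0.2 let the reply reach the right branch.

```python
import ipaddress

# Constructed model of the thread's topology (illustration, not ASA config):
# server 10.3.0.1 inside the hub ASA, branch BO1 reachable via next hop
# 10.1.0.2 and BO2 via 10.1.0.3, both branches using client 192.168.0.1.
ROUTES = {
    "10.3.0.0/24": "inside",
    "192.168.0.0/24": "10.1.0.2",  # only one route can exist for the overlapping range
    "10.4.0.1/32": "10.1.0.2",     # per-branch mapped client addresses
    "10.4.0.2/32": "10.1.0.3",
}
BRANCH_BEHIND_HOP = {"10.1.0.2": "BO1", "10.1.0.3": "BO2"}
# Hypothetical policy NAT keyed on the ingress branch (tunnel/interface),
# mirroring the per-branch static policy NAT discussed in the thread.
SOURCE_MAP = {"BO1": "10.4.0.1", "BO2": "10.4.0.2"}


def next_hop(dst):
    """Destination-based forwarding: longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def reply_destination(ingress_branch, client, use_policy_nat):
    """Send client -> server from ingress_branch and report which branch
    receives the server's reply. Returns (branch, source_seen_by_server)."""
    xlate = {}                        # mapped source -> (branch, real source)
    src = client
    if use_policy_nat:
        src = SOURCE_MAP[ingress_branch]
        xlate[src] = (ingress_branch, client)
    # The server simply answers to the source address it saw; the ASA then
    # forwards the reply on its destination alone and only afterwards
    # un-translates it using the xlate entry.
    hop = next_hop(src)
    return BRANCH_BEHIND_HOP.get(hop), src


if __name__ == "__main__":
    for nat in (False, True):
        for branch in ("BO1", "BO2"):
            got, seen = reply_destination(branch, "192.168.0.1", nat)
            status = "ok" if got == branch else "MISROUTED"
            print(f"policy NAT={nat!s:5} from {branch}: server saw {seen}, reply reaches {got} ({status})")
```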

StanDamen Wed, 04/21/2010 - 06:58

The solution to this turned out to be tricky, but I figured it out.


What it was:


You have:


Server = 10.3.0.1

Client1 at BO1 = 192.168.0.1

Client2 at BO2 = 192.168.0.1


What you do is, at the firewall, make 2 static NAT policies.


192.168.0.1 from BO1 gets changed into 10.4.0.1 when destination is 10.3.0.1

10.3.0.1 gets changed into 10.5.0.1 if destination is 10.4.0.1


192.168.0.1 from BO2 gets changed into 10.4.0.2 when destination is 10.3.0.1

10.3.0.1 gets changed into 10.5.0.2 if destination is 10.4.0.2


10.5.0.1 and 10.5.0.2 are then added to ACLs linked to the specific branch office, and voila, it works!


Thanks for thinking with me though!
