NAT problem: One to many?

StanDamen
Level 1

*this is all in a test environment*

I have an ASA 5505. One of the interfaces has IP 10.3.0.1. Behind that is a server with IP 10.3.0.2.


The outside interface of the ASA has IP 10.0.0.1, to which 2 branch offices are connected. (Two other ASA 5505s with IP 10.1.0.2 and 10.1.0.3 on the outside.)

Now I need to NAT 10.3.0.2 to make it appear on the outside as if it has 2 IP addresses, like 10.4.0.1 and 10.4.0.2.

That way both branch offices have a different IP to connect to, while still arriving at the same server.

How can I accomplish this?

So ASA 10.1.0.2 would connect towards 10.4.0.1 and 10.1.0.3 would connect towards 10.4.0.2.

Both connections would arrive at the server at 10.3.0.1.

How do I accomplish that?

Thanks in advance!


Jon Marshall
Hall of Fame

Stan

I don't have a firewall to test with so this may not work but try this config -

Branch1 = 192.168.5.0/24
Branch2 = 192.168.6.0/24

access-list B1 permit ip host 10.3.0.2 192.168.5.0 255.255.255.0
access-list B2 permit ip host 10.3.0.2 192.168.6.0 255.255.255.0
static (inside,outside) 10.4.0.1 access-list B1
static (inside,outside) 10.4.0.2 access-list B2

Jon

And if branch office A and B both use range 192.168.5.0/24?

I'll try this out anyway to see if I can get it to work, but I don't think it will with the same ranges for the branch offices.

Stan,

If Branch A and B have the same range you will have some challenges on how to route them on the WAN to make it work.

Krisztian

Yes, I realise that, which is why I need to change one IP into many so I can route all those IPs outside, one to each branch office.

Stan

Hi,

Actually the app's IP behind the FW can be a single IP for both branches, since the routing is done (normally) on a destination basis. The thing is, from the FW to the branch the WAN router needs to know where to find the branch.

So for the branches you need different subnets; for the application you can use the same IP (or different ones if you like).

Otherwise what Jon wrote is correct. I'm using a similar setup with policy NAT and it works fine. You can narrow the ports in the NAT statement to translate only the specific application port. With that you can further improve security.

Hope it helps, rate if it does

Krisztian

2 different IPs with the same policy is ambiguous when sourcing from the inside. Don't think it will work without giving you a headache.

@droeun141: It's not; the headache has already arrived.

@krisztian: The problem is probably best explained with an example like this.

IP 192.168.0.1 from branch office 1 connects to the server 10.10.10.10 behind the FW.

192.168.0.1 exists in both branch office 1 and 2.

10.10.10.10 wants to reply to 192.168.0.1 from BO1. The FW, however, does not know which 192.168.0.1 to choose.

If 10.10.10.10 would be 10.20.20.1 for BO1, and 10.20.20.2 for BO2, the FW would know the route back.

But that last bit I can't accomplish for some reason.

Translate the overlapping addresses (192.168.0.1) at one of the branches.  That way when it leaves it will be seen as something different.

Hi,

As I told you, the routing is done on a destination basis. So even if the packet is received on the FW with a different destination IP but with the same source, the FW will route the reply back to the source based on the same routing information.

So once the FW replies to 192.168.0.1 it will always send the packet to the same next hop, no matter on which IP the packet was received.

That's why your two branches should have different ranges.

So it is better to renumber one of the BOs or use NAT at one of the BOs.

Hope it clarifies, rate if it does

Krisztian

StanDamen
Level 1

The solution to this turned out to be tricky, but I figured it out.

What it was:

You have:

Server = 10.3.0.1
Client1 at BO1 = 192.168.0.1
Client2 at BO2 = 192.168.0.1

What you do is, at the firewall, make 2 static NAT policies:

192.168.0.1 from BO1 gets changed into 10.4.0.1 when the destination is 10.3.0.1
10.3.0.1 gets changed into 10.5.0.1 if the destination is 10.4.0.1

192.168.0.1 from BO2 gets changed into 10.4.0.2 when the destination is 10.3.0.1
10.3.0.1 gets changed into 10.5.0.2 if the destination is 10.4.0.2

10.5.0.1 and 10.5.0.2 are then added to ACLs linked to the specific branch office, and voila, it works!

Thanks for thinking with me though!
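As an added example (not from the thread or from Cisco), a small Python model of the routing problem Krisztian describes and of the twice-NAT scheme Stan posted. The interface names (bo1, bo2, inside), the assumption that each branch client addresses the server by its branch-specific alias 10.5.0.x, and all helper names are assumptions; this is not ASA syntax.

```python
"""Constructed model: destination-based routing vs. the twice-NAT fix.

Interfaces are hypothetical: "bo1", "bo2" (branch offices), "inside" (server).
"""
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (interface, src_ip, dst_ip)

# Plain routes the firewall holds when both branches keep 192.168.0.1:
# the same destination resolves to two equally valid egress interfaces.
ROUTES: Dict[str, List[str]] = {
    "192.168.0.1": ["bo1", "bo2"],
    "10.3.0.1": ["inside"],
}


def route(dst: str) -> List[str]:
    """Destination-only lookup: every candidate egress interface for dst."""
    return ROUTES.get(dst, [])


# The two static policy pairs from the final post (constructed). Each pair
# rewrites both addresses for the client->server direction; the assumption
# here is that the branch client addresses the server by its alias 10.5.0.x.
STATIC_PAIRS = [
    (("bo1", "192.168.0.1", "10.5.0.1"), ("inside", "10.4.0.1", "10.3.0.1")),
    (("bo2", "192.168.0.1", "10.5.0.2"), ("inside", "10.4.0.2", "10.3.0.1")),
]


def build_nat_table(pairs) -> Dict[Key, Key]:
    """A static NAT is bidirectional: derive the server->client entry
    (10.3.0.1 -> 10.5.0.x when the destination is 10.4.0.x) from each pair."""
    table: Dict[Key, Key] = {}
    for (in_if, src, dst), (out_if, nsrc, ndst) in pairs:
        table[(in_if, src, dst)] = (out_if, nsrc, ndst)
        table[(out_if, ndst, nsrc)] = (in_if, dst, src)  # reply direction
    return table


NAT = build_nat_table(STATIC_PAIRS)


def forward(ingress: str, src: str, dst: str) -> List[Key]:
    """Translate, then route. One result means the firewall knows where to
    send the packet; two or more means the reply path is ambiguous."""
    hit = NAT.get((ingress, src, dst))
    if hit:
        egress, nsrc, ndst = hit
        return [(egress, nsrc, ndst)]  # the static rule pins the egress interface
    return [(eg, src, dst) for eg in route(dst)]
```

Calling forward("inside", "10.3.0.1", "192.168.0.1") returns both branch interfaces, which is the ambiguity in the thread; forward("inside", "10.3.0.1", "10.4.0.1") returns only bo1 with the source rewritten to 10.5.0.1.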
