Using NAT to Direct Traffic Destined to Old IP Address to New Addresses

Answered Question
Aug 26th, 2010

Hello,

I have a couple of servers I'm moving to a DMZ.  They currently exist on an inside network behind a PIX 535 (6.3(5)) with public addresses that are well known.  They are on a /24 with numerous other hosts that need to keep their existing addresses.  I need to readdress the servers into a new /28 range that is also public, but as the old addresses are well known I have to maintain the old addresses.

Both the DMZ and Border firewalls are connected to the same Cisco router.  The DMZ firewall is a PIX 525 running 7.X.

Question;

If I static route the /32 of the old addresses to the external interface of the DMZ firewall on the router then configure a NAT on the DMZ firewall to map the old addresses to the new will outside hosts be able to access the servers in the DMZ using the new addresses?

What I want is:

External hosts connecting to the servers on the legacy addresses to be natted to the new addresses and the responses natted showing the replies coming from the legacy addresses.

External hosts connecting to the servers on the new addresses to connect directly to the servers and the responses to originate from the new addresses.

Yes, this is an ugly hack and I'll have to do some routing and ARP voodoo on my inside network to minimize black holes, but this is what happens when people hard code IP addresses into appliances.

Correct Answer by Nagaraja Thanthry about 6 years 3 months ago

Hello KS,

That is the normal policy NAT configuration outlined by Cisco to map multiple public IPs to one single internal IP.

http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl...

86a00807d2874.shtml

So, in this case, one of the public IP will be the identity address.

Regards,

NT


August Ritchie Thu, 08/26/2010 - 10:07

This doesn't seem too bad, let me create an example scenario and see if it matches.

Say that my inside is 192.168.1.0/24 and my clients need to get to a server that is currently 192.168.1.5, but will be moved to the DMZ and readdressed as 10.0.0.5.

What I would do then is a static to produce a destination NAT change, basically when the packet hits the firewall it will NAT the destination address.

Here is the static I would create

static (DMZ,inside) 192.168.1.5 10.0.0.5 netmask 255.255.255.255

This way whenever a packet hits the firewall destined for 192.168.1.5 it should be routed to the DMZ and be changed so that the new destination address is 10.0.0.5.

The firewall should ARP for this address once the static is created, so hopefully you won't need to configure any static arp entries.

Is this kind of what you were looking for?

andhingr Thu, 08/26/2010 - 10:37

Looks like this can be done with policy NAT, which can have 2 global addresses pointing to a single local address. So, for example, if your server has an IP address of 192.168.1.1 and is moving to the DMZ interface with a new address of 192.168.2.1, and you want users to still reach the older address as well as the new address, here is the sample config to achieve this:

access-list policy_nat_web1 extended permit ip host 192.168.2.1 any
access-list policy_nat_web2 extended permit ip host 192.168.2.1 any

static (dmz,outside) 192.168.1.1 access-list policy_nat_web1
static (dmz,outside) 192.168.2.1 access-list policy_nat_web2

So when users access 192.168.2.1 it will be sent to the real address 192.168.2.1, and when they access the older legacy address 192.168.1.1, it will be redirected to the new address.
Correct Answer
Nagaraja Thanthry Thu, 08/26/2010 - 11:28

Hello,

Based on your explanation, it looks like your setting is as below:

Internet -- RTR ---DMZ---Firewall ---- Server

So, you would like to change the IP of the servers to a new range and you want the firewall to host the old IP addresses and translate those old addresses to new address. I am assuming that you would also like the servers to be accessed with their new addresses. You could use policy NAT for this.

access-list pnat1 permit ip host <new-server-ip> any
access-list pnat2 permit ip host <new-server-ip> any

static (inside,outside) <old-public-ip> access-list pnat1
static (inside,outside) <new-server-ip> access-list pnat2

Make sure that you are using proper access-lists to allow all the traffic.

Hope this helps.

Regards,

NT

Message was edited by: Nagaraja Thanthry

GrumpyBear Sat, 08/28/2010 - 07:13

Thanks for all the fast responses.

Sorry for the delays in my responding back, but I'm actually on vacation up at my parents' summer home (what we, here in Canada, refer to as a "cottage" irrespective of the fact it is a huge chalet with satellite TV, 3 bathrooms and DSL).  I made the mistake of reporting the telephone line as being noisy to the phone company.  The next day a technician arrived and fixed the noise on the line by swapping pairs between us and the CO.  The only problem appeared to be that the DSL connection was dead, which the technician informed me might take a couple of days to fix as someone would have to actually play with the DSLAM at the CO.  So the next day I got the DSL back but noticed that long distance dialling no longer worked.  Upon phoning repair I was told that they would fix it on Monday, 4 days later.  Luckily I had the technician's cell phone number from the original visit and he was able to get it working after being on hold for 20 minutes.

THANK GOODNESS FOR FRIENDS IN LOW PLACES

No long distance might not be a problem in most places, but the only local calls I can make here are into a town of 1200 people where I know no one, so long distance calling is essential.

So with my layer 0 & 1 problems fixed ...

here is some bad ASCII Art:

Before

Internet <-> Router <-> Border Firewall <-> Soft Chewy Inside Networks <-> 172.16.168.1/24 <-> 172.16.168.164

Internet <-> Router <-> DMZ Firewall

After

Internet <-> Router <-> Border Firewall <-> Soft Chewy Inside Networks <-> 172.16.168.1/24 <-> OtherExisting 172.16.168.0/24 Hosts

Internet  <-> Router <-> DMZ Firewall <-> 172.16.10.1/28 <-> 172.16.10.5

172.16.168.164 - Old IP Address of Server

172.16.10.5      - New IP Address of Server

"Router" has a static route thus: ip route 172.16.168.164 255.255.255.255

NT - you are suggesting:

access-list pnat1 permit ip host 172.16.10.5 any

access-list pnat2 permit ip host 172.16.10.5 any

static (inside,outside) 172.16.168.164 access-list pnat1

static (inside,outside) 172.16.10.5 access-list pnat2

Correct?

This seems a little counter intuitive to me (which probably means it will work ;-)

I was hoping that I could just NAT from the old IP to the New:

access-list pnat1 permit ip host 172.16.10.5 any

static (inside,outside) 172.16.168.164 access-list pnat1

and hosts accessing the new IP directly (172.16.10.5) would be able to connect to it untranslated.

andhingr Sat, 08/28/2010 - 14:48

No, you will need to create both static policy NAT entries to make this work. With just one, the current xlate will point to 172.16.168.164 and traffic coming directly to the new IP 172.16.10.5 will get dropped.

Kureli Sankar Sun, 08/29/2010 - 05:26

I doubt if the following will work:

access-list pnat1 permit ip host 172.16.10.5 any

access-list pnat2 permit ip host 172.16.10.5 any

static (inside,outside) 172.16.168.164 access-list pnat1

static (inside,outside) 172.16.10.5 access-list pnat2

This is the same as below:

static (inside,outside) 172.16.168.164 172.16.10.5

static (inside,outside) 172.16.10.5 172.16.10.5

Which is not allowed.  Same reason with the above policy NAT as well.  Whichever line gets in the table first will work and the other may not work.

-KS

Kureli Sankar Mon, 08/30/2010 - 18:35

NT,

Thanks for testing.

Anil,

Thanks for confirming that this trick does work.

I stand corrected.

I guess this policy nat will perfectly solve Grumpybear's (probably grumpier in Canada) problem.

-KS
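The following is an added model, not PIX code and not from any poster in this thread, of the two-static policy NAT that andhingr and NT proposed and that KS first doubted and then confirmed. It parses `access-list` / `static (real,mapped) mapped_ip access-list acl` lines in the form posted above (spacing as GrumpyBear wrote them back) and replays the three cases argued about: a client hitting the legacy address is delivered to the new address and sees the reply come from the legacy address; a client hitting the new address goes through untranslated; with only the legacy static, a packet to the new address has no translation and is dropped. Assumptions of the model, not facts from the thread: a static is chosen by its mapped address for inbound traffic, an inbound packet with no matching static is dropped, and server-initiated traffic takes the first static whose ACL host matches (so config order decides which public address the server sources from). The client address is constructed from the documentation range.

```python
"""Model of PIX 7.x static policy NAT for the two-public-addresses-to-one-host case.

Constructed model only; confirm on a real unit with 'show xlate' and 'show conn'.
"""
import re
from dataclasses import dataclass, field

OLD_IP = "172.16.168.164"   # legacy public address used in the thread
NEW_IP = "172.16.10.5"      # new DMZ address used in the thread

# Constructed config in the form GrumpyBear wrote back to NT (both statics).
TWO_STATICS = f"""
access-list pnat1 permit ip host {NEW_IP} any
access-list  pnat2 permit ip host {NEW_IP} any
static (dmz,outside) {OLD_IP} access-list pnat1
static (dmz,outside) {NEW_IP}  access-list pnat2
"""

# GrumpyBear's 'just NAT old to new' proposal (legacy static only).
ONE_STATIC = f"""
access-list pnat1 permit ip host {NEW_IP} any
static (dmz,outside) {OLD_IP} access-list pnat1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) any$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")


@dataclass(frozen=True)
class PolicyStatic:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str   # address the outside world connects to
    real_ip: str     # host in the referenced ACL


def parse_config(text):
    """Return the policy statics in config order; reject dangling ACL references."""
    acls, statics = {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse the double spaces seen in the posts
        if not line:
            continue
        if (m := ACL_RE.match(line)):
            acls[m.group(1)] = m.group(2)
        elif (m := STATIC_RE.match(line)):
            real_ifc, mapped_ifc, mapped_ip, acl = m.groups()
            if acl not in acls:
                raise ValueError(f"static references undefined access-list {acl}")
            statics.append(PolicyStatic(real_ifc, mapped_ifc, mapped_ip, acls[acl]))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return statics


@dataclass
class Firewall:
    statics: list
    # connection table: (client, client_port, real_server, server_port) -> mapped address used
    conns: dict = field(default_factory=dict)

    def inbound(self, client, cport, dst, dport):
        """Packet from outside. Returns the real address it is delivered to, or None if dropped."""
        for s in self.statics:
            if s.mapped_ip == dst:
                self.conns[(client, cport, s.real_ip, dport)] = dst
                return s.real_ip
        return None   # model assumption: no matching static means no translation, packet dropped

    def reply(self, server, sport, client, cport):
        """Server's reply. Returns the source address the client sees, or None if no connection."""
        return self.conns.get((client, cport, server, sport))

    def outbound(self, server):
        """Server-initiated traffic: first static whose ACL host matches wins (model assumption)."""
        for s in self.statics:
            if s.real_ip == server:
                return s.mapped_ip
        return None


def replay(config):
    """Run the three cases from the thread against one config; return what each side sees."""
    fw = Firewall(parse_config(config))
    client = "198.51.100.7"   # constructed outside client
    out = {}
    real = fw.inbound(client, 40001, OLD_IP, 443)
    out["legacy_delivered_to"] = real
    out["legacy_reply_from"] = fw.reply(real, 443, client, 40001) if real else None
    real = fw.inbound(client, 40002, NEW_IP, 443)
    out["new_delivered_to"] = real
    out["new_reply_from"] = fw.reply(real, 443, client, 40002) if real else None
    out["server_initiated_as"] = fw.outbound(NEW_IP)
    return out


if __name__ == "__main__":
    for name, cfg in (("two statics", TWO_STATICS), ("one static", ONE_STATIC)):
        print(name, replay(cfg))
```

With both statics the model returns the behaviour GrumpyBear asked for in the opening post; with the single static the connection to 172.16.10.5 returns None, which is andhingr's "will get dropped". The `server_initiated_as` value is the part KS's objection still touches: because both ACLs match the same real host, the server's own outbound connections take whichever static comes first, so put the address you want the server to source from first and verify it on the box.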
