One of my applications makes connections to a webserver, and because of the amount of data transmitted, if too many consecutive requests are sent, we are looked at as a DOS attack. What I am wondering is if there is a way to have a single IP address on my internal network bound to a NAT pool so that communication to the outside uses a different IP address each time a connection is made. Essentially I want the XLATE table to be cleared and a new IP address used for subsequent communication. Think of it as a round robin approach.
Any ideas on how I might do something like this, or any suggestions on what I can do?
I tested this out of interest yesterday and today with both Manual NAT and Auto NAT and it doesn't seem to work for a single source host. (Was running 8.4(5))
I have a couple of actual /29 public address blocks at home and made a PAT Pool of them for one of my computers.
The single host kept using the first address in the pool for all the PAT translations.
In today's test it seems if I include the whole LAN subnet and use multiple source addresses for connections then first source address uses first PAT address and second source address uses second PAT address.
So I am not all that sure the single host will benefit from this configuration as it seems it would have to exhaust all the ports again on the single PAT address before perhaps moving to next one. At least it seemed like that and I can't say that with 100% certainty.
It didn't work with a single source address with either Manual NAT or Auto NAT configuration format if I was to believe the "packet-tracer" output.
Also as I have said I tried it with actual public IP addresses as the PAT Pool and browsed Internet for a while with my own computer. My computer only used the first PAT IP address from the "object" I defined, nothing else.
Later tests with "packet-tracer" seemed to indicate that if I configured an actual subnet as the source and used multiple different source addresses then each source address would get PATed to different public IP address in order.
Even if it was the case that this method didn't work I imagine I could define a NAT rule that would do this for a single host. The only problem really is that it wouldn't be a typical/clean configuration but I imagine it would be possible if you wanted such a configuration. I would still have to test that.
I guess this is yet another special NAT configuration I should add to my NAT document.
If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
You could maybe change your NAT based on the source port of the connection.
To do that you need to actually be able to control the source port used to establish the connection (might be tough to accomplish)...
You can have a different NAT entry per source port or for a range of source ports... should be tested to make sure it works. Apparently Source Dynamic PAT (hide) does not support port translation so you have to use static:
asa(config)# sh run object in-line
object network IN1 host 10.10.10.10
object network OUT1 host 22.214.171.124
object network OUT2 host 126.96.36.199
object service SP1 service tcp source range 1024 1048
object service SP2 service tcp source eq 5002
nat (inside,outside) source static IN1 OUT1 service SP1 SP1
nat (inside,outside) source static IN1 OUT2 service SP2 SP2
asa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static IN1 OUT1 service SP1 SP1
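To make the two behaviours discussed in this thread concrete (the per-host "stickiness" of a dynamic PAT pool, and the source-port keyed static rules in the configuration above), here is a small Python model of how the ASA picks a translated address for a new TCP connection. This is an added example, not code from the original posts or from Cisco: Manual NAT Section 1 rules are tried first in order, and only if none matches does the connection fall through to the PAT pool. The pool allocation (first host gets the first address, a host stays on its address until its ports are exhausted, then walks to the next one) is a constructed model of what the posters observed, not the documented ASA algorithm, and the addresses, pool size and tiny ports-per-address value are constructed so the exhaustion case is visible.

```python
"""Constructed model of ASA translated-address selection for a new TCP flow.

Order of evaluation modelled here:
  1. Manual NAT (Section 1) static rules keyed on the TCP *source* port
     (object service ... source range/eq, as in the thread's config).
  2. Dynamic PAT pool with per-host stickiness: a host keeps using the PAT
     address it started on while that address still has free ports.
The allocation policy is an assumption matching the thread's observations,
not Cisco's documented algorithm.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticSourceRule:
    """nat (inside,outside) source static IN OUT service SP SP, with SP
    being a source-port object. Only flows whose source port is in
    `source_ports` match; anything else falls through to the pool."""
    inside_host: str
    outside_host: str
    source_ports: range  # 'source range A B' -> range(A, B+1); 'source eq P' -> range(P, P+1)


@dataclass
class PatPool:
    """Dynamic PAT pool (hypothetical 'nat ... dynamic pat-pool' object)."""
    addresses: List[str]
    ports_per_address: int = 4  # constructed: tiny so exhaustion shows up quickly
    sticky: Dict[str, int] = field(default_factory=dict)   # inside host -> pool index
    in_use: Dict[str, int] = field(default_factory=dict)   # PAT address -> ports in use
    hosts_seen: int = 0

    def _take_port(self, idx: int) -> Optional[str]:
        """Reserve one port on pool address idx, or None if it is exhausted."""
        addr = self.addresses[idx]
        if self.in_use.get(addr, 0) >= self.ports_per_address:
            return None
        self.in_use[addr] = self.in_use.get(addr, 0) + 1
        return addr

    def allocate(self, inside_host: str) -> Optional[str]:
        """Pick the PAT address for a new flow from inside_host."""
        if inside_host not in self.sticky:
            # First flow from a new host: next address in pool order, so the
            # first host lands on the first address, the second on the second.
            self.sticky[inside_host] = self.hosts_seen % len(self.addresses)
            self.hosts_seen += 1
        start = self.sticky[inside_host]
        # Stay on the sticky address while it has ports; only when it is
        # exhausted does the host move on to the following addresses.
        for step in range(len(self.addresses)):
            addr = self._take_port((start + step) % len(self.addresses))
            if addr is not None:
                return addr
        return None  # whole pool exhausted: the ASA would drop the flow


def translate(inside_host: str, src_port: int,
              static_rules: List[StaticSourceRule], pool: PatPool) -> Optional[str]:
    """Return the translated source address for a new TCP flow, or None."""
    for rule in static_rules:  # Section 1: first matching rule wins
        if inside_host == rule.inside_host and src_port in rule.source_ports:
            return rule.outside_host
    return pool.allocate(inside_host)


# Constructed rule set mirroring the thread's objects (addresses are
# RFC 5737 documentation space, not the ones in the original config).
RULES = [
    StaticSourceRule("10.10.10.10", "203.0.113.10", range(1024, 1049)),  # SP1 -> OUT1
    StaticSourceRule("10.10.10.10", "203.0.113.20", range(5002, 5003)),  # SP2 -> OUT2
]


def new_pool() -> PatPool:
    return PatPool(["198.51.100.1", "198.51.100.2"], ports_per_address=2)


if __name__ == "__main__":
    pool = new_pool()
    for host, port in [("10.10.10.10", 1030), ("10.10.10.10", 5002),
                       ("10.10.10.10", 40000), ("10.10.10.10", 40001),
                       ("10.10.10.11", 40000), ("10.10.10.10", 40002)]:
        print(f"{host}:{port} -> {translate(host, port, RULES, pool)}")
```

Running the walkthrough shows the point of the thread: source ports inside the SP1/SP2 objects are pinned to OUT1/OUT2 regardless of pool state, while every other port from the same host keeps landing on the first pool address until that address runs out of ports, and a second inside host is what gets the second address.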