  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 868

How to hide networks on my LAN behind different public IP addresses

I have an ASA5520 with my LAN behind it, which is broken into one routing VLAN and then a VLAN per client. A client network might be 192.168.10.0/24 with another being 192.168.11.0/24; currently all of the traffic is NATed behind the firewall's IP address of x.x.x.33. However, I have a public IP address for each of my clients. I want each network to NAT behind its own public IP address; however, I do not want to NAT the VLAN itself. I would rather have the translation happen on the firewall, as this is for LAN traffic monitoring purposes.

I did create an IP name for the public IP address and an IP name for the network 192.168.10.0 but when I create the NAT rule it errors.

How do I configure this in the firewall?
Asked: btec_bob
1 Solution
 
lewisg commented:
I think what you are trying to do is a 1 to 1 NAT. See if that is an option.

How many machines and how many public IPs?
0
 
btec_bob (Author) commented:
1 to 1 NAT will only handle a single host?

I have 30 public IP addresses and 28 client networks. Each of those networks has upwards of 5 hosts. I want all of the hosts within one client network to NAT behind one public IP address. I then want the next client's hosts to NAT behind a different public IP address.

The reason is that when one of the clients gets infected with spyware/malware or a spambot, all of the clients take the hit, since it is the one IP address that appears on the blacklist. If I can give each client a public IP address for their network, then only the offenders get blacklisted. I have already done this with some clients by installing their networks behind a firewall which in turn NATs their network. Then I apply a static 1 to 1 NAT from the public IP to the WAN interface of their firewall. However, I lose visibility of the individual hosts in their network, which I want for management purposes. This option also has the negative of requiring yet another firewall/router.

I realise I could NAT the VLAN on the switch and then do a 1 to 1 NAT between the public IP address and the NAT VLAN IP but I am trying to avoid NATing the VLAN on the switch.
0
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
! One dynamic NAT pool per client network (ASA nat/global syntax; "ip nat" is IOS, not ASA)
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 2 192.168.12.0 255.255.255.0
nat (inside) 3 192.168.13.0 255.255.255.0
nat (inside) 4 192.168.14.0 255.255.255.0

! The matching global for each pool id is the public address that client hides behind
global (outside) 1 123.123.123.1
global (outside) 2 123.123.123.2
global (outside) 3 123.123.123.3
global (outside) 4 123.123.123.4

Is this what you want to accomplish?

/Kvistofta


0

 
btec_bob (Author) commented:
Yes. Are there any potential issues with this, as it is a live system I am making the change to?
0
 
btec_bob (Author) commented:
I tried to set these up as static NAT in the ASDM interface and it refused as it was not a 1 to 1 NAT.

Real Address
Interface - Inside
IP Address - 192.168.11.0
netmask - 255.255.255.0

Static Translation
Interface - Outside
IP Address - 123.123.123.1

Click OKAY

Error window pops up ...
The IP Address 123.123.123.1 does not match with Netmask 255.255.255.0
-To Specify a network use 123.123.123.0/255.255.255.0
-To specify a host use 123.123.123.1/255.255.255.0

This suggests I can NAT a network to a network or a host to a host but not a public host to a private network?
0
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
If the internal networks already have internet access, I guess that they are all part of a wider NAT pool (nat (inside) 1 0 0) and you don't need to remove that. If you just add new NAT pools (add the "global"s before the "nat"s), they will override the wider NAT pool and I don't think that you will interrupt anything.

If the changes don't take effect instantly you might need to do "clear xlate" to reset all translations. Beware that that will kill sessions. A web browser doesn't care, but a terminal session (telnet, ssh) will die and needs to be re-opened by the user.

/Kvistofta
0
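The two posts above describe a plan (one nat/global pool per client network, globals added before nats, the new pools overriding the wider catch-all) that is easy to get subtly wrong at 28 networks. The script below is an added example, not code from the thread: it generates the pre-8.3 ASA nat/global lines from a subnet-to-public-IP table, refuses reused public IPs and overlapping subnets, and answers the two questions a defender asks once this is in place: which public address a given inside host egresses from, and which client network is behind a public IP that shows up on a blacklist. The client subnets, the public addresses and the catch-all address are constructed sample values; it is an assumption that pool id 1 is the existing "nat (inside) 1 0 0" mentioned above, which is why new ids start at 2 (reusing an id already in use would merge the new addresses into that pool rather than separate the clients).

```python
"""Plan per-client dynamic NAT pools for an ASA (pre-8.3 nat/global syntax).

Added example, not part of the original thread. All addresses are constructed
sample values.
"""
import ipaddress

# Constructed sample mapping: client VLAN subnet -> dedicated public IP.
CLIENTS = {
    "192.168.11.0/24": "123.123.123.1",
    "192.168.12.0/24": "123.123.123.2",
    "192.168.13.0/24": "123.123.123.3",
}

# Assumption: pool id 1 is the existing catch-all "nat (inside) 1 0 0" that
# hides everything behind the firewall's own outside address. The address
# below is a placeholder standing in for the x.x.x.33 from the thread.
CATCHALL_POOL_ID = 1
CATCHALL_PUBLIC_IP = "203.0.113.33"


def build_pools(clients, first_pool_id=CATCHALL_POOL_ID + 1):
    """Assign one NAT pool id per client network and validate the plan.

    Returns a list of (pool_id, IPv4Network, IPv4Address). Raises ValueError on
    a reused public IP, overlapping client subnets, or a CIDR with host bits
    set (strict=True rejects e.g. 192.168.11.5/24).
    """
    pools = []
    used_public = set()
    for pool_id, (cidr, pub) in enumerate(clients.items(), start=first_pool_id):
        net = ipaddress.ip_network(cidr, strict=True)
        pub_ip = ipaddress.ip_address(pub)
        if pub_ip in used_public:
            raise ValueError(f"public IP {pub_ip} assigned to more than one client")
        for _, other, _ in pools:
            if net.overlaps(other):
                raise ValueError(f"client subnet {net} overlaps {other}")
        used_public.add(pub_ip)
        pools.append((pool_id, net, pub_ip))
    return pools


def render_config(pools):
    """Emit the ASA lines with every global statement before the nat statements."""
    global_lines = [f"global (outside) {pid} {pub}" for pid, _, pub in pools]
    nat_lines = [
        f"nat (inside) {pid} {net.network_address} {net.netmask}"
        for pid, net, _ in pools
    ]
    return "\n".join(global_lines + nat_lines)


def egress_ip(host, pools):
    """Which public IP does an inside host appear as?

    The most specific nat statement covering the host wins, so a per-client
    /24 beats the catch-all; hosts in no client pool fall back to it.
    """
    ip = ipaddress.ip_address(host)
    best = None
    for _, net, pub in pools:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, pub)
    return str(best[1]) if best else CATCHALL_PUBLIC_IP


def client_for_public_ip(public_ip, pools):
    """Reverse lookup for a blacklist entry or abuse report: which client sits behind it?"""
    ip = ipaddress.ip_address(public_ip)
    for _, net, pub in pools:
        if pub == ip:
            return str(net)
    return None


if __name__ == "__main__":
    plan = build_pools(CLIENTS)
    print(render_config(plan))
    print("192.168.12.45 egresses as", egress_ip("192.168.12.45", plan))
    print("123.123.123.3 is client", client_for_public_ip("123.123.123.3", plan))
```

Feed the rendered lines to the ASA in the printed order so each global exists before its nat statement references the pool id; existing connections keep their current translation until "clear xlate" or a natural timeout, as noted above.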
 
btec_bob (Author) commented:
The translation worked perfectly. Just one last question and I am sure many Cisco engineers will shudder when I ask but where will this be visible in the ASDM GUI?
0
 
btec_bob (Author) commented:
Never mind, I found it. It is in the NAT screen on the NAT table as a dynamic NAT. Sorry for asking the offensive question about the GUI.
0
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
It surely will! It will be in the NAT part of the GUI, but I can't tell you what it looks like since I never use ASDM. But it is all configurable there. If you have added a few NAT pools like I described above, you will find them somewhere in ASDM and you can easily duplicate them from ASDM if that suits you better.

Don't feel ashamed for using ASDM. It is good! It is just easier for someone like me that knows the command line to tell you a few lines of configuration than to describe how to navigate in the GUI to make the corresponding changes.

/Kvistofta
0
 
btec_bob (Author) commented:
Excellent, concise and accurate.
0
