Solved

How to hide networks on my LAN behind different public IP addresses

Posted on 2010-09-16
10
825 Views
Last Modified: 2012-08-14
I have an ASA5520 with my LAN behind it which is broken in to on routing VLAN and then a VLAN per client. A client network might be 192.168.10.0/24 with another being 192.168.11.0/24 currently all of the traffic is NAT behind the firewalls IP address of x.x.x.33. However I have a public IP address for each of my clients. I want each network to NAT behind its own public IP address however I do not want to NAT the VLAN itself. I would rather have the translation happen on the firewall, this is for LAN traffic monitoring purposes.

I did create an IP name for the public IP address and an IP name for the network 192.168.10.0 but when I create the NAT rule it errors.

How do I configure this in the firewall?
0
Comment
Question by:btec_bob
  • 6
  • 3
10 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 33693903
I think what you are trying to do is a 1 to 1 NAT. See if that is an option.

How many machines and how many public IPs?
0
 

Author Comment

by:btec_bob
ID: 33694051
1 to 1 NAT will only handle a single host?

I have 30 Public IP addresses and 28 client networks. Each of those networks have upwards of 5 hosts. I want all of the hosts within one client network to NAT behind one Public IP address. I then want the next clients hosts to NAT behind a different Public IP address.

The reason is that when one of the clients gets infected with a spyware/malware or spambot then all of the clients take the hit since it is the one IP address that appears on the blacklist. If I can give each client a public IP address for their network then only the offenders get blacklisted. I have already done this with some clients by installing their networks behind a firewall which in turn NAT's their network. Then I apply a static 1 to 1 NAT from the public to the WAN interface of their firewall. However I loose visibility of the individual hosts in their network which I want for management purposes. This option also has the negative of requireing yet another firewall/router

I realise I could NAT the VLAN on the switch and then do a 1 to 1 NAT between the public IP address and the NAT VLAN IP but I am trying to avoid NATing the VLAN on the switch.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33694448
ip nat (inside) 1 192.168.11.0 255.255.255.0
ip nat (inside) 2 192.168.12.0 255.255.255.0
ip nat (inside) 3 192.168.13.0 255.255.255.0
ip nat (inside) 4 192.168.14.0 255.255.255.0

global (outside) 1 123.123.123.1
global (outside) 2 123.123.123.2
global (outside) 3 123.123.123.3
global (outside) 4 123.123.123.4

Is this what you want to ackomplish?

/Kvistofta


0
 

Author Comment

by:btec_bob
ID: 33694564
Yes, are there any potential issues with this as it is a live system I am making the change too?
0
 

Author Comment

by:btec_bob
ID: 33694691
I tried to set these up as static NAT in the ASDM interface and it refused as it was not a 1 to 1 NAT.

Real Address
Interface - Inside
IP Address - 192.168.11.0
netmask - 255.255.255.0

Static Translation
Interface - Outside
IP Address - 123.123.123.1

Click OKAY

Error window pops up ...
The IP Address 123.123.123.1 does not match with Netmask 255.255.255.0
-To Specify a network use 123.123.123.0/255.255.255.0
-To specify a host use 123.123.123.1/255.255.255.0

This suggests I can NAT a network to a network or a host to a host but not a public host to a private network?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694839
If the internal networks already have internet access I guess that they are all part of a wider nat pool (nat (inside) 1 0 0) and you dont need to remove that. If you just add new nat pools (add the "global"s before the "nat"s) they will override the wider nat pool and I dont think that you will interrupt anything.

If changes doesnt do instantly you might need to do "clear xlat" to reset all translations. Beware that that will kill sessions. A web browser doesnt care but a terminal session (telnet, ssh) will die and needs to be re-opened by the user.

/Kvistofta
0
 

Author Comment

by:btec_bob
ID: 33694859
The translation worked perfectly. Just one last question and I am sure many Cisco engineers will shudder when I ask but where will this be visible in the ASDM GUI?
0
 

Author Comment

by:btec_bob
ID: 33694894
Never mind I found it, it is in the NAT screen on the NAT table as a dynamic NAT. Sorry for asking the offensive question abouot the GUI.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694897
It surely will! It will be in the NAT-part of the GUI but I cant tell you how it looks like since I never use ASDM. But it is all configurable there. If you have added a few nat pools like I described above You will find them somewhere in ASDM and you can easily duplicate them from ASDM if that suits you better.

Dont feel ashamed for using ASDM. It is good! It is just easier for someone like me that knows command line to tell you a few lines of configuration, than describing how to navigate in the gui to do corresponding changes.

/Kvistofta
0
 

Author Closing Comment

by:btec_bob
ID: 33694901
Excellent, concise and acurate
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Questions on windows ports 13 75
Sonicwall SSO 11 52
Sonicwall - user objects - usage 2 35
Sonicwall routing between VPNs 5 45
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now