Solved

How to hide networks on my LAN behind different public IP addresses

Posted on 2010-09-16
841 Views
Last Modified: 2012-08-14
I have an ASA5520 with my LAN behind it, which is broken into one routing VLAN and then a VLAN per client. A client network might be 192.168.10.0/24 with another being 192.168.11.0/24; currently all of the traffic is NATed behind the firewall's IP address of x.x.x.33. However I have a public IP address for each of my clients. I want each network to NAT behind its own public IP address; however I do not want to NAT the VLAN itself. I would rather have the translation happen on the firewall, this is for LAN traffic monitoring purposes.

I did create an IP name for the public IP address and an IP name for the network 192.168.10.0 but when I create the NAT rule it errors.

How do I configure this in the firewall?
Question by:btec_bob
10 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 33693903
I think what you are trying to do is a 1 to 1 NAT. See if that is an option.

How many machines and how many public IPs?
0
 

Author Comment

by:btec_bob
ID: 33694051
1 to 1 NAT will only handle a single host?

I have 30 public IP addresses and 28 client networks. Each of those networks has upwards of 5 hosts. I want all of the hosts within one client network to NAT behind one public IP address. I then want the next client's hosts to NAT behind a different public IP address.

The reason is that when one of the clients gets infected with spyware/malware or a spambot then all of the clients take the hit, since it is the one IP address that appears on the blacklist. If I can give each client a public IP address for their network then only the offenders get blacklisted. I have already done this with some clients by installing their networks behind a firewall which in turn NATs their network. Then I apply a static 1 to 1 NAT from the public to the WAN interface of their firewall. However I lose visibility of the individual hosts in their network which I want for management purposes. This option also has the negative of requiring yet another firewall/router.

I realise I could NAT the VLAN on the switch and then do a 1 to 1 NAT between the public IP address and the NAT VLAN IP but I am trying to avoid NATing the VLAN on the switch.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33694448
! Pre-8.3 ASA syntax: there is no "ip nat" on the ASA; the command is "nat".
! Each nat line is paired with the global line that carries the same nat_id,
! so pick ids that are not already used by an existing pool (such as the
! catch-all nat (inside) 1 0 0), otherwise the new address is just added to that pool.
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 2 192.168.12.0 255.255.255.0
nat (inside) 3 192.168.13.0 255.255.255.0
nat (inside) 4 192.168.14.0 255.255.255.0

! One public address per client network; all hosts in that network PAT behind it.
global (outside) 1 123.123.123.1
global (outside) 2 123.123.123.2
global (outside) 3 123.123.123.3
global (outside) 4 123.123.123.4

Is this what you want to accomplish?

/Kvistofta


0
 

Author Comment

by:btec_bob
ID: 33694564
Yes, are there any potential issues with this, as it is a live system I am making the change to?
0
 

Author Comment

by:btec_bob
ID: 33694691
I tried to set these up as static NAT in the ASDM interface and it refused as it was not a 1 to 1 NAT.

Real Address
Interface - Inside
IP Address - 192.168.11.0
netmask - 255.255.255.0

Static Translation
Interface - Outside
IP Address - 123.123.123.1

Click OKAY

Error window pops up ...
The IP Address 123.123.123.1 does not match with Netmask 255.255.255.0
-To Specify a network use 123.123.123.0/255.255.255.0
-To specify a host use 123.123.123.1/255.255.255.0

This suggests I can NAT a network to a network or a host to a host but not a public host to a private network?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694839
If the internal networks already have internet access I guess that they are all part of a wider nat pool (nat (inside) 1 0 0) and you don't need to remove that. If you just add new nat pools (add the "global"s before the "nat"s) they will override the wider nat pool and I don't think that you will interrupt anything.

If the changes don't take effect instantly you might need to do "clear xlate" to reset all translations. Beware that that will kill sessions. A web browser doesn't care but a terminal session (telnet, ssh) will die and needs to be re-opened by the user.

/Kvistofta
0
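The thread's accepted solution relies on two pre-8.3 ASA rules: a nat line and a global line are paired by their nat_id, and when several nat statements cover a host the most specific one wins, which is why the per-client pools override the catch-all nat (inside) 1 0 0. The following is an added illustration of those two rules in Python, not Kvistofta's or Cisco's code; the config fragment, the interface address and the host addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA (pre-8.3 syntax) fragment: the existing catch-all pool 1 that
# PATs everything behind the outside interface, plus two per-client pools.
ASA_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (inside) 2 192.168.11.0 255.255.255.0
global (outside) 2 123.123.123.1
nat (inside) 3 192.168.12.0 255.255.255.0
global (outside) 3 123.123.123.2
"""

OUTSIDE_IF_IP = "203.0.113.33"  # constructed stand-in for the x.x.x.33 interface address

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

def parse_config(text):
    """Return ({nat_id: [networks]}, {nat_id: global_ip}) from nat/global lines."""
    nats, globals_ = {}, {}
    for line in text.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            _iface, nat_id, net, mask = m.groups()
            # strict network parsing: a host/mask pair like 123.123.123.1/24 is rejected,
            # which is the same complaint ASDM raised in the thread
            nats.setdefault(int(nat_id), []).append(ipaddress.ip_network(f"{net}/{mask}"))
            continue
        m = GLOBAL_RE.match(line.strip())
        if m:
            _iface, nat_id, ip = m.groups()
            if int(nat_id) in globals_:
                # on a real ASA a second global with the same id extends that pool instead
                # of replacing it; this model treats a reused id as a configuration error
                raise ValueError(f"nat_id {nat_id} already has a global pool; pick an unused id")
            globals_[int(nat_id)] = OUTSIDE_IF_IP if ip == "interface" else ip
    return nats, globals_

def translated_address(host, nats, globals_):
    """Pick the most specific nat statement covering host and return its global address."""
    addr = ipaddress.ip_address(host)
    best = None  # (nat_id, network) with the longest prefix seen so far
    for nat_id, nets in nats.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (nat_id, net)
    if best is None:
        return None  # no nat statement covers the host, so it would not be translated
    if best[0] not in globals_:
        raise ValueError(f"nat {best[0]} has no matching global pool")
    return globals_[best[0]]
```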
 

Author Comment

by:btec_bob
ID: 33694859
The translation worked perfectly. Just one last question and I am sure many Cisco engineers will shudder when I ask but where will this be visible in the ASDM GUI?
0
 

Author Comment

by:btec_bob
ID: 33694894
Never mind, I found it, it is in the NAT screen on the NAT table as a dynamic NAT. Sorry for asking the offensive question about the GUI.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694897
It surely will! It will be in the NAT part of the GUI but I can't tell you what it looks like since I never use ASDM. But it is all configurable there. If you have added a few nat pools like I described above you will find them somewhere in ASDM and you can easily duplicate them from ASDM if that suits you better.

Don't feel ashamed for using ASDM. It is good! It is just easier for someone like me that knows the command line to tell you a few lines of configuration than to describe how to navigate in the GUI to make the corresponding changes.

/Kvistofta
0
 

Author Closing Comment

by:btec_bob
ID: 33694901
Excellent, concise and accurate
0
