Solved

How to hide networks on my LAN behind different public IP addresses

Posted on 2010-09-16
860 Views
Last Modified: 2012-08-14
I have an ASA5520 with my LAN behind it, which is broken into one routing VLAN and then a VLAN per client. A client network might be 192.168.10.0/24 with another being 192.168.11.0/24. Currently all of the traffic is NATed behind the firewall's IP address of x.x.x.33. However, I have a public IP address for each of my clients. I want each network to NAT behind its own public IP address; however, I do not want to NAT the VLAN itself. I would rather have the translation happen on the firewall; this is for LAN traffic monitoring purposes.

I did create an IP name for the public IP address and an IP name for the network 192.168.10.0 but when I create the NAT rule it errors.

How do I configure this in the firewall?
Question by:btec_bob
10 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 33693903
I think what you are trying to do is a 1 to 1 NAT. See if that is an option.

How many machines and how many public IPs?
 

Author Comment

by:btec_bob
ID: 33694051
1 to 1 NAT will only handle a single host?

I have 30 public IP addresses and 28 client networks. Each of those networks has upwards of 5 hosts. I want all of the hosts within one client network to NAT behind one public IP address. I then want the next client's hosts to NAT behind a different public IP address.

The reason is that when one of the clients gets infected with spyware/malware or a spambot, then all of the clients take the hit, since it is the one IP address that appears on the blacklist. If I can give each client a public IP address for their network, then only the offenders get blacklisted. I have already done this with some clients by installing their networks behind a firewall which in turn NATs their network. Then I apply a static 1 to 1 NAT from the public IP to the WAN interface of their firewall. However, I lose visibility of the individual hosts in their network, which I want for management purposes. This option also has the negative of requiring yet another firewall/router.

I realise I could NAT the VLAN on the switch and then do a 1 to 1 NAT between the public IP address and the NAT VLAN IP, but I am trying to avoid NATing the VLAN on the switch.
 
LVL 17

Accepted Solution

by:
Kvistofta earned 2000 total points
ID: 33694448
! One nat statement per client VLAN on the inside interface.
! The numeric id ties each nat statement to the global of the same id.
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 2 192.168.12.0 255.255.255.0
nat (inside) 3 192.168.13.0 255.255.255.0
nat (inside) 4 192.168.14.0 255.255.255.0

! One public (PAT) address per id on the outside interface.
global (outside) 1 123.123.123.1
global (outside) 2 123.123.123.2
global (outside) 3 123.123.123.3
global (outside) 4 123.123.123.4

Is this what you want to accomplish?

/Kvistofta



Author Comment

by:btec_bob
ID: 33694564
Yes. Are there any potential issues with this, as it is a live system I am making the change to?
 

Author Comment

by:btec_bob
ID: 33694691
I tried to set these up as a static NAT in the ASDM interface and it refused, as it was not a 1 to 1 NAT.

Real Address
Interface - Inside
IP Address - 192.168.11.0
netmask - 255.255.255.0

Static Translation
Interface - Outside
IP Address - 123.123.123.1

Click OKAY

Error window pops up ...
The IP Address 123.123.123.1 does not match with Netmask 255.255.255.0
-To Specify a network use 123.123.123.0/255.255.255.0
-To specify a host use 123.123.123.1/255.255.255.0

This suggests I can NAT a network to a network or a host to a host but not a public host to a private network?
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694839
If the internal networks already have internet access, I guess that they are all part of a wider nat pool (nat (inside) 1 0 0) and you don't need to remove that. If you just add new nat pools (add the "global"s before the "nat"s) they will override the wider nat pool and I don't think that you will interrupt anything.

If the changes don't apply instantly you might need to do "clear xlate" to reset all translations. Beware that that will kill sessions. A web browser doesn't care, but a terminal session (telnet, ssh) will die and needs to be re-opened by the user.

/Kvistofta
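The nat/global pairing from the accepted solution and Kvistofta's point that a more specific nat statement overrides the wider nat (inside) 1 0 0 pool, modelled in Python as an added example; this is not code from the thread or from Cisco. It assumes pre-8.3 ASA NAT syntax, in which regular dynamic NAT picks the most specific matching nat statement on the inside interface and pairs it with the global of the same id on the outside interface. The config fragment is constructed: 203.0.113.33 stands in for the firewall's x.x.x.33 address, the per-client pools use ids 11 to 14 so they do not collide with the existing pool id 1 on the same interface, and the last pool is deliberately left without a global to show the dangling state that adding the globals before the nats avoids.

```python
import ipaddress
import re

# Constructed sample config fragment (not the thread's firewall).
# nat (inside) 1 0 0 is the pre-existing catch-all pool; 203.0.113.33 is a
# documentation address standing in for the real x.x.x.33. Ids 11-14 are
# chosen so the per-client pools cannot be confused with pool 1.
# Pool 14 intentionally has no matching global (a misconfiguration).
SAMPLE_CONFIG = """
nat (inside) 1 0 0
global (outside) 1 203.0.113.33
global (outside) 11 123.123.123.1
global (outside) 12 123.123.123.2
global (outside) 13 123.123.123.3
nat (inside) 11 192.168.11.0 255.255.255.0
nat (inside) 12 192.168.12.0 255.255.255.0
nat (inside) 13 192.168.13.0 255.255.255.0
nat (inside) 14 192.168.14.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def parse_config(text):
    """Return ([(iface, id, network)], {(iface, id): global_ip}) from config lines."""
    nats = []
    globals_ = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            # "0 0" is the ASA shorthand for 0.0.0.0 0.0.0.0 (match everything)
            if net == "0" and mask == "0":
                net, mask = "0.0.0.0", "0.0.0.0"
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            nats.append((iface, int(nat_id), network))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, addr = m.groups()
            globals_[(iface, int(nat_id))] = ipaddress.ip_address(addr)
    return nats, globals_


def select_nat(nats, src, inside="inside"):
    """Best-match selection: the most specific nat statement containing src wins,
    regardless of the order the statements were entered."""
    src_ip = ipaddress.ip_address(src)
    candidates = [n for n in nats if n[0] == inside and src_ip in n[2]]
    if not candidates:
        return None
    return max(candidates, key=lambda n: n[2].prefixlen)


def translate(nats, globals_, src, inside="inside", outside="outside"):
    """Return the public address src would be translated to, or None if no nat
    statement matches. Raises LookupError when the chosen nat id has no global."""
    chosen = select_nat(nats, src, inside)
    if chosen is None:
        return None
    key = (outside, chosen[1])
    if key not in globals_:
        raise LookupError(f"nat id {chosen[1]} on {inside} has no global on {outside}")
    return str(globals_[key])


def dangling_nat_ids(nats, globals_, outside="outside"):
    """Nat ids that have no global on the outside interface: these are the pools
    that would break traffic if the nat were added before its global."""
    return sorted({nid for _, nid, _ in nats if (outside, nid) not in globals_})


def run_sample():
    """Evaluate the constructed config for a few inside hosts."""
    nats, globals_ = parse_config(SAMPLE_CONFIG)
    results = {}
    for host in ("192.168.11.5", "192.168.12.200", "192.168.50.7", "192.168.14.3"):
        try:
            results[host] = translate(nats, globals_, host)
        except LookupError as err:
            results[host] = f"ERROR: {err}"
    results["dangling"] = dangling_nat_ids(nats, globals_)
    return results


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Running the block shows that hosts in 192.168.11.0/24 and 192.168.12.0/24 now leave on their own public addresses, a host in a VLAN without a dedicated pool still falls through to the catch-all pool 1, and 192.168.14.3 fails because pool 14 has a nat but no global. Checking `dangling_nat_ids` before applying a change is the pre-flight equivalent of Kvistofta's advice to enter the globals first.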
 

Author Comment

by:btec_bob
ID: 33694859
The translation worked perfectly. Just one last question, and I am sure many Cisco engineers will shudder when I ask, but where will this be visible in the ASDM GUI?
 

Author Comment

by:btec_bob
ID: 33694894
Never mind, I found it. It is in the NAT screen on the NAT table as a dynamic NAT. Sorry for asking the offensive question about the GUI.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694897
It surely will! It will be in the NAT part of the GUI, but I can't tell you what it looks like since I never use ASDM. But it is all configurable there. If you have added a few nat pools like I described above, you will find them somewhere in ASDM and you can easily duplicate them from ASDM if that suits you better.

Don't feel ashamed for using ASDM. It is good! It is just easier for someone like me who knows the command line to tell you a few lines of configuration than to describe how to navigate in the GUI to make the corresponding changes.

/Kvistofta
 

Author Closing Comment

by:btec_bob
ID: 33694901
Excellent, concise and accurate.