Solved

How to hide networks on my LAN behind different public IP addresses

Posted on 2010-09-16
10
834 Views
Last Modified: 2012-08-14
I have an ASA5520 with my LAN behind it, which is broken into one routing VLAN and then a VLAN per client. A client network might be 192.168.10.0/24 with another being 192.168.11.0/24; currently all of the traffic is NATed behind the firewall's IP address of x.x.x.33. However, I have a public IP address for each of my clients. I want each network to NAT behind its own public IP address; however, I do not want to NAT the VLAN itself. I would rather have the translation happen on the firewall; this is for LAN traffic monitoring purposes.

I did create an IP name for the public IP address and an IP name for the network 192.168.10.0 but when I create the NAT rule it errors.

How do I configure this in the firewall?
0
Question by:btec_bob
10 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 33693903
I think what you are trying to do is a 1 to 1 NAT. See if that is an option.

How many machines and how many public IPs?
0
 

Author Comment

by:btec_bob
ID: 33694051
1 to 1 NAT will only handle a single host?

I have 30 public IP addresses and 28 client networks. Each of those networks has upwards of 5 hosts. I want all of the hosts within one client network to NAT behind one public IP address. I then want the next client's hosts to NAT behind a different public IP address.

The reason is that when one of the clients gets infected with spyware/malware or a spambot, then all of the clients take the hit, since it is the one IP address that appears on the blacklist. If I can give each client a public IP address for their network, then only the offenders get blacklisted. I have already done this with some clients by installing their networks behind a firewall which in turn NATs their network. Then I apply a static 1 to 1 NAT from the public IP to the WAN interface of their firewall. However, I lose visibility of the individual hosts in their network, which I want for management purposes. This option also has the negative of requiring yet another firewall/router.

I realise I could NAT the VLAN on the switch and then do a 1 to 1 NAT between the public IP address and the NAT VLAN IP but I am trying to avoid NATing the VLAN on the switch.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33694448
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 2 192.168.12.0 255.255.255.0
nat (inside) 3 192.168.13.0 255.255.255.0
nat (inside) 4 192.168.14.0 255.255.255.0

global (outside) 1 123.123.123.1
global (outside) 2 123.123.123.2
global (outside) 3 123.123.123.3
global (outside) 4 123.123.123.4

Is this what you want to accomplish?

/Kvistofta


0
 

Author Comment

by:btec_bob
ID: 33694564
Yes. Are there any potential issues with this, as it is a live system I am making the change to?
0
 

Author Comment

by:btec_bob
ID: 33694691
I tried to set these up as static NAT in the ASDM interface and it refused as it was not a 1 to 1 NAT.

Real Address
Interface - Inside
IP Address - 192.168.11.0
netmask - 255.255.255.0

Static Translation
Interface - Outside
IP Address - 123.123.123.1

Click OKAY

Error window pops up ...
The IP Address 123.123.123.1 does not match with Netmask 255.255.255.0
-To Specify a network use 123.123.123.0/255.255.255.0
-To specify a host use 123.123.123.1/255.255.255.0

This suggests I can NAT a network to a network or a host to a host but not a public host to a private network?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694839
If the internal networks already have internet access, I guess that they are all part of a wider nat pool (nat (inside) 1 0 0) and you don't need to remove that. If you just add new nat pools (add the "global"s before the "nat"s) they will override the wider nat pool, and I don't think that you will interrupt anything.

If the changes don't take effect instantly, you might need to do "clear xlate" to reset all translations. Beware that that will kill sessions. A web browser doesn't care, but a terminal session (telnet, ssh) will die and needs to be re-opened by the user.

/Kvistofta
0
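To check the accepted answer's pools and the override behaviour described in the comment above before touching a live box, here is an added example (not from the thread or from Cisco) that parses ASA 8.2-style nat/global lines and reports which public address a given host would be hidden behind. It assumes the most specific nat statement wins over the wide "0 0" pool, uses a distinct pool id for that wide pool, and uses constructed placeholder public addresses.

```python
import ipaddress
import re

# Constructed sample config: the wide pool that already gives every VLAN
# internet access (placeholder public IP standing in for x.x.x.33), the
# per-client pools from the accepted answer, and one pool whose global was
# forgotten, so the check can flag it.
ASA_CONFIG = """
! wide pool, given its own id so it keeps its own global
nat (inside) 10 0 0
global (outside) 10 198.51.100.33
! one pool per client VLAN, as in the accepted answer
nat (inside) 1 192.168.11.0 255.255.255.0
global (outside) 1 123.123.123.1
nat (inside) 2 192.168.12.0 255.255.255.0
global (outside) 2 123.123.123.2
! nat with no matching global: a misconfiguration
nat (inside) 4 192.168.14.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def parse_pools(config):
    """Return (nat_rules, globals): nat_rules is a list of (network, pool_id),
    globals maps pool_id to the public address of that pool."""
    nat_rules, globals_ = [], {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = NAT_RE.match(line)
        if m:
            _iface, pool_id, net, mask = m.groups()
            net = "0.0.0.0" if net == "0" else net      # ASA "0 0" shorthand
            mask = "0.0.0.0" if mask == "0" else mask
            nat_rules.append((ipaddress.ip_network(f"{net}/{mask}"), int(pool_id)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            _iface, pool_id, addr = m.groups()
            globals_[int(pool_id)] = addr
    return nat_rules, globals_


def translated_source(config, real_ip):
    """Public address a host is hidden behind: the most specific matching nat
    statement wins (per-client pool overrides the wide pool), then its pool id
    is resolved through the global. None means no translation or a nat whose
    global is missing, which is worth fixing before running 'clear xlate'."""
    nat_rules, globals_ = parse_pools(config)
    host = ipaddress.ip_address(real_ip)
    matches = [(net, pid) for net, pid in nat_rules if host in net]
    if not matches:
        return None
    _net, pid = max(matches, key=lambda m: m[0].prefixlen)
    return globals_.get(pid)
```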
 

Author Comment

by:btec_bob
ID: 33694859
The translation worked perfectly. Just one last question and I am sure many Cisco engineers will shudder when I ask but where will this be visible in the ASDM GUI?
0
 

Author Comment

by:btec_bob
ID: 33694894
Never mind, I found it. It is in the NAT screen on the NAT table as a dynamic NAT. Sorry for asking the offensive question about the GUI.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33694897
It surely will! It will be in the NAT part of the GUI, but I can't tell you what it looks like since I never use ASDM. But it is all configurable there. If you have added a few nat pools like I described above, you will find them somewhere in ASDM and you can easily duplicate them from ASDM if that suits you better.

Don't feel ashamed for using ASDM. It is good! It is just easier for someone like me who knows the command line to tell you a few lines of configuration than to describe how to navigate the GUI to make the corresponding changes.

/Kvistofta
0
 

Author Closing Comment

by:btec_bob
ID: 33694901
Excellent, concise and accurate.
0