Brian B (Canada) asked:

NAT For Multiple Devices

Hi everyone. I have a series of devices on an old IP range which I need to communicate with our new network range. These are connected through a Cisco ASA 5516 firewall. The devices will eventually be moved to the new range, but they can't as of yet. So I have been asked if I can set up a NAT for this range of devices. So two questions:
1. Does it make sense to use a NAT, or is there a better way?
2. Is there a way to set this up as a range? The IP addresses are a continuous block. Otherwise, do I have to make an individual NAT rule for each device?
Soulja (United States):

Are you trying to access them from the internet? Meaning you want to access them through a public IP address? Are the new and old networks behind the same firewall, or are they at different sites? With the limited information I am leaning towards a VPN solution. IPsec most likely.
I'm not familiar with Cisco but with the SonicWALL edge devices we use we can set up a dedicated port as gateway for one subnet while the LAN dedicated port gets set up on the production subnet.

So, have all of Subnet 2 devices plugged into a set of switches and then run a cable into a dedicated port on the Cisco. Then, set up the necessary routing rules between the two subnets. Done.
Taking this down to basics, you conceptually need a router that's NOT using NAT.
It connects between the two subnets and becomes, for each subnet, the gateway (so to speak) for the OTHER subnet.
So, given that you have an internet gateway on each subnet then it would have a route for the other subnet pointing to that router.
Given a rather normal commodity router, it would connect WAN side to one subnet and LAN side to the other subnet.

Like this:
Internet
NAT
Internet Gateway 1 routes to Subnet 2 at IP address of "A".
LAN Subnet 1
"A" Inter-Subnet Router (No NAT) on LAN Subnet 1
***** [the router has ports "A" and "B" with subnet IP addresses respectively]
"B" Inter-Subnet Router (No NAT) on LAN Subnet 2
LAN Subnet 2
Internet Gateway 2 routes to Subnet 1 at IP address of "B".
NAT
Internet

So, this is a *very* simple implementation and assumes two internet connections.
If you have other equipment that will embody this implementation (such as the Cisco or SonicWALL) then it becomes a fairly simple inter-subnet routing matter.  AND this type of implementation may require that each subnet be served by NAT in order to connect to the internet.  You suggested that kind of arrangement but didn't really say.
Brian B (asker):
Sorry for missing information. These are two internal networks. When devices on the old network go looking for certain IPs on the old network, I need devices on the new network to answer. And the reverse: when devices on the new network go looking for certain IPs, I need the devices on the old network to respond.
Flip the old device ports onto a VLAN at the switch level then pipe that to the router and set up a gateway for that subnet and VLAN.

Same rules apply.
Brian B (asker):
I'm not sure that will work either. There are two separate networks with two separate IP ranges.

So if 192.168.10.10 tries to connect to 192.168.10.11, I need that traffic to go to 10.1.10.51

I have no control over the switch that the 192.x devices are connected to other than it is connected to a port on my firewall.
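The requirement stated in this post (old devices keep using old-range addresses that must now be answered by new-range hosts, and the reverse) is what static NAT on the ASA does, and the "range" question from the original post is answered by putting the contiguous block into a network object. The configuration below is an added example, not from this thread or from Cisco's own documentation; it uses ASA 8.3-or-later NAT syntax. The interface names (oldnet, newnet), the object names, the ranges and the access-list name are assumptions; only the two subnets (192.168.10.0/24 and 10.1.10.0/24) come from the post.

```cisco
! Added example, not from the thread. Interface names (oldnet, newnet),
! object names and the exact address ranges are assumptions; the two
! subnets follow the post: old range 192.168.10.0/24, new 10.1.10.0/24.
!
! Direction 1: old devices keep sending to 192.168.10.11 - 192.168.10.13,
! and those addresses must now be answered by 10.1.10.51 - 10.1.10.53 on
! the new network. Real = the new hosts; mapped = the old-range addresses
! the old devices still use. The mapped addresses must NOT be in use by
! any real host on the old LAN.
object network NEW_HOSTS_AS_OLD
 range 192.168.10.11 192.168.10.13
object network NEW_HOSTS_REAL
 range 10.1.10.51 10.1.10.53
 nat (newnet,oldnet) static NEW_HOSTS_AS_OLD
!
! Direction 2: new hosts reach the devices that stay on the old range via
! addresses in the new range. Same shape, interfaces reversed.
object network OLD_DEVICES_AS_NEW
 range 10.1.10.120 10.1.10.129
object network OLD_DEVICES_REAL
 range 192.168.10.20 192.168.10.29
 nat (oldnet,newnet) static OLD_DEVICES_AS_NEW
!
! Static NAT is one-to-one, so each pair of ranges must be the same size;
! it is also bidirectional, so one rule per block covers return traffic
! and no per-device rules are needed.
!
! Interface ACLs on 8.3+ are written with REAL (untranslated) addresses.
access-list OLDNET_IN extended permit ip 192.168.10.0 255.255.255.0 object NEW_HOSTS_REAL
access-group OLDNET_IN in interface oldnet
access-list NEWNET_IN extended permit ip 10.1.10.0 255.255.255.0 object OLD_DEVICES_REAL
access-group NEWNET_IN in interface newnet
!
! Checks: confirm the rules exist, that translations get built, and
! trace one flow through NAT and the ACLs without sending real traffic.
! show nat detail
! show xlate
! packet-tracer input oldnet tcp 192.168.10.10 12345 192.168.10.11 443
```

Direction 1 works on the same-subnet case because the mapped addresses lie on the oldnet interface's own subnet: for a static rule the ASA answers ARP for the mapped addresses on the mapped interface (proxy ARP, on unless `no-proxy-arp` is added to the rule), which is what draws the old devices' traffic for 192.168.10.11 to the firewall instead of leaving it on the wire. That also means the hit counters from `show nat detail` are the first thing to look at if a flow is not being translated: no hits means the packets never reached the ASA.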
What I described would look like this - EVEN THOUGH this doesn't make use of the Cisco exactly.  I still don't know how you get internet service for EACH network.

So if 192.168.10.10 tries to connect to 192.168.10.11, I need that traffic to go to 10.1.10.51
???
If 192.168.10.10 tries to connect to 192.168.10.11, the packets will go straight on the wire from .10 to .11. I see no way to involve routing or 10.1.10.51. Is there a typo here perhaps?

I have a series of devices on an old IP range which I need to communicate with our new network range. These are connected through a Cisco ASA 5516 firewall. The devices will eventually be moved to the new range, but they can't as of yet. So I have been asked if I can set up a nat for this range of devices. So two questions:
Does it make sense to use a nat, or is there a better way?

I am going to assume 192.168.10.0/24 and 10.10.51.0/24 are the two subnets.  I hope this doesn't end up being confusing:

I'm going to assume that 192.168.10.0/24 is the OLD network and 10.10.51.0/24 is the NEW network.

I'm going to assume that the ASA 5516 is ONLY associated with the NEW network (as it's not clear above).

So, the question is:
How to connect the devices on 192.168.10.0/24 to the new devices on 10.10.51.0/24, right?
And, I should think, how to get internet service.
But, for now, I'm going to assume that each network has its own separate internet service / gateway.
And, the ASA 5516 is the internet gateway for the new network 10.10.51.0/24.
So please either say "OK" or correct this description.

Now, this is a simple-minded approach that will work:
Get a simple router like an RV320.
Set the WAN address of the RV320 to something like 10.10.51.253 .... something static and compatible with the DHCP arrangement.
Set the LAN address of the RV320 to something like 192.168.1.253 ... something static and compatible with the DHCP arrangement on THAT side.
Turn off DHCP and set the RV320 in Router and not in Gateway mode.
Add a route to the old gateway:
10.10.51.0/24 to 192.168.1.253 (assuming the choices you make match the ones I made above).
Add a route to the new gateway:
192.168.1.0/24 to 10.10.51.253 (assuming the choices you make match the ones I made above).

With this, packets destined for the opposite subnet will do this:
1) Go to their gateway
2) Be routed to the local port of the inter-LAN router (i.e. RV320) IP address on the local LAN
3) Come out of the inter-LAN router (i.e. RV320) onto the opposite LAN and on to the destination IP address.

(So, when packets come out of the inter-LAN router, they go straight to the destination.  But, when there are return packets, they will hop through the local gateway.)

You can very likely do the same sort of thing within the ASA but I think this description is easier to understand.  But, it does leave the implementation details up to you unless you do it this way.
Brian B (asker):
Flip the old device ports onto a VLAN at the switch level then pipe that to the router and set up a gateway for that subnet and VLAN.
So I managed to get everyone to realize how complicated this is going to be, and it has been decided the old devices are going to stay on the old network and don't need to be disguised as being on the new network. So this means we don't need to use NAT any more. I just need to set up routing between the two networks.

This of course doesn't work, either. The new network is VLAN 101. The ports for old devices are VLAN 103. Devices on the old vlan can ping each other but not the gateway. I tried setting up static routes, but I get an error. From what I can tell it's because the interfaces themselves have the networks in question assigned to them. So how to make this work this time? Any special rules required?
Based on the assumption that your ASA is the gateway for your VLANs and routing for them both:

Do you have subinterfaces configured on the ASA with the associated VLAN assigned to the subinterface?
Are you allowing ping to the ASA interface? It doesn't allow it by default. There is no need for a static route for the two VLANs if the ASA is the gateway for both. These are considered connected routes.
Brian B (asker):
Okay, I think we are on the right track. Yes, the firewall has multiple interfaces; one is plugged into a switch port of VLAN 103 and another into a switch port of VLAN 101. I realized ping doesn't work by default, but I set up a rule to allow all to the interface and allowed all IP, TCP and UDP.
Devices on the same VLAN can ping each other, but ping still doesn't work across the ports.
ASKER CERTIFIED SOLUTION
Soulja (United States):
Brian B (asker):
The gateway was part of the problem as it turns out. The devices already had a different gateway set. So I needed to set the IP address of the interface to that gateway.
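Pulling the second half of the thread together (ASA as gateway for both VLANs with connected routes and no static route, ping to the interfaces, and the final fix of giving the old-side interface the address the devices already use as their gateway), here is an added example of the no-NAT configuration. It is not from the thread or from Cisco's documentation. The physical layout follows the asker's description (one ASA port on a VLAN 103 access port for the old range, another on a VLAN 101 access port for the new range); the interface names, security levels, access-list names and the specific interface addresses are assumptions.

```cisco
! Added example, not from the thread. Interface names, security levels,
! ACL names and the exact interface addresses are assumptions; subnets
! follow the thread: old 192.168.10.0/24 (VLAN 103), new 10.1.10.0/24
! (VLAN 101), each on its own ASA port connected to a switch access port.
!
! Old side. The address here must be the gateway the old devices already
! have configured (192.168.10.254 is an assumed value; use theirs).
interface GigabitEthernet1/2
 nameif oldnet
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown
!
! New side.
interface GigabitEthernet1/3
 nameif newnet
 security-level 100
 ip address 10.1.10.1 255.255.255.0
 no shutdown
!
! Both subnets are directly connected ("C" routes), so no "route" command
! is needed; a static route for a connected network is rejected, which
! is the error seen in the thread.
!
! Two interfaces at the same security level do not forward to each other
! until this is enabled (an ACL alone does not lift that restriction).
same-security-traffic permit inter-interface
!
! Ping TO the ASA's own interfaces is governed by the icmp command,
! independently of the through-traffic ACLs below; allow each subnet to
! ping its own gateway interface so the gateway test is unambiguous.
icmp permit 192.168.10.0 255.255.255.0 oldnet
icmp permit 10.1.10.0 255.255.255.0 newnet
!
! Through-traffic between the two subnets. "permit ip" includes ICMP;
! a rule listing only TCP and UDP would leave ping across the ASA blocked.
access-list OLDNET_IN extended permit ip 192.168.10.0 255.255.255.0 10.1.10.0 255.255.255.0
access-group OLDNET_IN in interface oldnet
access-list NEWNET_IN extended permit ip 10.1.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group NEWNET_IN in interface newnet
!
! NAT is no longer wanted. If other NAT rules on these interfaces could
! match this traffic, an identity rule keeps the addresses unchanged:
! nat (oldnet,newnet) source static any any destination static any any
!
! Checks:
! show route                 -> both subnets listed as C (connected)
! show interface ip brief    -> both interfaces up/up with the addresses
! packet-tracer input oldnet icmp 192.168.10.10 8 0 10.1.10.51
! packet-tracer input newnet icmp 10.1.10.51 8 0 192.168.10.10
```

The two `packet-tracer` lines are the quickest way to separate the failure modes that came up in the thread: a drop at the ACL phase points at a rule that omits ICMP, a drop with an "implicit rule" between same-security interfaces points at the missing `same-security-traffic` line, and a routing-phase result that still reports "no route" or a wrong egress interface means the interface addresses do not match what the end devices are using as their gateway.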