topic Re: Destination NAT based on source IP? in Network Security

Destination NAT based on source IP?

dan.shalinsky — Mon, 11 Mar 2019 09:55:40 GMT

Is it possible to NAT to 1 of 2 different inside destination IP's based solely on the external source IP address?

There is something similar described but it doesn't work:

access-list WEB permit tcp host 10.1.2.1 209.165.201.11 255.255.255.255 eq 80

access-list TELNET permit tcp host 10.1.3.1 209.165.201.11 255.255.255.255 eq 23

nat (outside) 1 access-list WEB outside

global (inside) 1 209.165.202.129

nat (outside) 2 access-list TELNET outside

global (inside) 2 209.165.202.130

Thanks,

Dan

Re: Destination NAT based on source IP?

David White — Wed, 04 Apr 2007 02:56:03 GMT

Your question isn't totally clear.

The config above is accurate (assuming you know what it is doing). You are missing the translation for the internal host you are attempting to access. (ie: static (inside,outside) 209.165.201.11 ...) However, I can't add much more without more specifics, and things like the version you are running, etc.. as there are a lot of other variables involved.

Sincerely,

David.

Re: Destination NAT based on source IP?

dan.shalinsky — Wed, 04 Apr 2007 13:30:51 GMT

Hi David:

Here's a better description of my scenario:

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.1.1 port 80.

If 10.1.1.2 connects to 172.16.0.1 on port 80, NAT to inside IP 192.168.2.2 port 80.

It makes sense that this requires a corresponding static entry as well.

Thanks,

Dan

Re: Destination NAT based on source IP?

David White — Wed, 04 Apr 2007 13:46:10 GMT

Hi Dan,

Then ok that will work.

Sincerely,

David.

Re: Destination NAT based on source IP?

dan.shalinsky — Wed, 04 Apr 2007 14:02:48 GMT

Hi David:

OK, great. But I'm still confused on the syntax Here's what I have so far:

access-list host1 permit tcp host 10.1.1.1 host 172.16.0.1 eq 80

access-list host2 permit tcp host 10.1.1.2 host 172.16.0.1 eq 80

nat (outside) 1 access-list host1 outside

global (inside) 1 192.168.1.1

nat (outside) 2 access-list host2 outside

global (inside) 2 192.168.2.2

But, I don't think the static command will let you map the same IP twice:

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80

static (inside,outside) tcp 172.16.0.1 80 192.168.2.2 80

Your help is greatly appreciated,

Dan

Re: Destination NAT based on source IP?

David White — Wed, 04 Apr 2007 16:45:05 GMT

Hi Dan,

Think of NATing in 2 parts:

a) Internal device's source IP being NATed when it accesses devices on the outside

b) External device's source IP being NATed when it access devices on the inside

For the config you have been focusing on, that covers (b). Whereby you are policy-nating the source IP of the hosts on the outside (10.1.1.1 and 10.1.1.2) when they attempt to access 172.16.0.1 on the inside. Each outside host will be translated to a different inside IP.

For the case of (a) you just need a single static, as both outside hosts are accessing the same server. (right?) If that server's IP address is not being translated, then the command would just be:

static (inside,outside) 172.16.0.1 172.16.0.1 netmask 255.255.255.255

That statement just tells the PIX to translate the source (172.16.0.1) to itself when it goes from inside -> outside. It also tells external devices that if they connect to destination address 172.16.0.1, then the address would be translated to itself on the inside.

Now, (hopefully this won't complicate things more) if you _additionally_ wanted the two external hosts to go to the same global address, but that global address would be translated to two different internal addresses, then that would also be possible, but a bit more complicated 😉

Sincerely,

David.

PS> Please don't forget to check the solution off if it solves your problem so we can cross it off the list.

Re: Destination NAT based on source IP?

dan.shalinsky — Wed, 04 Apr 2007 17:04:55 GMT

Hi David:

Sorry, I think I still wasn't clear on my scenario. I want to redirect to one of two different inside servers but based on which source IP.

Two outside source IPs: 10.1.1.1 and 10.1.1.2

Both connecting to 172.16.0.1 on port 80

If 10.1.1.1 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.1.1.

If 10.1.1.2 connects to 172.16.0.1 on port 80, redirect to inside server 192.168.2.2.

Sorry for the midunderstanding.

Thanks,

Dan

Re: Destination NAT based on source IP?

abinjola — Wed, 04 Apr 2007 17:41:45 GMT

here we need static port redirection which is only unidirectional , however you CANNOT nat 172.16.0.1 on port 80 to two different servers

though this can be done...

static (inside,outside) tcp 172.16.0.1 80 192.168.1.1 80

static (inside,outside) tcp 172.16.0.1 8080 192.168.2.2 8080

Re: Destination NAT based on source IP?

David White — Thu, 05 Apr 2007 00:22:28 GMT

Hi Dan,

Unfortunately, we don't have a way to achieve that currently.

Sorry,

David.

Re: Destination NAT based on source IP?

David White — Thu, 05 Apr 2007 03:10:42 GMT

Hi Dan,

One final follow-up to this conversation (just for completeness). If you happened to use policy-nat, please note that it does not support using ports in the ACL. The ACL must only contain IPs/networks and no ports.

Sorry for not mentioning that sooner.

Sincerely,

David.