topic Re: Object based NAT - Natting two public IP to one private IP in Network Security

Object based NAT - Natting two public IP to one private IP

raghavendrasomiyani — Fri, 21 Feb 2020 15:29:21 GMT

Hello Experts,

I need your help with a configuration bit for Object based NAT - Natting two public IP to one private IP.

I am asked to nat two public IP to one private IP 8.xxx.xx.90 and 8.xxx.xx.92 to nat to 10.53.19.8. 8.xxx.xx.92 nats to 10.53.19.8 (Already in place)

Below is the configuration we currently have 8.xxx.xx.90 nats to 10.53.12.14 and 8.xxx.xx.92 nats to 10.53.19.8.

Need configuration bits to achieve 8.xxx.xx.90 and 8.xxx.xx.92 to nat to 10.53.19.8

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.14

object network SIP3
host 10.53.19.8

Regards,

Raghav.

Re: Object based NAT - Natting two public IP to one private IP

V S Narayana Chivukula — Thu, 08 Mar 2018 05:14:49 GMT

Hi Raghav,

Translating multiple mapped IP to one real IP address is not possible in static NAT.

If the real IP address is running multiple services then you may use static PAT to translate one service of the real IP to each mapped IP.

But in static NAT you cannot map multiple mapped IPs to 1 real IP.

Thanks,

Narayana Rao.

Re: Object based NAT - Natting two public IP to one private IP

raghavendrasomiyani — Thu, 08 Mar 2018 18:29:04 GMT

Hi Narayana,

Thanks for your response.

So what is the best method to have 2 public IP's nat to one Private address. I am not restricted to object based nat only, I am looking/open for other options as well.

Key is to make it work.

Regards,
Raghav.

Re: Object based NAT - Natting two public IP to one private IP

Florin Barhala — Fri, 09 Mar 2018 09:41:39 GMT

Just do service based nat, instead of 1:1 nat aka Static NAT.

It doesn't matter if it's a rule nat or an object NAT, Static NAT doesn't work on your scenario requirements.

Re: Object based NAT - Natting two public IP to one private IP

raghavendrasomiyani — Mon, 12 Mar 2018 01:32:14 GMT

I created a new object SIP 4 with same private host IP of SIP3 (SIP3 and SIP4 has same private IP), but natting each of them independently (SIP3 to 8.xxx.xx.92) and (SIP4 to 8.xxx.xx.90). Let me know if below should work or will run into any (what) problems.
object network SIP3
host 10.53.19.8
exit
object network SIP4
host 10.53.19.8
exit
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92
exit
object network SIP4
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
exit

Regards,
Raghav

Re: Object based NAT - Natting two public IP to one private IP

Florin Barhala — Mon, 12 Mar 2018 15:22:45 GMT

It will work partially at best, but not as intended.

Simplest solution for you, add a secondary IP on that 10.53.19.8 server keep this config

object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92
exit

then map 8.xxx.xx.90 to the secondary local IP

Re: Object based NAT - Natting two public IP to one private IP

Ajay Saini — Tue, 13 Mar 2018 04:32:10 GMT

Hello,

From the description, you need to NAT 2 public ip addresses to point to a single real ip address for inbound access, correct?

Then I see you have a mapping for 2 inside servers

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.14

object network SIP3
host 10.53.19.8

Do you wish to remove the NAT for 10.53.12.14 and point both public ip addresses to 10.53.12.8?

If yes, this should be possible, but there are some catches. If you confirm my understanding above, I can suggest few steps.

Mulitple public ip address can be very well mapped to a single real server ip address and its a valid design.

HTH
AJ

Re: Object based NAT - Natting two public IP to one private IP

Octavian Szolga — Tue, 13 Mar 2018 12:01:52 GMT

Hi,

It is possible to do a static NAT for a real IP with multiple NAT IPs.

It's called one to many static NAT.

For example, if the real IP would be 10.10.10.10 and your 'public' IPs would be 5.5.5.5 and 5.5.5.7, you would have to configure something like:

object-group network MY_PUBLIC_IPs
network-object host 5.5.5.5
network-object host 5.5.5.7

object network HOST_10.10.10.10
host 10.10.10.10

nat (inside,outside) source static HOST_10.10.10.10 MY_PUBLIC_IPs

Take into account what whenver the real host connects to the outside world (outbound session) it would always use the first IP configured inside the NAT object (5.5.5.5).

Still, anyone from the outside (inbound) can connect to the real host using any NAT IP (both 5.5.5.5 and 5.5.5.7).

Thanks,

Octavian

Re: Object based NAT - Natting two public IP to one private IP

raghavendrasomiyani — Wed, 14 Mar 2018 15:47:47 GMT

Hi Ajay,

Sorry, I got caught up with priority issues and couldn't keep a check here.

Yes, your understanding is correct.

We wish to remove the NAT for 10.53.12.14 (this will get decom) and point both public ip addresses (8.xxx.xx.90 and 8.xxx.xx.92) to 10.53.12.8.

Regards,
Raghav.

Re: Object based NAT - Natting two public IP to one private IP

Ajay Saini — Thu, 15 Mar 2018 04:49:37 GMT

Hello,

This should be feasible, all we have to do is to create 2 NAT statements. Inbound, both public ip address will work, but for inbound, the first in order will work when the server will initiate traffic towards internet.

With object NAT, your config should look like:

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.8

object network SIP3
host 10.53.19.8

HTH