topic Re: nat based on outside source in Network Security

nat based on outside source

g_mcco — Mon, 11 Mar 2019 17:00:06 GMT

Hi,

I have the following situation:

server on inside with 192.168.1.1 address

outside nat address x.x.x.1

this is currently working correctly with static nat

we require to have a policy nat where we can nat outside address x.x.x.1 to a second server 192.168.1.2 based on if the source is a specifc host/network

Connections are always initiated from outside (public facing web server for example).

I have been unable to identify a means of achieving this with policy nat, we can successully nat the inside hosts to different outside addresses based on the policy access lists but we are unable to nat an outside address to multiple inside addresses.

any ideas?

Re: nat based on outside source

vilaxmi — Fri, 22 Jan 2010 04:51:42 GMT

Hello,

So you need to MAP one public IP to multiple internal servers depending upon the source (external). You need a policy as follows :

if two different hosts (x.x.x.x and y.y.y.y) on outside world would like to access TWO different servers (192.168.1.1 and 192.168.1.2) on inside using same public IP (160.1.1.2) respectively.

access-list policy extended permit ip host x.x.x.x 192.168.1.1 --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip host y.y.y.y 192.168.1.2 --> y.y.y.y will be able to access server at 192.168.1.2 using 160.1.1.2

static (inside,outside) 160.1.1.2 access-list policy

HTH

Vijaya

Re: nat based on outside source

g_mcco — Fri, 22 Jan 2010 07:04:01 GMT

Hi,

thanks fot he answer, you've understood exactly what I need with just a slight variation:

access-list policy extended permit ip host x.x.x.x 192.168.1.1 --> x.x.x.x will be able to access server at 192.168.1.1 using 160.1.1.2

access-list policy extended permit ip ANY 192.168.1.2 --> ANY OTHER ADDRESS will be able to access server at 192.168.1.2 using 160.1.1.2

I'll test the above later on but from what I gather I won't be able to use ANY as a source address - ie I want only specific addresses to go to 192.168.1.1 and all others to go to 192.168.1.2

do you think this will work?

thanks

Re: nat based on outside source

vilaxmi — Fri, 22 Jan 2010 18:57:29 GMT

Hello,

You can try :

access-list policy extended permit ip host x.x.x.x host 192.168.1.1

access-list policy extended permit ip host y.y.y.y host 192.168.1.1

static (in,out) access-list policy

static (in,out) 192.168.1.2 netmask 255.255.255.255

Now, since the POLICY STATIC has higher preference than normal STATIC, so your specific uers (x.x.x.x and y.y.y.y) will go to internal server

at 192.168.1.1 using

WHILE on the other hand, rest all users will go to internal server at 192.168.1.2 using same

Try this and let me know how it goes..

Vijaya