topic Re: Multiple NAT Pool/ Static NAT for diffenet Subnets. in Network Security

Multiple NAT statements for multiple Subnets on PIX

s.nasheet — Mon, 11 Mar 2019 17:54:48 GMT

Hi,

I am trying to configure a PIX to do NATing for the multiple subnets. In my private network I am runnning 172.16.X.X network.

I have many vlans within our network and each vlan is a seperate office which doesn't require to talk to other vlan/office.only internet access is required.

My question is can I configure CIsco PIX to do NATing for each vlan seperately with the multiple NAT statments and overload each vlan traffic to the different public IP adddress.

I have many public IP addresses available for this purpose.

Here is what I am trying to do.

Example

VLAN 10

Subnet range = 172.16.10.0 255.255.255.0

WAN IP = 91.34.54.10

VLAN 11

Subnet range - 172.16.11.0 255.255.255.0

WAN IP = 91.34.54.11

VLAN 12

Subnet range - 172.16.12.0 255.255.255.0

WAN IP = 91.34.54.12

I want PIX to do NAT but use different public IP address based on the source traffic of VLAN/sunbet.

I will create loopback interface on PIX with /32 mask.

e.g

Interface loopback10

ip address 91.34.54.10 255.255.255.255

Interface loopback11

ip address 91.34.54.11 255.255.255.255

Interface loopback12

ip address 91.34.54.12 255.255.255.255

Then NAT statment for each VLAN. ( I am not sure how nat statment looks in PIX but below are just example)

ip nat inside source list 10 interface loopback 10 overload

ip nat inside source list 11 interface loopback 11 overload

ip nat inside source list 12 interface loopback 12 overload

!
Then use access-list to identify each vlan traffic to be translated.

acccess-list 10 permit 172.16.10.0 255.255.255.0

acccess-list 11 permit 172.16.11.0 255.255.255.0

acccess-list 12 permit 172.16.12.0 255.255.255.0

The whole idea is to make sure PIX uses different public ip address for translation based on the vlan.

So whenever users from vlan10 go to internet, they will be translated to 91.34.54.10., and whenever users from vlan11 go to internet they will be translated to 91.34.54.11 and so on.

Is that possible to configure PIX to have multiple NAT statements based on vlan/subnet and overload on unique public ip addresses.

Thanks

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnbets.

Federico Coto Fajardo — Thu, 03 Jun 2010 22:57:29 GMT

Hi,

You cannot create loopbacks on the PIX.

If you have this:

VLAN 10
Subnet range = 172.16.10.0 255.255.255.0
WAN IP = 91.34.54.10

VLAN 11
Subnet range - 172.16.11.0 255.255.255.0
WAN IP = 91.34.54.11

VLAN 12
Subnet range - 172.16.12.0 255.255.255.0
WAN IP = 91.34.54.12

Then you can do the following:

nat (inside) 10 172.16.10.0 255.255.255.0

global (outside) 10 91.34.54.10

nat (inside) 11 172.16.11.0 255.255.255.0

global (outside) 11 91.34.54.11

nat (inside) 12 172.16.12.0 255.255.255.0

global (outside) 12 91.34.54.12

Hope it helps.

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnbets.

s.nasheet — Fri, 04 Jun 2010 10:06:42 GMT

Federico,

Thanks.

Can I also configure PIX to have a pool of public ip addresses ( 2 public IP per pool) and then use the same pool to translate LAN traffic to internet.

Example.

NAT Pool 10 = IP's in pool are 91.34.54.10 And 91.34.54.11 ---------->2 public IP's per pool

NAT Pool 11 = IP's in pool are 91.34.54.12 And 91.34.54.13 ---------->2 public IP's per pool

NAT Pool 12 = IP's in pool are 91.34.54.14 And 91.34.54.15 ---------->2 public IP's per pool

This is just to make sure that each vlan has minimum of 2 public IP addresses to go on internet ,which can be useful if vlan users are running multiple servers.

Do we need to specify the network mask when configure the NAT pool in PIX?

Do I need to confiure routing between switches and PIX to allow all Vlan/ subnet to reach firewall ?

Subnet on LAN are 172.16.10.0/24, 172.16.11.0/24, 172.16.12.0/24 etc , what is the best mask to configure on PIX INSIDE interface /24 or /16 ?

Many thanks for your advise.

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnbets.

Federico Coto Fajardo — Fri, 04 Jun 2010 15:34:23 GMT

Salman,

Yes you can have multiple pools.
If you don't specify the network mask it will assume the default class mask, so if you intend to use a different mask you should specify it.
If the VLANs are not directly connected to the Firewall, then you will need some sort of routing (either static or dynamic routing protocols)
If you have three subnets:
172.16.10.0/24
172.16.11.0/24
172.16.12.0/24
You can summarize them with 172.16.8.0/21 for example, but you need to make sure it won't overlap with anything else on your network.

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Fri, 04 Jun 2010 17:33:38 GMT

Federico.,

Thanks.

Only one Switch ( swtich-01) with be directly connected to firewall while other switches will be inter-connected with each other but not to firewall directly. Does this switch need to have routing enabled ?

If I configure switch-01 as a VTP server and create all vlans & vlan interfaces on that switch, then would I still I need to configure routing between PIX and the switch-01 ?

Do all other switches have to point to switch-01 as default-gateway or they have to point PIX inside interface ?

Regards

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

Federico Coto Fajardo — Fri, 04 Jun 2010 18:03:04 GMT

Salman,

You don't need any routing at all internally, if the switches you're referring are layer 2 switches.

If the switches are layer 3, then you will need routing as if they were actual routers.

Let me know what kind of switches do you have.

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Fri, 04 Jun 2010 18:06:45 GMT

Federico.,

All switches are Cisco 3550 with EMI/ layer 3 image on them.

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

Federico Coto Fajardo — Fri, 04 Jun 2010 18:44:43 GMT

I should have been more specific.

Are the 3550s working as layer 3 or layer 2 switches?

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Fri, 04 Jun 2010 18:47:56 GMT

Federico.,

Thats what need to be decided.

At this time, they not the part of live network , but need to decide weather to use them as a L2 or L3.

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

Federico Coto Fajardo — Fri, 04 Jun 2010 18:57:35 GMT

You need to decide that.

If using the switches as L2, they will all be in the same broadcast domain (unless using VLANs).

There's a need to a L3 device somewhere to do the InterVLAN routing (could be the firewall itself).

If using the switches as L3, they will serve as routers in that they will have their own IPs to route traffic.

Generally speaking I'll recommend Layer 3 switches if necessary or L2 switches if not having a complicated environment.

The above is very general and you need to take technical/budget/business considerations into account for this decision.

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Fri, 04 Jun 2010 19:06:15 GMT

Federico.

I will go for L3 switches and will enable IP rounting on all switces and may possibilly cofigure a static on firewall to learn all subnets on LAN.

I will post further if I have any problems during the configuration & installation.

Thanks for the advise.

Regards

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Sun, 06 Jun 2010 16:13:57 GMT

Federico.,

I have enabled the routing on the switches to allow PIX to learn all subnets that are available on the LAN. but due to this inter-vlan routing is also enabled and now all vlans can talk/ping/communicate to each other which is not a desired solution as each vlan is a separate office and doesn't require to speak to other vlan.

Can we avoid this situation some how ? Is the VACL is the good option ? I have not tried VACL before but not sure how hard it is to configure.

Any other options available to keep each vlan separated while still allow PIX to have reachability to all subnet/vlan on LAN.

Regards

Salman

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

Federico Coto Fajardo — Sun, 06 Jun 2010 16:29:29 GMT

Since you have configured the 3550s as layer 3 switches and they are routing and doing inter-VLAN routing, you can restrict traffic with regular ACLs.

There's no need for VACLs. VACLs are normally used when you want to restrict traffic between ports that belong to the same VLAN.

In this case you're trying to restrict traffic between VLANs (this is between IP subnets), so you can use regular extended ACLs.

Take a look:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swacl.html

Federico.

Re: Multiple NAT Pool/ Static NAT for diffenet Subnets.

s.nasheet — Sun, 06 Jun 2010 21:56:14 GMT

Federico,

Cheers mate.Thanks for the links. I will use ACL to block inter-vlan routing.

Regards

Salman