Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1375
Views
5
Helpful
9
Replies

Object based NAT - Natting two public IP to one private IP

raghavendrasomiyani
Level 1
Level 1

‎03-07-2018 08:40 AM - edited ‎02-21-2020 07:29 AM

Hello Experts,

 

I need your help with a configuration bit for Object based NAT - Natting two public IP to one private IP.

 

I am asked to nat two public IP to one private IP 8.xxx.xx.90 and 8.xxx.xx.92 to nat to 10.53.19.8.  8.xxx.xx.92 nats to 10.53.19.8 (Already in place)

 

Below is the configuration we currently have 8.xxx.xx.90 nats to 10.53.12.14 and 8.xxx.xx.92 nats to 10.53.19.8.

 

Need configuration bits to achieve 8.xxx.xx.90 and 8.xxx.xx.92 to nat to 10.53.19.8

 

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.14

object network SIP3
host 10.53.19.8

 

Regards,

Raghav.

Labels:
0 Helpful
9 Replies 9

V S Narayana Chivukula
Cisco Employee
Cisco Employee

‎03-07-2018 09:14 PM

Hi Raghav,

 

Translating multiple mapped IP to one real IP address is not possible in static NAT.

 

If the real IP address is running multiple services then you may use static PAT to translate one service of the real IP to each mapped IP. 

 

But in static NAT you cannot map multiple mapped IPs to 1 real IP.

 

Thanks,

Narayana Rao.

raghavendrasomiyani
Level 1
Level 1
In response to V S Narayana Chivukula

‎03-08-2018 10:29 AM

Hi Narayana,

Thanks for your response.

So what is the best method to have 2 public IP's nat to one Private address. I am not restricted to object based nat only, I am looking/open for other options as well.

Key is to make it work.

Regards,
Raghav.
0 Helpful

Florin Barhala
Level 6
Level 6
In response to raghavendrasomiyani

‎03-09-2018 01:41 AM

Just do service based nat, instead of 1:1 nat aka Static NAT.

It doesn't matter if it's a rule nat or an object NAT, Static NAT doesn't work on your scenario requirements.
0 Helpful

raghavendrasomiyani
Level 1
Level 1
In response to Florin Barhala

‎03-11-2018 06:30 PM - edited ‎03-11-2018 06:32 PM

I created a new object SIP 4 with same private host IP of SIP3 (SIP3 and SIP4 has same private IP), but natting each of them independently (SIP3 to 8.xxx.xx.92) and (SIP4 to 8.xxx.xx.90). Let me know if below should work or will run into any (what) problems.
object network SIP3
host 10.53.19.8
exit
object network SIP4
host 10.53.19.8
exit
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92
exit
object network SIP4
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
exit

Regards,
Raghav

0 Helpful

Florin Barhala
Level 6
Level 6
In response to raghavendrasomiyani

‎03-12-2018 08:22 AM

It will work partially at best, but not as intended.

 

Simplest solution for you, add a secondary IP on that 10.53.19.8 server keep this config

 

object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92
exit

then map 8.xxx.xx.90 to the secondary local IP

0 Helpful

Octavian Szolga
Level 4
Level 4
In response to V S Narayana Chivukula

‎03-13-2018 05:01 AM

Hi,

 

It is possible to do a static NAT for a real IP with multiple NAT IPs.

It's called one to many static NAT.

 

For example, if the real IP would be 10.10.10.10 and your 'public' IPs would be 5.5.5.5 and 5.5.5.7, you would have to configure something like:

 

!

object-group network MY_PUBLIC_IPs
 network-object host 5.5.5.5
 network-object host 5.5.5.7

!

object network HOST_10.10.10.10
 host 10.10.10.10

!

nat (inside,outside) source static HOST_10.10.10.10 MY_PUBLIC_IPs

!

 

 

Take into account what whenver the real host connects to the outside world (outbound session) it would always use the first IP configured inside the NAT object (5.5.5.5).

 

Still, anyone from the outside (inbound) can connect to the real host using any NAT IP (both 5.5.5.5 and 5.5.5.7).

 

Thanks,

Octavian

0 Helpful

Ajay Saini
Level 7
Level 7

‎03-12-2018 09:31 PM - edited ‎03-12-2018 09:32 PM

Hello,

 

From the description, you need to NAT 2 public ip addresses to point to a single real ip address for inbound access, correct?

 

Then I see you have a mapping for 2 inside servers

 

 

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.14

object network SIP3
host 10.53.19.8

 

Do you wish to remove the NAT for 10.53.12.14 and point both public ip addresses to 10.53.12.8?

 

If yes, this should be possible, but there are some catches. If you confirm my understanding above, I can suggest few steps.

 

Mulitple public ip address can be very well mapped to a single real server ip address and its a valid design.

 

-

HTH
AJ

0 Helpful

raghavendrasomiyani
Level 1
Level 1
In response to Ajay Saini

‎03-14-2018 08:47 AM

Hi Ajay,

Sorry, I got caught up with priority issues and couldn't keep a check here.

Yes, your understanding is correct.

We wish to remove the NAT for 10.53.12.14 (this will get decom) and point both public ip addresses (8.xxx.xx.90 and 8.xxx.xx.92) to 10.53.12.8.

Regards,
Raghav.
0 Helpful

Ajay Saini
Level 7
Level 7
In response to raghavendrasomiyani

‎03-14-2018 09:49 PM

Hello,

 

This should be feasible, all we have to do is to create 2 NAT statements. Inbound, both public ip address will work, but for inbound, the first in order will work when the server will initiate traffic towards internet.

 

 

With object NAT, your config should look like:

 

object network SIP1
nat (INSIDE,OUTSIDE) static 8.xxx.xx.90
object network SIP3
nat (INSIDE,OUTSIDE) static 8.xxx.xx.92

object network SIP1
host 10.53.12.8

object network SIP3
host 10.53.19.8

 

HTH

AJ

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card