01-04-2018 12:02 AM - edited 02-21-2020 07:04 AM
Hi all,
is it possible to hide a lot (think Internet) of public IP addresses with NAT on an IOS device? By hide I mean translate to the RFC1918 namespace.
The logical construct would be:
ip nat outside source...
but this isn't suited to many outside local IPs as you either need individual static mappings or a pool; neither being sufficient given the expansive namespace of public IPs.
If there is a solution can you please attach an example configuration?
Thanks,
Scott
01-04-2018 03:07 AM
You can certainly present public IPs as private IPs to internal clients if that is what you are asking.
But it sounds like you are talking about the entire internet IP address space which is totally impractical.
Perhaps you could clarify exactly what it is you are trying to achieve?
Jon
01-04-2018 04:38 AM
Hi Jon,
When you say it's possible, do you mean the way I've already described (and discounted)? Or some other way?
What I'm trying to achieve is the hiding of a subset of the public address namespace using the private address namespace. I understand that on a one-to-one mapping that is impractical; however, with overloading, which I do not see possible with the outside source function, it would be reasonable to hide a lot of multiplexed connections (TCP, UDP) behind a number of private IPs (e.g. a 10.a.b.0/24 could support ≈16 million IPs, assuming each public IP made a single connection).
My understanding is that this is possible on ASAs.
Scott
01-04-2018 05:32 AM
So you mean hide any incoming public IPs behind a subset of private IPs.
If so you are correct about IOS (as far as I know), there is no overload from outside to inside so if you want to do it dynamically you need a pool of private IPs equal in size to the number of public IPs.
And yes you can overload with an ASA.
Jon
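As an added example (not configuration posted by either participant), the two forms the thread contrasts, side by side, on hypothetical addresses: 203.0.113.0/24 stands in for the public range to be hidden, 10.200.0.0/24 for the private range it is hidden behind, and the interface names and object names are assumptions. The IOS part shows the static and pool forms of `ip nat outside source` (no overload keyword exists there); the ASA part shows the 8.3+ manual NAT form that does PAT the outside sources, including a PAT pool for the case where a single private address would run out of ports.

```cisco
! ===== IOS: outside source NAT (hypothetical addresses, added example) =====
! Inside hosts (192.168.10.0/24) reach the public host 203.0.113.10
! as 10.200.0.10. "add-route" installs a host route for the mapped
! address toward the outside so the inside-originated traffic is routed
! to the interface where the translation is undone.
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Static form: one line per public address that must be hidden.
ip nat outside source static 203.0.113.10 10.200.0.10 add-route
!
! Dynamic form: a pool of private addresses drawn one-for-one as public
! sources appear. A 254-address pool can hide at most 254 public
! addresses at a time; there is no "overload" keyword on outside source,
! which is the limitation Jon describes above.
access-list 10 permit 203.0.113.0 0.0.0.255
ip nat pool HIDE-POOL 10.200.0.1 10.200.0.254 prefix-length 24
ip nat outside source list 10 pool HIDE-POOL add-route

! ===== ASA 8.3+: the same hiding, but overloaded (PAT) =====
! Manual (twice) NAT with "outside" as the real interface and "inside"
! as the mapped interface: any source address arriving from the
! Internet is PATed to an address from the private pool before inside
! hosts see it. "any" is used as the real source so no per-address
! objects are needed.
object network HIDE-PAT-POOL
 range 10.200.0.1 10.200.0.254
!
nat (outside,inside) source dynamic any pat-pool HIDE-PAT-POOL round-robin
!
! Replies from inside hosts addressed to 10.200.0.x must be routed to the
! ASA inside interface; the ASA reverses the translation on the way out.
```

Two practitioner caveats. First, each PAT address carries on the order of 64k concurrent ports per protocol, so the /24 pool above caps at roughly 254 × 64k simultaneous flows, the same ballpark as the ≈16 million figure in the thread, but per flow, not per public host; a single mapped address (`dynamic 10.200.0.1` instead of `pat-pool`) would exhaust much sooner. Second, this hides addresses from internal hosts only; it does not authenticate the outside party, and any logging or detection on the inside will see the private 10.200.0.x address rather than the real source, so the NAT translation log (IOS `ip nat log translations syslog`, ASA syslog 305011-series messages) has to be kept if the pre-NAT address is ever needed for incident response.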