02-02-2010 11:11 AM - edited 03-11-2019 10:04 AM
I just wanted to double check before giving up. There is a server on the DMZ that only supports a single IP address. My client wants to translate 2 public IPs to this one IP on the DMZ. Is that possible?
02-02-2010 06:42 PM
Chuck,
As I read your requirements:
I just wanted to double check before giving up. There is a server on the DMZ that only supports a single IP address. My client wants to translate 2 public IPs to this one IP on the DMZ. Is that possible?
It is possible to work around it using policy NAT.
example:
Say your server's DMZ IP is 50.50.50.50 and your two public IPs are 20.20.20.20 and 20.20.20.21, and let's say the service is TCP port 80. Inbound access using either public IP in this example will funnel the traffic to 50.50.50.50 on port 80; you can apply the same principle for different TCP ports, more public IP addresses, etc.
access-list policy_nat_http1 extended permit ip host 50.50.50.50 any
access-list policy_nat_http2 extended permit ip host 50.50.50.50 any
static (dmz,outside) 20.20.20.20 access-list policy_nat_http1
static (dmz,outside) 20.20.20.21 access-list policy_nat_http2
access-list outside_access_in extended permit tcp any host 20.20.20.20 eq 80 log
access-list outside_access_in extended permit tcp any host 20.20.20.21 eq 80 log
Hope this helps a bit.
Regards
02-02-2010 12:44 PM
I'm not 100% certain but I was trying to do this last summer and couldn't find any way to do it. All the documentation I was able to find stated static mappings were only able to be 1-to-1.
02-02-2010 02:18 PM
Yep, I arrived at the same conclusion, as the ASA/PIX primarily looks at source/destination and port to match up on the NAT table. I think in order for this to work in theory, the firewall (maybe Linux) will have to keep track of additional properties of the packet so the return packets from the internal single IP host can be separated into two distinct conversation streams. I guess as long as the firewall can distinguish or tag the two streams it may work.
Existing Cisco ASA (not permitted and does not work):
200.200.200.10:2000 ==> 10.10.10.10:80
10.10.10.10:80 ==> 200.200.200.10:2000
200.200.200.11:2000 ==> 10.10.10.10:80
10.10.10.10:80 ==> 200.200.200.10:2000 (second IP/stream fails because ASA only permits 1:1 NAT)
Theoretical firewall NAT:
200.200.200.10:2000+StreamTag1 ==> 10.10.10.10:80+StreamTag1
10.10.10.10:80+StreamTag1 ==> 200.200.200.10:2000+StreamTag1
200.200.200.11:2000+StreamTag2 ==> 10.10.10.10:80+StreamTag2
10.10.10.10:80+StreamTag2 ==> 200.200.200.11:2000+StreamTag2
With some kind of packet stream tagging, or if the firewall is able to somehow separate the two streams regardless of the IP and port, this NAT might be possible. Perhaps a Linux firewall that looks at more than just IP and port may work. Maybe Cisco can add this as a feature enhancement?
I'm still researching and will post if I find something.
--chuck
02-02-2010 05:26 PM
OK, I think I found a solution, but you'll have to place the server behind a load balancer (like F5 BigIPs).
Web----FW----LB----Server
Do the NAT on your firewall as you normally would:
200.200.200.10 = 10.10.10.10
200.200.200.11 = 10.10.10.11
On the load balancer create two virtual servers pointing to the same pool IPs:
VS1: 10.10.10.10 >> 172.16.1.10
VS2: 10.10.10.11 >> 172.16.1.10
I think the load balancer uses a combination of source and destination SNATs to track the separate streams thus making this possible. This ability is not implemented in the Cisco ASA/PIX. Maybe it has security implications if used at the firewall level. Oh well.
--chuck
02-02-2010 05:43 PM
That is correct. You cannot do this on the ASA. You will get an error message.
ERROR: duplicate of existing static. There are other Cisco products that do this.
-KS
02-02-2010 08:01 PM
Jorgemcse,
This looks like what I am searching for. I think it may work and I don't have to get additional equipment. I will set up a lab and test it out. Thanks.
--chuck
02-02-2010 08:19 PM
Chuck,
This is a hack. The firewall may take the lines, but it will not work. Think about this: both translations are in the table.
A request comes in for the second IP, and the response from the server may take the first translation in the table. Test it out.
-KS
02-02-2010 08:31 PM
KS,
Not really clear what you mean by this being a hack. It will work; this is a policy NAT process.
02-02-2010 09:04 PM
Chuck, thanks for the nice rating. I guarantee you inbound connections will work using both public IPs towards the DMZ host the way provided in the example; this is not the case for outbound. Outbound will always pick the first NAT.
I disagree with KS saying inbound will come in on one IP and go out on a different IP; the firewall is stateful, so this is unlikely to happen.
Regards
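The disagreement between the two policy NAT posts above (whether a reply from the single DMZ host "may take the first translation in the table", or whether a stateful firewall sends it back through the public IP the connection arrived on) comes down to whether translation is decided per packet or per connection. The following is an added toy model, not ASA code and not from anyone in this thread: it implements two static NATs for the thread's addresses (50.50.50.50 behind 20.20.20.20 and 20.20.20.21) once with a per-connection state table and once without. The model's rules (a connection entry keyed on addresses and ports is created on the first packet, replies follow their entry, and a new outbound connection takes the first matching static) are assumptions of the model; the class and function names are invented for the example.

```python
"""Toy model of two static NATs mapping two public IPs to one DMZ host, with and
without a per-connection state table. Added example; not ASA code and not a model
of ASA internals. Addresses are the ones used in the thread."""
import dataclasses
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True marks the first packet of a new connection


@dataclass(frozen=True)
class StaticNat:
    real_ip: str    # address the host actually has on the DMZ
    mapped_ip: str  # public address it is presented as on the outside


# Connection key as seen from the DMZ side: (outside ip, outside port, real ip, real port)
ConnKey = Tuple[str, int, str, int]


class ToyFirewall:
    def __init__(self, statics: List[StaticNat], track_connections: bool = True):
        self.statics = list(statics)           # config order: first match wins
        self.track_connections = track_connections
        self.conns: Dict[ConnKey, str] = {}    # conn key -> public IP the conn was built through

    def _static_for_mapped(self, mapped_ip: str) -> Optional[StaticNat]:
        return next((s for s in self.statics if s.mapped_ip == mapped_ip), None)

    def _static_for_real(self, real_ip: str) -> Optional[StaticNat]:
        return next((s for s in self.statics if s.real_ip == real_ip), None)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> DMZ. Returns the packet as delivered to the DMZ host, or None if dropped."""
        static = self._static_for_mapped(pkt.dst_ip)
        if static is None:
            return None
        key = (pkt.src_ip, pkt.src_port, static.real_ip, pkt.dst_port)
        if self.track_connections:
            if pkt.syn:
                self.conns[key] = static.mapped_ip   # remember which public IP this conn used
            elif self.conns.get(key) != static.mapped_ip:
                return None                          # no matching connection: dropped
        return dataclasses.replace(pkt, dst_ip=static.real_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """DMZ -> outside. Replies follow their connection entry; new connections take the first static."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self.track_connections and key in self.conns:
            return dataclasses.replace(pkt, src_ip=self.conns[key])
        static = self._static_for_real(pkt.src_ip)  # per-packet lookup: first static wins
        if static is None:
            return None
        if self.track_connections:
            if not pkt.syn:
                return None                          # reply with no connection entry: dropped
            self.conns[key] = static.mapped_ip
        return dataclasses.replace(pkt, src_ip=static.mapped_ip)


STATICS = [StaticNat("50.50.50.50", "20.20.20.20"),
           StaticNat("50.50.50.50", "20.20.20.21")]


def reply_source_ips(track_connections: bool) -> List[str]:
    """One outside client opens a connection to each public IP (constructed traffic);
    return the source IP the client sees on each server reply."""
    fw = ToyFirewall(STATICS, track_connections)
    seen = []
    for port, public_ip in ((2000, "20.20.20.20"), (2001, "20.20.20.21")):
        delivered = fw.inbound(Packet("200.200.200.5", port, public_ip, 80, syn=True))
        assert delivered is not None and delivered.dst_ip == "50.50.50.50"
        reply = Packet("50.50.50.50", 80, "200.200.200.5", port)  # server answers from its one address
        out = fw.outbound(reply)
        seen.append(out.src_ip if out else "dropped")
    return seen


def outbound_new_connection_ip() -> str:
    """The DMZ host opens its own connection: which public IP does it leave with?"""
    fw = ToyFirewall(STATICS)
    out = fw.outbound(Packet("50.50.50.50", 40000, "200.200.200.99", 443, syn=True))
    return out.src_ip if out else "dropped"


if __name__ == "__main__":
    print("stateful replies:", reply_source_ips(True))
    print("per-packet replies:", reply_source_ips(False))
    print("outbound new connection leaves as:", outbound_new_connection_ip())
```

With the connection table, the reply to the client that connected to 20.20.20.21 leaves with source 20.20.20.21; without it, both replies are translated by the first static and the second client gets an answer from an address it never contacted, which is the failure described in the thread. In both modes a connection the DMZ host initiates itself is translated by the first static, which matches the remark that outbound "will always pick the first NAT".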