NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)
I would need some suggestions regarding a configuration I would like to implement.
Basically I want to create a New DMZ for a new Infrastructure we are setting up, new DMZ leg in the ASA.
Let's say this DMZ Subnet is configured on the Core Router via VRF and with its own BGP address-family. Subnet for example 10.10.10.0/24.
Aight so far so good.
What I want to achieve is that for security matters I would like to put some very specific servers and services into this new Secure DMZ which will have limited access to the rest of the Hybrid Infrastructure, yet this cannot be done by changing IP Addresses as all of the servers are in live production and there is no downtime tolerated.
Let's say one server is HTTP in Subnet 10.20.20.0/24 and its IP Address is 10.20.20.20.
So, how do I actually NAT this server's 10.20.20.20 Port 80 for ex to the DMZ IP Address of 10.10.10.20 port 80 to port 8099, and then NAT this "NAT-ed" address to the Public IP Address of 188.8.131.52 and also accept the return traffic to take the same path back?
Have been trying a couple of combinations, yet I haven't figured it out.
Alright I figured it out if someone runs across the same kind of request. You can achieve what I earlier requested by using a third party (vendor) Proxy Server or in case you actually make a Windows proxy server to assist you with that. Then you process with the NAT Policies and ACL-s by NAT-ing the Proxy Server IP and Port instead of the Original Source.
On the Proxy Server this can be achieved by using Reverse Proxy, in my case I used Symantec ProxySG (ex BlueCoat) which was the actual Proxy implemented.
Will keep this post updated in case I have got new info about it.
For this you would need to add another NAT capable device between the ASA and internet. So you would first NAT 10.20.20.20 to an unused IP of your choosing (let's say 184.108.40.206) towards the second NAT device and then on the second NAT device NAT 220.127.116.11 to 18.104.22.168.
-- Please remember to select a correct answer and rate helpful posts
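
A small model of the two-device static NAT chain described in the reply above, added here as an illustration and not code posted by anyone in the thread. It shows that inbound traffic reaches the real server and that the reply is only accepted when it crosses both devices on the way back. The class, function and device names are hypothetical, and 203.0.113.20 is a constructed documentation-range stand-in for the public IP.

```python
from typing import NamedTuple

class Endpoint(NamedTuple):
    ip: str
    port: int

class StaticNat:
    """One device holding static (bidirectional) real<->mapped translations."""
    def __init__(self, name, rules):
        self.name = name
        self.to_mapped = dict(rules)                            # real -> mapped
        self.to_real = {m: r for r, m in rules.items()}         # mapped -> real

    def inbound(self, dst):
        # Toward the server: rewrite the destination from mapped to real.
        return self.to_real.get(dst, dst)

    def outbound(self, src):
        # Reply from the server: rewrite the source from real to mapped.
        return self.to_mapped.get(src, src)

# Constructed addresses: server and DMZ values follow the thread,
# PUBLIC is a documentation-range placeholder (assumption).
SERVER = Endpoint("10.20.20.20", 80)
DMZ = Endpoint("10.10.10.20", 8099)
PUBLIC = Endpoint("203.0.113.20", 80)

inner = StaticNat("asa", {SERVER: DMZ})     # first NAT: server -> DMZ address
outer = StaticNat("edge", {DMZ: PUBLIC})    # second NAT: DMZ -> public address

def deliver(dst, path):
    """Destination the server side sees after crossing `path` outside-in."""
    for dev in path:
        dst = dev.inbound(dst)
    return dst

def reply_source(src, path):
    """Source the client sees after the reply crosses `path` inside-out."""
    for dev in path:
        src = dev.outbound(src)
    return src

def client_accepts(return_path):
    # The client only matches a reply whose source is the address it dialled.
    return reply_source(SERVER, return_path) == PUBLIC

if __name__ == "__main__":
    print(deliver(PUBLIC, [outer, inner]))
    print(client_accepts([inner, outer]), client_accepts([inner]))
```

The second call to `client_accepts` models an asymmetric return path that skips the outer device: the reply leaves with the DMZ address as its source, so the client cannot match it to the connection it opened.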