cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

303
Views
0
Helpful
2
Replies
Highlighted
Beginner

NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)

Hello all,

 

I would need some suggestions regarding a configuration I would like to implement.

Basically I want to create a New DMZ for a new Infrastructure we are setting up,new DMZ leg in the ASA.

Let`s say this DMZ Subnet is configured on the Core Router via VRF and with its own BGP address-family. Subnet for example 10.10.10.0/24.

Aight so far so good.

 

What i want to achieve is that for security matters I would like to put some very specific servers and services into this new Secure DMZ which will have limited access to the rest of the Hybrid Infrastructure, yet this cannot be done by changing IP Addresses as all of the servers are in live production and there is no downtime tolerated.

Let`s say one server is HTTP in Subnet 10.20.20.0/24 and it`s IP Address is 10.20.20.20

 

So, how do i actually NAT this servers 10.20.20.20 Port 80 for ex to the DMZ IP Address of 10.10.10.20 port 80 to port 8099, and then NAT this "NAT-ed" address to the Public IP Address of 55.55.55.55 and also accept the return traffic to take the same path back.

 

Have been trying couple combinations, yet I haven`t figured it out.

Looking forward to suggestions.

 

Thank You,

Rigels Sino

2 REPLIES 2
Highlighted
Beginner

Re: NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)

Alright I figured it out if someone runs across the same kind of request. You can achieve what i earlier requested by using a third party (vendor) Proxy Server or in case you actualy make a windows proxy server to assist you with that. Then you process with the NAT Policies and ACL-s by NAT-ing the Proxy Server IP and Port instead of the Original Source.

On the Proxy Server this can be achieved by using Reverse Proxy, in my case I used Symantec ProxySG (ex BlueCoat) which was the actual Proxy implemented.

 

Thanks,

Will keep this post updated in case I have got new info about it.

 

Highlighted
VIP Advisor

Re: NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)

For this you would need to add another NAT capable device between the ASA and internet.  So you would first NAT 10.20.20.20 to an IP to an unused IP of your choosing (lets say 1.1.1.20) towards the second NAT device and then on the second NAT device NAT 1.1.1.20 to 55.55.55.55.

--
Please remember to select a correct answer and rate helpful posts