1419 Views | 0 Helpful | 2 Replies

NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)

Rigels_Sino
Level 1

Hello all,

 

I would need some suggestions regarding a configuration I would like to implement.

Basically I want to create a new DMZ for a new infrastructure we are setting up, a new DMZ leg on the ASA.

Let's say this DMZ subnet is configured on the core router via VRF and with its own BGP address-family. Subnet, for example, 10.10.10.0/24.

Aight, so far so good.

 

What I want to achieve is that, for security reasons, I would like to put some very specific servers and services into this new secure DMZ, which will have limited access to the rest of the hybrid infrastructure. Yet this cannot be done by changing IP addresses, as all of the servers are in live production and no downtime is tolerated.

Let's say one server is HTTP in subnet 10.20.20.0/24 and its IP address is 10.20.20.20.

 

So, how do I actually NAT this server's 10.20.20.20 port 80, for example, to the DMZ IP address 10.10.10.20, port 80 to port 8099, and then NAT this "NAT-ed" address to the public IP address 55.55.55.55, and also accept the return traffic taking the same path back?

 

I have been trying a couple of combinations, yet I haven't figured it out.

Looking forward to suggestions.

 

Thank You,

Rigels Sino

2 Replies

Rigels_Sino
Level 1

Alright, I figured it out, in case someone runs across the same kind of request. You can achieve what I earlier requested by using a third-party (vendor) proxy server, or you can actually make a Windows proxy server to assist you with that. Then you proceed with the NAT policies and ACLs by NAT-ing the proxy server IP and port instead of the original source.

On the proxy server this can be achieved by using a reverse proxy; in my case I used Symantec ProxySG (ex-BlueCoat), which was the actual proxy implemented.

 

Thanks,

I will keep this post updated in case I get new info about it.

 

For this you would need to add another NAT-capable device between the ASA and the internet. So you would first NAT 10.20.20.20 to an unused IP of your choosing (let's say 1.1.1.20) towards the second NAT device, and then on the second NAT device NAT 1.1.1.20 to 55.55.55.55.

--
Please remember to select a correct answer and rate helpful posts
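As an added example (not from this thread, and not Cisco's or any vendor's code), the two-hop static NAT path the reply above describes, modelled in Python so that the forward translation, the return translation and the single-device dead end can all be checked end to end. Assumptions: the intermediate address reuses the DMZ address 10.10.10.20 from the question rather than the 1.1.1.20 in the reply, the client address 203.0.113.5 is a constructed documentation-range address, and each device is modelled as applying at most one NAT rule to a packet (the single-pass behaviour that makes the second device necessary).

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port) of one side of a flow


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


class StaticNatDevice:
    """One NAT hop holding bidirectional static rules: real (inside) <-> mapped (outside).
    A packet is translated by at most one rule (modelling assumption, see lead-in)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.real_to_mapped: Dict[Tuple[str, Endpoint], Endpoint] = {}
        self.mapped_to_real: Dict[Tuple[str, Endpoint], Endpoint] = {}

    def add_static(self, proto: str, real: Endpoint, mapped: Endpoint) -> None:
        # Refuse overlapping rules: two real hosts behind one mapped socket would be ambiguous.
        if (proto, real) in self.real_to_mapped or (proto, mapped) in self.mapped_to_real:
            raise ValueError(f"{self.name}: overlapping static NAT rule {real} <-> {mapped}")
        self.real_to_mapped[(proto, real)] = mapped
        self.mapped_to_real[(proto, mapped)] = real

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the outside towards the server: rewrite destination mapped -> real."""
        real = self.mapped_to_real.get((pkt.proto, pkt.dst))
        return None if real is None else replace(pkt, dst=real)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the server: rewrite source real -> mapped (the reverse of inbound)."""
        mapped = self.real_to_mapped.get((pkt.proto, pkt.src))
        return None if mapped is None else replace(pkt, src=mapped)


def build_chain() -> List[StaticNatDevice]:
    """Internet-facing device first. Addresses come from the thread; the intermediate
    address reuses the DMZ address 10.10.10.20 from the question (assumption)."""
    asa = StaticNatDevice("asa")
    asa.add_static("tcp", ("10.20.20.20", 80), ("10.10.10.20", 8099))     # inside -> DMZ leg
    edge = StaticNatDevice("edge-nat")
    edge.add_static("tcp", ("10.10.10.20", 8099), ("55.55.55.55", 8099))  # DMZ -> public
    return [edge, asa]


def traverse(devices: List[StaticNatDevice], pkt: Packet,
             step: Callable[[StaticNatDevice, Packet], Optional[Packet]]) -> Optional[List[Packet]]:
    """Apply one NAT step per device in order; None if any hop has no matching rule."""
    hops = [pkt]
    for dev in devices:
        pkt = step(dev, pkt)
        if pkt is None:
            return None
        hops.append(pkt)
    return hops


def round_trip(devices: List[StaticNatDevice], client: Endpoint, published: Endpoint):
    """Send a client packet inwards and the server's reply back outwards.
    Returns (packet as the server sees it, reply as the client sees it), or (None, None)
    when the published socket is not reachable through the chain."""
    fwd = traverse(devices, Packet("tcp", client, published), StaticNatDevice.inbound)
    if fwd is None:
        return None, None
    at_server = fwd[-1]
    reply = Packet("tcp", at_server.dst, at_server.src)
    back = traverse(list(reversed(devices)), reply, StaticNatDevice.outbound)
    return at_server, (None if back is None else back[-1])


def single_device_view(client: Endpoint, published: Endpoint) -> Optional[Packet]:
    """Both rules on one device: only the first matching rule fires, so the packet is left
    addressed to the DMZ address and never reaches the real server (the original dead end)."""
    one = StaticNatDevice("asa-only")
    one.add_static("tcp", ("10.20.20.20", 80), ("10.10.10.20", 8099))
    one.add_static("tcp", ("10.10.10.20", 8099), ("55.55.55.55", 8099))
    return one.inbound(Packet("tcp", client, published))


if __name__ == "__main__":
    CLIENT = ("203.0.113.5", 40001)  # constructed client address (documentation range)
    chain = build_chain()
    seen, answer = round_trip(chain, CLIENT, ("55.55.55.55", 8099))
    print("server sees:", seen)
    print("client gets reply from:", answer.src)
    print("unpublished port 80 reachable:", round_trip(chain, CLIENT, ("55.55.55.55", 80)) != (None, None))
    print("single device leaves packet at:", single_device_view(CLIENT, ("55.55.55.55", 8099)).dst)
```

The `round_trip` check is the point of the model: the reply's source after both outbound hops is exactly the socket the client sent to (55.55.55.55:8099), which is what "return traffic taking the same path back" requires; the `single_device_view` call shows why one device with both rules is not enough, and the unpublished-port probe shows that only the one published service is exposed through the chain.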