cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3974
Views
5
Helpful
47
Replies

NAT with multiple external IPs and multiple internal IPs sharing public specific IPs

shell_uk_
Level 1
Level 1

Hi all

I can't quit hit the nail on the head with this one. Any help would be very much appreciated please :)

Cisco ASA 5505
Running 8.4(1)

Example of what I am trying to do (I've basically ran out of public IPs and need to direct access to certain hosts and services inside but for complicated reasons I won't go in to as it won't help here/just complicate it more for no reason, they can't be on the 'general usage' IP so I need to share some of these other public IPs).

Public IP range: 12.34.56.1 - 12.34.56.5

Internal IP range: 192.168.1.1 - 192.168.1.254

12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.

12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1

12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.

Bits of the config I think are relevant (please say if I've missed something):

interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3

access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www

nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https

Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.

This results in this in the log:

4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]

If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either as expected):

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   12.34.56.1    255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What am I messing up with the NATing/port forwarding please?

Thank you!

Edit: Sorry John. Typo - corrected!

1 Accepted Solution

Accepted Solutions

Am I missing something that will have broken here?

As long as your specific port translations are higher up in the order you should be okay.

The only thing I would say, and it is just a suggestion, is that with your static statements for the whole IPs ie. the last two you are in effect opening up every port to server-2 (but not server-3 because of what I explained earlier).

Obviously you have an acl to control access but you could if you wanted remove the last two statements and replace it with your original dynamic NAT statement.

As long as it still came after the more specific static port translations in the same section then it should work fine.

That way you are not opening up any ports that may accidentally be allowed in your acl.

So it would basically be the first option I suggested in a previous post.

But it is entirely up to you.

Jon

View solution in original post

47 Replies 47

mlovellette
Level 4
Level 4

In the config you provided I do not see what NAT-IP-2 is referencing in the following line:

 

"object network server-2 nat (inside,outside) static NAT-IP-2 service tcp https https"

Corrected it, sorry.

I daftly changed the example IPs around after writing the post so they related better (well that was the aim) to what I'm actually dealing with but messed up :(

Jon Marshall
Hall of Fame
Hall of Fame

Can you post a "sh nat" ?

Jon

Jon:

Saw your original reply on the notification email. Was my typo sorry. Corrected it in the original post now. I believe that nat line is correct.

# sh nat
Manual NAT Policies (Section 1)
1 <vpn stuff>
2 <vpn stuff>
3 <port translation for general IP>
4 <another port translation for general IP>
5 <another>
6 (inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
    translate_hits = 10828, untranslate_hits = 9773
(I'm not if this count is for when I got it working for just one server at one point.. not worked out again how I did that)

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static server-4 12.34.56.2
    translate_hits = 11406622, untranslate_hits = 576964
2 (inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static server-5 12.34.56.3
    translate_hits = 97036, untranslate_hits = 1149482
4 (inside) to (outside) source static server-6 12.34.56.4
    translate_hits = 65, untranslate_hits = 174
5 <vpn stuff>
6 (inside) to (outside) source dynamic LAN interface
    translate_hits = 63479715, untranslate_hits = 53493227

This is your problem ie, you have in section 1 -

(inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

and then in section 2

(inside) to (outside) source static server-2 NAT-IP-1 service tcp https https

the first rule is matching the inbound traffic so it never gets to your section 2 port mappings.

What do you actually want to do in terms of the outbound traffic from those servers ?

Jon
 

Everything except the specified stuff goes out and in on 12.34.56.5.

I need these 2 internal servers to share the public IP '12.34.56.1' both in and out basically.

Edit: And 12.34.56.2/.3/.4 are all dedicated to specific internal IPs. This works fine.

Can you post a full "sh nat" without editing anything out ?

Jon

Hello,

Please find below mentioned your requirement and confirmed.

1. Server 192.168.1.2 and 192.168.1.3 will use ip 12.34.65.1 for traffic 443 and 80

2. Rest of the network will use 12.35.56.5 for coummunication

Jeevak,

Public IP..      LAN IP..

12.34.56.1     192.168.1.2 (port 443) and 192.168.1.3 (port 80)

12.34.56.2     192.168.1.4 (various ports)

12.34.56.3     192.168.1.10 (various ports)

12.34.56.4     192.168.1.50 (various ports)

12.34.56.5     Any 192.168.1.* IP not mentioned above

 

Thanks

You can try doing the following

no nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

nat (inside,outside) after-auto source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

I don't think it would ever get there because there is a general dynamic rule in section 2 for all LAN IPs.

Jon

Sorry Jon, I did not see your comment from earlier and yes you are correct.

No problem, we are all just trying to help and post 8.3 NAT isn't the easiest thing to work with.

I get confused by it all the time :-)

Jon

Thank you every one. Very much appreciated.

I've read replies, I'm going to through them again but to clarify what I am trying to do:

Public IP 12.34.56.1
192.168.1.2 and 192.168.1.3 should use (share) 12.34.56.1 for all their out going connections. I also need to map ports such as 443 to 192.168.1.2 and port 80 to 192.168.1.3 from the public IP 12.34.56.1.
With the config posted in my original post the outgoing IP bit works fine but not the incoming port forwarding.

Public IP 12.34.56.2    
192.168.1.4 only should use 12.34.56.2 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.2. This all works fine.

Public IP 12.34.56.3
192.168.1.10 only should use 12.34.56.3 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.3. This all works fine.

Public IP 12.34.56.4
192.168.1.50 only should use 12.34.56.4 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.4. This all works fine.

Public IP 12.34.56.5
Any other internal hosts (so anything 192.168.1.* that is not 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.10, or 192.168.1.50) should use 12.34.56.5 for their out going IP. Works fine.

Review Cisco Networking for a $25 gift card