Single source ip mapped ( nat ) to different ip addresses

domindiag1
Level 1

I have a situation with some lab instruments that all have the same IP address, 192.168.100.1. This is built into the firmware and changing it is not possible. So for me to have these instruments connect to specific hosts for management purposes I need to figure out a way to map (NAT) the 192.168.100.1 address to a different address: 192.168.200.1, 192.168.200.2, etc. Then have that address connect to a specific host address, 192.168.200.1 -> 192.168.8.1, etc. I have a Cisco ASA 5500 (5505 or 5520, 9.1) that I would like to use to route and NAT this traffic. Would twice NAT work here, or do I have an issue with the single IP in the translation table always going to the wrong or same instrument?

nat (instr_if,core_if) source static obj-192.168.100.1 instr_nat1 destination static real_host1 real_host1
nat (instr_if,core_if) source static obj-192.168.100.1 instr_nat2 destination static real_host2 real_host2
...
nat (instr_if,core_if) source static obj-192.168.100.1 instr_nat12 destination static real_host12 real_host12

8 Replies

Julio Carvajal
VIP Alumni

Hello Matthew,

You can do this with twice NAT, but my question is

As long as they live on different interfaces you can perform the NAT rule,

The configuration looks good

Regards

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The instruments all have a different Ethernet network interface, if that is what you mean... but if you mean the ASA will have a separate interface for each instrument, no, that would not be the case.

Hello Matthew,

If they are on the same network then how is the traffic going to reach the FW,

The only way that I can see is with U-turn

In this scenario

You will configure each application or host to connect to the other host via a mapped IP address, and this Mapped IP will be set on the ASA,

What is the version of your ASA?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Through a layer 2 switch which the firewall will be connected to.

Each instrument has the same IP and they would be mapped to an IP that would be different for each connection on the ASA, then routed to the host via a layer 3 switch. Obviously an interface (core_if) on the ASA is connected to the core (layer 3 switch).

Version 9.11

this might help....

Instrument ---> layer 2 switch --->FW ---> layer 3 switch ---> host ( server )

Hello Matthew,

Okay, so the communication would be from the instrument behind the firewall to the host (in front of the firewall).

Is that true?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Actually, yes, I guess you can say that, since I am NATing the address of the instrument to different IPs to communicate with the host, which could be viewed as in front of the firewall. The host IP is its real IP and the instrument IP is NATed to allow a different IP to be assigned, since the instrument itself has a hardcoded IP in the firmware and it will always be the same for all the instruments (192.168.100.1). Don't ask me why the manufacturer did this, but we need to try to make this work since it can't be changed on the instrument side. There are other ways around this by attaching a separate router to each instrument and NATing an IP that way. But buying and supporting multiple routers is a pain.

Hello Matthew,

Okay,

The thing is that the firewall will not be able to differentiate between one IP and the other so it will perform the NAT rule that matches the exact connection,

What I mean by this is that you can set a different NAT policy using the same source with each different destination address,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
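As an added illustration (not code from the thread or from Cisco), a small Python model of the twice-NAT matching Julio describes: a rule matches on the real source and the real destination together, first match wins, so the same real source can be given several mapped addresses. Object names and the 192.168.200.x / 192.168.8.x addresses follow the thread; host addresses beyond the first are assumed.

```python
# Assumed model of ASA twice-NAT (manual NAT) rule matching, for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TwiceNatRule:
    real_src: str     # obj-192.168.100.1 in the thread
    mapped_src: str   # instr_natN
    real_dst: str     # real_hostN
    mapped_dst: str   # real_hostN (identity translation of the destination)

# Constructed rule table mirroring the OP's twelve nat statements:
# 192.168.200.n is the mapped instrument address, 192.168.8.n the host it may reach.
RULES: List[TwiceNatRule] = [
    TwiceNatRule("192.168.100.1", f"192.168.200.{n}", f"192.168.8.{n}", f"192.168.8.{n}")
    for n in range(1, 13)
]

def translate(src: str, dst: str, rules: List[TwiceNatRule] = RULES) -> Optional[Tuple[str, str]]:
    """Return (translated_src, translated_dst) from the first rule whose real
    source AND real destination both match, or None if no rule covers the pair."""
    for rule in rules:
        if rule.real_src == src and rule.real_dst == dst:
            return (rule.mapped_src, rule.mapped_dst)
    return None

def distinguishable(flows: List[Tuple[str, str]]) -> bool:
    """True when every (src, dst) flow gets a distinct mapped source.
    Two instruments talking to the same host collide: the firewall sees the
    same real source and real destination and applies the same rule, which is
    the limitation Julio points out."""
    mapped = [translate(s, d) for s, d in flows]
    if any(m is None for m in mapped):
        return False
    return len({m[0] for m in mapped}) == len(mapped)

if __name__ == "__main__":
    print(translate("192.168.100.1", "192.168.8.1"))   # ('192.168.200.1', '192.168.8.1')
    print(distinguishable([("192.168.100.1", "192.168.8.1"),
                           ("192.168.100.1", "192.168.8.1")]))  # False
```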