Static Policy NAT Question

Nicholas Beard · ‎04-25-2012

Hi All,

I have a query regarding static policy NAT within the following scenario -

I have the following simulated setup -

3 customers (CUS#1, CUS#2 and CUS#3)
Each customer has a server (CUS1-SRV#1 - 192.168.1.1/24, CUS2-SRV#1 - 192.168.2.1/24 and CUS3-SRV#1 - 192.168.3.1/24)
All servers are located in the same location sat behind 1 Cisco ASA firewall
Each customer server is VLAN'd for segregation (ignore security issues for the moment)
Each server will NAT as the same address (a single public /32)
Each customer has a remote premises with a public IP address space (CUS1-SITE#1 - 1.1.1.1/24, CUS2-SITE#1 - 2.2.2.2/24 and CUS3-SITE#1 - 3.3.3.3/24)

If each server translates from inside the firewall to outside the firewall as the same /32 address (PAT) they will all have internet access as the same public IP address. I then want to publish services from CUS1-SRV#1 to CUS1-SITE#1 and CUS2-SRV#1 to CUS2-SITE#1. So basically, publish each customers server services to their specific remote site.

I am aware that policy NAT exists and I can perform a NAT based on destination but what i would like to be able to do is the perform a sort of reverse remote site source address translation. CUS1-SITE#1 targets the public /32 address of the server and is then translated to the correct server internally for that customer (192.168.1.1). Is this at all possible?

Thanks

Nick

Jouni Forss · ‎04-25-2012

Hi,

What software are you running software are you running on the ASA?

Are you going to publish services with the same port like TCP/80 for each server?

- Jouni

Nicholas Beard · ‎04-25-2012

Jouni, thanks for the prompt response.

The software can be any version 8 IOS.

Each customer server will publish the same services such as - WWW (80), SMTP (25), RRAS (1723), RDP (3389) etc.

Jouni Forss · ‎04-25-2012

Hi,

This is something I have to test to able to answer it.

I mean its not a good idea in the first place to start providing services to public network with a single IP address. Would be good to have a small network of public IP addresses from the ISP.

What I am wondering is the fact that if we in this case know the source address of each host connecting to the servers, can we forward the same ports to different hosts since our NAT configuration would still state the different source address for each configuration.

I could probably test this at my own ASA later.

I got to say though that would be best to have a small /29 public network atleast from the ISP so you could dedicate a single public IP for each server. I'd imagine it would make your life easier in the log run.

I will check this thing out later today unless someone else gives an answer

- Jouni

Nicholas Beard · ‎04-25-2012

Thanks again Jouni, it is much appreciated.

I realise having a /29 range of public addresses would allow me to support further customers by performing one to one static mapping of addresses for each customer server. This was more of a "Can this be done?" question. Luckily, I am not actually in this situation

Thanks

Nick

Jouni Forss · ‎04-25-2012

Ok,

Might still test this just to see if it is possible. First gut feeling would be that its impossible to forward the same ports to different hosts. Unless you used a different mapped port for each customer. Which would probably cause more problems

- Jouni

Nicholas Beard · ‎04-25-2012

I would tend to agree, im just extremely curious as to the process of the ASA for this.

For example, if i configured the following -

access-list external_nat permit tcp 1.1.1.1 0.0.0.255 host 192.168.1.1 eq http

access-list external_nat permit tcp 1.1.1.1 0.0.0.255 eq http "/32 public IP"

static (outside,inside) 192.168.1.1 access-list external_nat

Would the ASA then NAT packets from 1.1.1.1/24 to 192.168.1.1 when the destination port is http and the source port is http to the public /32 ip address

I realise the source port is unlikely to be http but just for example purposes??