Velocity Reviews - Computer Hardware Reviews

On internal IP to many external IPs

 
 
Lars Bonnesen
08-22-2006
Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
address to many external shifting IPs sequentially?

That is, have for instance the internal address a.a.a.a make one session
through the firewall NATting it to b.b.b.b, the next session automatically to
c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

Regards, Lars.


 
Lutz Donnerhacke
08-22-2006
* Lars Bonnesen wrote:
> That is, have for instance the internal address a.a.a.a make one session
> through the firewall NATting it to b.b.b.b, the next session automatically to
> c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


You can NAT a single local IP to different global IPs statically depending
on the various foreign IPs you are connecting to.

Use "nat ... access-list" for this purpose.
 
Walter Roberson
08-22-2006
In article <44ead67a$0$12674$(E-Mail Removed)> ,
Lars Bonnesen <none@none.זרו> wrote:
>Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
>address to many external shifting IPs sequentially?


>That is, have for instance the internal address a.a.a.a make one session
>through the firewall NATting it to b.b.b.b, the next session automatically to
>c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


http://www.cisco.com/univercd/cc/td/....htm#wp1682258

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

http://www.cisco.com/univercd/cc/td/....htm#wp1651008

Dynamic NAT translates a group of real addresses to a pool of
mapped addresses that are routable on the destination network. The
mapped pool can include fewer addresses than the real group. When a
host you want to translate accesses the destination network, the
security appliance assigns it an IP address from the mapped pool.
The translation is added only when the real host initiates the
connection. The translation is in place only for the duration of
the connection, and a given user does not keep the same IP address
after the translation times out.
 
Lars Bonnesen
08-22-2006

"Lutz Donnerhacke" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)-jena.de...
>* Lars Bonnesen wrote:


> You can nat a single local IP to different global IPs statically depending
> on the various foreign IPs you are connecting to.
>
> Use "nat ... access-list" for this purpose.


It should be regardless of connection IP - no policy NAT.

Regards, Lars.


 
Lars Bonnesen
08-22-2006

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:HUFGg.440626$iF6.321594@pd7tw2no...
> In article <44ead67a$0$12674$(E-Mail Removed)> ,


> Dynamic NAT translates a group of real addresses to a pool of
> mapped addresses that are routable on the destination network. The
> mapped pool can include fewer addresses than the real group. When a
> host you want to translate accesses the destination network, the
> security appliance assigns it an IP address from the mapped pool.
> The translation is added only when the real host initiates the
> connection. The translation is in place only for the duration of
> the connection, and a given user does not keep the same IP address
> after the translation times out.


OK, this looks like what I am asking for. I tried to configure dynamic NAT
via ASDM (I am not familiar with IOS, but it looks like it's the same
according to the links you provided). But... it does not seem to have the
intended function.

What I have done is to create one "Global Address Pool" for the external
interface. It includes a range of three IP addresses. Then I have created two
dynamic NAT entries. The original IP is their local address and the external
address is translated to this global address pool. But what happens is that
each internal access gets translated to the same external address. What I
would want is that each internal address gets either a sequential or random
address from the created global address pool. What have I done wrong?

Is what I am trying to achieve impossible?

Regards, Lars.


 
Barry Margolin
08-22-2006
In article <44ead67a$0$12674$(E-Mail Removed)> ,
"Lars Bonnesen" <none@none.זרו> wrote:

> Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
> address to many external shifting IPs sequentially?
>
> That is, have for instance the internal address a.a.a.a make one session
> through the firewall NATting it to b.b.b.b, the next session automatically to
> c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


Why would you need to do this?

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
Lars Bonnesen
08-22-2006

"Barry Margolin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <44ead67a$0$12674$(E-Mail Removed)> ,
> "Lars Bonnesen" <none@none.זרו> wrote:
>
>> Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
>> address to many external shifting IPs sequentially?
>>
>> That is, have for instance the internal address a.a.a.a make one session
>> through the firewall NATting it to b.b.b.b, the next session automatically
>> to
>> c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

>
> Why would you need to do this?


In order to have given traffic not originate from the same IP.

Regards, Lars.


 
Lars Bonnesen
08-30-2006
I have tried a lot to get the description below to work. I am looking for a
way to get an internal IP address NATed to several external IPs randomly.
What I get from the configuration below is that the one internal IP gets
NATed to the same external IP (even though I have created a pool) - is what
I am looking for (NAT'ing one internal IP to several external IPs) possible?

Regards, Lars.

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:HUFGg.440626$iF6.321594@pd7tw2no...
> In article <44ead67a$0$12674$(E-Mail Removed)> ,
> Lars Bonnesen <none@none.זרו> wrote:
>>Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
>>address to many external shifting IPs sequentially?

>
>>That is, have for instance the internal address a.a.a.a make one session
>>through the firewall NATting it to b.b.b.b, the next session automatically
>>to
>>c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

>
> http://www.cisco.com/univercd/cc/td/....htm#wp1682258
>
> global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] |
> interface}
>
> http://www.cisco.com/univercd/cc/td/....htm#wp1651008
>
> Dynamic NAT translates a group of real addresses to a pool of
> mapped addresses that are routable on the destination network. The
> mapped pool can include fewer addresses than the real group. When a
> host you want to translate accesses the destination network, the
> security appliance assigns it an IP address from the mapped pool.
> The translation is added only when the real host initiates the
> connection. The translation is in place only for the duration of
> the connection, and a given user does not keep the same IP address
> after the translation times out.



 
Walter Roberson
08-31-2006
In article <44f60b7e$0$12622$(E-Mail Removed)> ,
Lars Bonnesen <none@none.זרו> wrote:
>I have tried a lot to get the description below to work. I am looking for a
>way to get an internal IP address NATed to several external IPs randomly.
>What I get from the configuration below is that the one internal IP gets
>NATed to the same external IP (even though I have created a pool) - is what
>I am looking for (NAT'ing one internal IP to several external IPs) possible?


If you use nat and a global address pool, then upon forming a connection
to the outside, the internal host will be associated with a global
IP address for the purposes of the connection. If another outgoing
connection is formed while the first is in use, the same global IP
will be used, even if the destination is different. (This behaviour
is desirable for certain fixups, e.g. so that a remote host can
form an ftp data connection back to the same IP: ftp to a different IP
is blocked by some firewalls.) As long as there continue to be active
flows associated with the internal host, the same global IP will be
used. When the last flow associated with the internal host finishes,
the association between that internal host and that global IP will
be removed. When the internal host next tries to go out after that,
it will be assigned whatever the next available global IP is.

Note: in my experience, the PIX tends to assign global IPs as
"first unused on the list", not at random and not circular. This is
partly due to the definition of the effect of having multiple global
pools associated with the NAT policy.
 
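The allocation behaviour Walter describes above (one xlate per real host, kept while any of its flows is active, freed when the last flow ends, and the next address chosen as the first unused entry in the pool rather than round-robin) is what makes Lars's test with a three-address pool keep producing the same external IP. The following Python model is an added example, not code from the thread, from Cisco, or from any appliance firmware: it simulates a dynamic NAT xlate table under exactly those rules, with a constructed pool (198.51.100.1-3), constructed internal hosts (10.0.0.x) and a hypothetical `DynamicNatTable` class, so that the observed behaviour can be reproduced offline and compared against what a real ASA/PIX shows in `show xlate`.

```python
from typing import Dict, List, Set, Tuple

# Constructed three-address global pool, in list order (documentation range,
# standing in for the "global (outside) ..." range discussed in the thread).
GLOBAL_POOL: List[str] = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]


class DynamicNatTable:
    """Toy model of dynamic NAT xlate allocation as described in the thread.

    Assumptions (taken from Walter Roberson's description, not from Cisco
    documentation): one translation per real host, created on the first
    outbound flow, kept while any flow of that host is active, removed when
    the last flow ends; free addresses are handed out "first unused on the
    list", not at random and not round-robin.
    """

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)
        self.xlate: Dict[str, str] = {}   # real ip -> mapped ip
        self.flows: Dict[int, str] = {}   # flow id -> real ip owning it
        self._next_flow_id = 1

    def _allocate(self, real_ip: str) -> str:
        in_use: Set[str] = set(self.xlate.values())
        for mapped in self.pool:          # first unused entry wins
            if mapped not in in_use:
                self.xlate[real_ip] = mapped
                return mapped
        raise RuntimeError("global pool exhausted, no xlate for %s" % real_ip)

    def open_connection(self, real_ip: str, dest_ip: str) -> Tuple[int, str]:
        """Start an outbound flow; return (flow id, mapped ip).

        dest_ip is accepted only to make the point that, without policy NAT,
        the destination plays no part in choosing the mapped address.
        """
        mapped = self.xlate.get(real_ip) or self._allocate(real_ip)
        fid = self._next_flow_id
        self._next_flow_id += 1
        self.flows[fid] = real_ip
        return fid, mapped

    def close_connection(self, flow_id: int) -> None:
        """End a flow; drop the host's xlate once its last flow is gone."""
        real_ip = self.flows.pop(flow_id)
        if real_ip not in self.flows.values():
            del self.xlate[real_ip]


def single_host_scenario() -> List[str]:
    """Lars's test: one inside host, three-address pool, overlapping sessions."""
    nat = DynamicNatTable(GLOBAL_POOL)
    host = "10.0.0.5"
    f1, m1 = nat.open_connection(host, "203.0.113.10")
    f2, m2 = nat.open_connection(host, "203.0.113.20")  # f1 active -> same IP
    nat.close_connection(f1)
    f3, m3 = nat.open_connection(host, "203.0.113.30")  # f2 active -> same IP
    nat.close_connection(f2)
    nat.close_connection(f3)                             # xlate now removed
    f4, m4 = nat.open_connection(host, "203.0.113.40")  # first unused: .1 again
    return [m1, m2, m3, m4]


def multi_host_scenario() -> List[str]:
    """Several hosts: a freed address is reused before a never-used one."""
    nat = DynamicNatTable(GLOBAL_POOL)
    fa, ma = nat.open_connection("10.0.0.5", "203.0.113.10")  # .1
    fb, mb = nat.open_connection("10.0.0.6", "203.0.113.10")  # .2
    nat.close_connection(fa)                                  # .1 freed
    fc, mc = nat.open_connection("10.0.0.7", "203.0.113.10")  # .1 (first unused)
    fa2, ma2 = nat.open_connection("10.0.0.5", "203.0.113.10")  # .3
    return [ma, mb, mc, ma2]


def fourth_host_is_refused() -> bool:
    """With three addresses in use, a fourth host cannot get a translation."""
    nat = DynamicNatTable(GLOBAL_POOL)
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        nat.open_connection(host, "203.0.113.10")
    try:
        nat.open_connection("10.0.0.8", "203.0.113.10")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("single host :", single_host_scenario())
    print("multi host  :", multi_host_scenario())
    print("4th refused :", fourth_host_is_refused())
```

The single-host run is the thread's symptom in miniature: with nobody else holding pool entries, the first unused entry is always the first entry, so the lone host lands on 198.51.100.1 every time, whether or not its earlier sessions have timed out. Only the multi-host run shows addresses other than the first being handed out, and then only because another host is occupying the lower ones. Real appliances also apply idle timeouts to the xlate and, for PAT pools, per-port allocation, neither of which this model attempts.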
 
 
 