One internal IP to many external IPs

Discussion in 'Cisco' started by Lars Bonnesen, Aug 22, 2006.

  1. Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
    address to many external shifting IPs sequentially?

    That is, have for instance the internal address a.a.a.a make one session
    through the firewall natting it to b.b.b.b, the next session automatically to
    c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

    Regards, Lars.
    Lars Bonnesen, Aug 22, 2006
    #1

  2. * Lars Bonnesen wrote:
    > That is, have for instance the internal address a.a.a.a make one session
    > through the firewall natting it to b.b.b.b, the next session automatically to
    > c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


    You can nat a single local IP to different global IPs statically depending
    on the various foreign IPs you are connecting to.

    Use "nat ... access-list" for this purpose.
    Lutz Donnerhacke, Aug 22, 2006
    #2

  3. In article <44ead67a$0$12674$>,
    Lars Bonnesen <none@none.æøå> wrote:
    >Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
    >address to many external shifting IPs sequentially?

    >That is, have for instance the internal address a.a.a.a make one session
    >through the firewall natting it to b.b.b.b, the next session automatically to
    >c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/gh_711.htm#wp1682258

    global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/no_711.htm#wp1651008

    Dynamic NAT translates a group of real addresses to a pool of
    mapped addresses that are routable on the destination network. The
    mapped pool can include fewer addresses than the real group. When a
    host you want to translate accesses the destination network, the
    security appliance assigns it an IP address from the mapped pool.
    The translation is added only when the real host initiates the
    connection. The translation is in place only for the duration of
    the connection, and a given user does not keep the same IP address
    after the translation times out
    Walter Roberson, Aug 22, 2006
    #3
  4. "Lutz Donnerhacke" <> wrote in message
    news:-jena.de...
    >* Lars Bonnesen wrote:


    > You can nat a single local IP to different global IPs statically depending
    > on the various foreign IPs you are connecting to.
    >
    > Use "nat ... access-list" for this purpose.


    It should be regardless of connection IP - no policy NAT.

    Regards, Lars.
    Lars Bonnesen, Aug 22, 2006
    #4
  5. "Walter Roberson" <> wrote in message
    news:HUFGg.440626$iF6.321594@pd7tw2no...
    > In article <44ead67a$0$12674$>,


    > Dynamic NAT translates a group of real addresses to a pool of
    > mapped addresses that are routable on the destination network. The
    > mapped pool can include fewer addresses than the real group. When a
    > host you want to translate accesses the destination network, the
    > security appliance assigns it an IP address from the mapped pool.
    > The translation is added only when the real host initiates the
    > connection. The translation is in place only for the duration of
    > the connection, and a given user does not keep the same IP address
    > after the translation times out


    OK, this looks like what I am asking for. I tried to configure dynamic NAT
    via ASDM (I am not familiar with IOS, but it looks like it's the same
    according to the links you provided). But... it does not seem to have the
    intended function.

    What I have done is to create one "Global Address Pool" for the external
    interface. It includes a range of three IP addresses. Then I have created two
    dynamic NAT entries. The original IP is their local address and the external
    address is translated to this global address pool. But what happens is that
    each internal access gets translated to the same external address. What I
    would want is that each internal address gets either a sequential or random
    address from the created global address pool. What have I done wrong?

    Is what I am trying to achieve impossible?

    Regards, Lars.
    Lars Bonnesen, Aug 22, 2006
    #5
  6. In article <44ead67a$0$12674$>,
    "Lars Bonnesen" <none@none.æøå> wrote:

    > Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
    > address to many external shifting IPs sequentially?
    >
    > That is, have for instance the internal address a.a.a.a make one session
    > through the firewall natting it to b.b.b.b, the next session automatically to
    > c.c.c.c, the next to d.d.d.d (all from a predefined pool)?


    Why would you need to do this?

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Aug 22, 2006
    #6
  7. "Barry Margolin" <> wrote in message
    news:...
    > In article <44ead67a$0$12674$>,
    > "Lars Bonnesen" <none@none.æøå> wrote:
    >
    >> Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
    >> address to many external shifting IPs sequentially?
    >>
    >> That is, have for instance the internal address a.a.a.a make one session
    >> through the firewall natting it to b.b.b.b, the next session automatically
    >> to c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

    >
    > Why would you need to do this?


    In order to have given traffic not originating from the same IP.

    Regards, Lars.
    Lars Bonnesen, Aug 22, 2006
    #7
  8. I have tried a lot to get the description below to work. I am looking for a
    way to get an internal IP address NATed to several external IPs randomly.
    What I get from the configuration below is that the one internal IP gets
    NATed to the same external IP (even though I have created a pool) - is what
    I am looking for (NAT'ing one internal IP to several external IPs) possible?

    Regards, Lars.

    "Walter Roberson" <> wrote in message
    news:HUFGg.440626$iF6.321594@pd7tw2no...
    > In article <44ead67a$0$12674$>,
    > Lars Bonnesen <none@none.æøå> wrote:
    >>Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP
    >>address to many external shifting IPs sequentially?
    >
    >>That is, have for instance the internal address a.a.a.a make one session
    >>through the firewall natting it to b.b.b.b, the next session automatically
    >>to c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

    >
    > http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/gh_711.htm#wp1682258
    >
    > global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] |
    > interface}
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/no_711.htm#wp1651008
    >
    > Dynamic NAT translates a group of real addresses to a pool of
    > mapped addresses that are routable on the destination network. The
    > mapped pool can include fewer addresses than the real group. When a
    > host you want to translate accesses the destination network, the
    > security appliance assigns it an IP address from the mapped pool.
    > The translation is added only when the real host initiates the
    > connection. The translation is in place only for the duration of
    > the connection, and a given user does not keep the same IP address
    > after the translation times out
    Lars Bonnesen, Aug 30, 2006
    #8
  9. In article <44f60b7e$0$12622$>,
    Lars Bonnesen <none@none.æøå> wrote:
    >I have tried a lot to get the description below to work. I am looking for a
    >way to get an internal IP address NATed to several external IPs randomly.
    >What I get from the configuration below is that the one internal IP gets
    >NATed to the same external IP (even though I have created a pool) - is what
    >I am looking for (NAT'ing one internal IP to several external IPs) possible?


    If you use nat and a global address pool, then upon forming a connection
    to the outside, the internal host will be associated with a global
    IP address for the purposes of the connection. If another outgoing
    connection is formed while the first is in use, the same global IP
    will be used, even if the destination is different. (This behaviour
    is desirable for certain fixups, e.g. so that a remote host can
    form an ftp data connection back to the same IP: ftp to a different IP
    is blocked by some firewalls.) As long as there continue to be active
    flows associated with the internal host, the same global IP will be
    used. When the last flow associated with the internal host finishes,
    the association between that internal host and that global IP will
    be removed. When the internal host next tries to go out after that,
    it will be assigned whatever the next available global IP is.

    Note: in my experience, the PIX tends to assign global IPs as
    "first unused on the list", not at random and not circular. This is
    partly due to the definition of the effect of having multiple global
    pools associated with the NAT policy.
    Walter Roberson, Aug 31, 2006
    #9
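
The allocation behaviour described in post #9, as an added Python model that is not part of the original thread and is not Cisco code: a binding is held while the host has active flows, and a new binding takes the first unused pool address. The class and function names, the sample addresses, and the immediate release when the last flow closes (no idle timeout) are assumptions of this example.

```python
"""Toy model of dynamic NAT pool allocation as described in post #9."""
from ipaddress import ip_address


class DynamicNatPool:
    def __init__(self, first, last):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.pool = [str(ip_address(n)) for n in range(lo, hi + 1)]  # ordered
        self.xlate = {}  # internal host -> global IP currently bound to it
        self.flows = {}  # internal host -> number of active flows

    def open_flow(self, host):
        """Start an outbound connection; return the global IP it leaves from."""
        if host not in self.xlate:
            in_use = set(self.xlate.values())
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                raise RuntimeError("global pool exhausted")
            self.xlate[host] = free[0]  # "first unused on the list"
        self.flows[host] = self.flows.get(host, 0) + 1
        return self.xlate[host]

    def close_flow(self, host):
        """End one connection; drop the binding when the last flow finishes."""
        self.flows[host] -= 1
        if self.flows[host] == 0:
            del self.flows[host], self.xlate[host]


def demo():
    # Constructed sample addresses (RFC 5737 / RFC 1918 ranges).
    nat = DynamicNatPool("203.0.113.10", "203.0.113.12")
    seen = [
        nat.open_flow("10.0.0.5"),  # first session binds the first pool entry
        nat.open_flow("10.0.0.5"),  # overlapping session reuses that binding
        nat.open_flow("10.0.0.6"),  # a second host gets the next unused entry
    ]
    nat.close_flow("10.0.0.5")
    nat.close_flow("10.0.0.5")      # last flow ended: binding removed
    seen.append(nat.open_flow("10.0.0.5"))  # first unused again, not "next"
    return seen


if __name__ == "__main__":
    print(demo())
```

For log attribution the consequence is that a global address identifies an internal host only for the lifetime of its binding, so translation records need timestamps to map an external address back to a host.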