On internal IP to many external IPs

Is it possible to configure an ASA5520 with ASDM 5.0 to NAT an internal IP address to many external shifting IPs sequentially?

That is, have for instance the internal address a.a.a.a make one session through the firewall NATting it to b.b.b.b, the next session automatically to c.c.c.c, the next to d.d.d.d (all from a predefined pool)?

Regards, Lars.

Lars Bonnesen

You can nat a single local IP to different global IPs statically depending on the various foreign IPs you are connecting to.

Use "nat ... access-list" for this purpose.

Lutz Donnerhacke

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out.

Walter Roberson

It should be regardless of connection IP - no policy NAT.

Regards, Lars.

Lars Bonnesen

"Walter Roberson" wrote in message news:HUFGg.440626$iF6.321594@pd7tw2no...

Ok, this looks like what I am asking for. I tried to configure dynamic NAT via ASDM (I am not familiar with IOS, but it looks like it's the same according to the links you provided). But... it does not seem to have the intended function.

What I have done is to create one "Global Address Pool" for the external interface. It includes a range of three IP addresses. Then I have created two dynamic NAT entries. The original IP is their local address and the external address is translated to this global address pool. But what happens is that each internal access gets translated to the same external address. What I would want is that each internal address gets either a sequential or random address from the created global address pool. What have I done wrong?

Is what I am trying to achieve impossible?

Regards, Lars.

Lars Bonnesen

Why would you need to do this?

Barry Margolin

"Barry Margolin" wrote in message news: snipped-for-privacy@comcast.dca.giganews.com...

In order to have given traffic not originate from the same IP.

Regards, Lars.

Lars Bonnesen

I have tried a lot to get the description below to work. I am looking for a way to get an internal IP address NATed to several external IPs randomly. What I get from the configuration below is that the one internal IP gets NATed to the same external IP (even though I have created a pool) - is what I am looking for (NAT'ing one internal IP to several external IPs) possible?

Regards, Lars.

"Walter Roberson" wrote in message news:HUFGg.440626$iF6.321594@pd7tw2no...


Lars Bonnesen

If you use nat and a global address pool, then upon forming a connection to the outside, the internal host will be associated with a global IP address for the purposes of the connection. If another outgoing connection is formed while the first is in use, the same global IP will be used, even if the destination is different. (This behaviour is desirable for certain fixups, e.g. so that a remote host can form an ftp data connection back to the same IP: ftp to a different IP is blocked by some firewalls.) As long as there continue to be active flows associated with the internal host, the same global IP will be used. When the last flow associated with the internal host finishes, the association between that internal host and that global IP will be removed. When the internal host next tries to go out after that, it will be assigned whatever the next available global IP is.

Note: in my experience, the PIX tends to assign global IPs as "first unused on the list", not at random and not circular. This is partly due to the definition of the effect of having multiple global pools associated with the NAT policy.

Walter Roberson
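A small model of the pool allocation Walter describes (and of the dynamic NAT description quoted earlier in the thread), added here as an example; it is not Cisco's code, and the hosts, pool addresses and destinations are constructed. It reproduces why a single inside host with a three-address pool keeps landing on the same mapped address, while a second host does get the next free one:

```python
# Added example: a simplified model of PIX/ASA dynamic NAT ("nat"/"global"
# pool) allocation. Not Cisco's code; constructed to show why one inside
# host keeps getting the same mapped address from a pool.
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int]  # (destination IP, destination port)


class DynamicNatPool:
    """Mapped-address pool for one nat_id, e.g. 'global (outside) 1 b.b.b.b-d.d.d.d'."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = pool                         # ordered as configured
        self.xlate: Dict[str, str] = {}          # real_ip -> mapped_ip
        self.flows: Dict[str, Set[Flow]] = {}    # real_ip -> active flows

    def open_flow(self, real_ip: str, dst_ip: str, dst_port: int) -> str:
        """Inside host initiates a connection; returns the mapped (global) IP."""
        if real_ip not in self.xlate:
            # No existing translation: take the first unused pool address
            # (first unused in list order, not random and not round-robin).
            in_use = set(self.xlate.values())
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                raise RuntimeError("global pool exhausted (PAT fallback not modelled)")
            self.xlate[real_ip] = free[0]
            self.flows[real_ip] = set()
        # Further connections, whatever the destination, reuse the existing xlate.
        self.flows[real_ip].add((dst_ip, dst_port))
        return self.xlate[real_ip]

    def close_flow(self, real_ip: str, dst_ip: str, dst_port: int) -> None:
        """Flow ends; with no active flows left (xlate timeout expired on a real box), the association is dropped."""
        self.flows[real_ip].discard((dst_ip, dst_port))
        if not self.flows[real_ip]:
            del self.flows[real_ip], self.xlate[real_ip]


def demo() -> List[Tuple[str, str]]:
    """The thread's scenario: inside host a.a.a.a and a constructed three-address pool."""
    nat = DynamicNatPool(["b.b.b.b", "c.c.c.c", "d.d.d.d"])
    log = []
    log.append(("a.a.a.a", nat.open_flow("a.a.a.a", "198.51.100.10", 80)))
    log.append(("a.a.a.a", nat.open_flow("a.a.a.a", "198.51.100.20", 443)))  # same mapped IP
    log.append(("a.a.a.z", nat.open_flow("a.a.a.z", "198.51.100.10", 80)))   # second host: next free
    nat.close_flow("a.a.a.a", "198.51.100.10", 80)
    nat.close_flow("a.a.a.a", "198.51.100.20", 443)   # last flow -> xlate for a.a.a.a dropped
    log.append(("a.a.a.a", nat.open_flow("a.a.a.a", "198.51.100.30", 22)))   # first unused again
    return log
```

Because b.b.b.b is free again once a.a.a.a's last flow ends, the host is handed the same address for its next session; only other hosts holding pool addresses push it further down the list.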
