12-03-2014 12:29 PM
I believe I know the answer after looking around.
We have NATs that work fine when it is 1to1.
But what about 1 External IP that represents many Internal Hosts? We have multiple websites that when you do a lookup in DNS, they all point to a singular public facing IP. That public facing IP is represented by our ISA.
External Internal
mysite.org - xxx.xxx.67.18 > 192.168.1.20
mysite1.org - xxx.xxx.67.18 > 192.168.1.21
mysite2.org - xxx.xxx.67.18 > 192.168.1.22
Could this be done by changing addresses (Objects > Addresses) to use FQDN instead of IP?
So the thought there would be:
2 New Objects
------------------
Name: mysite.org (outside) - FQDN: mysite.org
Name: mysite.org (inside) - IP Address: 199.168.1.20
NAT Policy
-----------------
Src: untrust
Dst: untrust
Src Addr: Any
Src Addr: mysite.org (outside)
Dst Addr Translation: mysite.org (inside)
Security Policy
-------------------
Src: Any
Dst: mysite.org (outside)
Thoughts?
12-03-2014 12:52 PM
Hello greeng,
The above mentioned setup will work fine if you are running internal servers on different port. For an example:
External Internal
mysite.org - xxx.xxx.67.18 Port-80 > 192.168.1.20 -port-80
mysite1.org - xxx.xxx.67.18 port-8080 > 192.168.1.21 -port-8080
mysite2.org - xxx.xxx.67.18 port-443 > 192.168.1.22 port 443
NAT/security policy should be configures as mentioned below:
Name: mysite.org (outside) - FQDN: mysite.org
Name: mysite.org (inside) - IP Address: 199.168.1.20
NAT Policy
-----------------
Src: untrust
Dst: untrust
Src Addr: Any
Service: http/https or custom service
Destination Addr: mysite.org (outside)
Dst Addr Translation: mysite.org (inside)/192.168.1.21/192.168.1.22
Security Policy
-------------------
Src: Any
Dst: mysite.org (inside)
Hope this helps.
Thanks
12-03-2014 01:09 PM
Hi greeng,
The mentioned setup will work if you are running internal server with different private IP address. Please find the below example for the same.
External Internal
mysite.org - xxx.xxx.67.18 Port-2000 > 192.168.1.20 -port-80
mysite1.org - xxx.xxx.67.18 port-2001 > 192.168.1.21 -port-80
mysite2.org - xxx.xxx.67.18 port-2002 > 192.168.1.22 port 80
NAT/security policy should be configures as mentioned below:
Name: mysite.org (outside) - FQDN: mysite.org
Name: mysite.org (inside) - IP Address: 192.168.1.20
NAT Policy
-----------------
Src: untrust
Dst: untrust
Src Addr: Any
Services : External Port ( Ex : 2000, 2001, 2002)
Destination Addr: mysite.org (outside)
Dst Addr Translation: mysite.org (inside)
Dst port : 80
Security Policy
-------------------
Src: untrust
Dst: trust
Dst addr : mysite.org (outside)
Regards,
Sarath
12-03-2014 01:44 PM
You are welcome. Let us know how it goes :smileygrin:
Thanks
12-11-2014 07:14 AM
I agree with Hulk.
The only way you can do a "1 to many" NAT is via PAT. You must set up separate ports for each connection.
12-11-2014 11:40 AM
This video tutorial will help you with the DNAT configuration.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
