Saturday, June 5, 2021

NATing the same public IP address for different services (port forwarding): Destination NAT

05/06/2021

Author: Samer R. Saleem

Subject: NATing per service (port forwarding)

 

As you may have seen in other posts, network requirements change from time to time, and each change imposes new configuration work.

One of the new scenarios that landed on my desk was allowing a remote server to access three fingerprint devices that work over a UDP service.

 

Of course, I need to make use of my existing public IP rather than waste addresses, and the obvious solution for this requirement is Network Address Translation (NAT).

 

The following diagram represents the idea of the connection:


So, our target is to translate the incoming connection according to the requested service.

For example:

If the connection is to IP X.X.X.X on UDP port 5500, the firewall translates the destination to 10.10.180.11.

If the connection is to IP X.X.X.X on UDP port 5501, the firewall translates the destination to 10.10.180.12.

Finally, if the connection is to IP X.X.X.X on UDP port 5502, the firewall translates the destination to 10.10.180.13.

 

Log in to the firewall user interface and go to Policies > NAT > Add.

To add a rule named after the fingerprint device, fill in the following:
Source zone: outside; destination zone: outside (the first outside is the internet side, the second is the zone of the firewall's outside interface, where the public IP lives)
Destination IP: X.X.X.X (the real public IP address you will use for the port forwarding)
Service: must be 5500, 5501 or 5502
>>> (if these service objects are not defined yet, define them under the Objects tab).

Screenshot of how to do that:

Here is how to configure it; I will use the first fingerprint device in my examples:

Source zone: outside; destination zone: outside; service port: 5500

Destination address: the PUBLIC IP (X.X.X.X)

Now go to the next tab (Translated Packet), which defines what the firewall does with a matching packet: it rewrites the destination and redirects the traffic to the internal IP address of fingerprint device 1.

Fill in the details as below, then press OK.



Once you have done this for device 1, you can repeat the process for the other devices.


Then allow the traffic with a security access rule:
go to Security Policy
add a new rule
source zone outside, source address any, destination zone inside, destination address 95.159.105.100, service ports 5500, 5501, 5502 > action allow. Note that the security rule is written with the post-NAT destination zone (inside) but the original, pre-NAT destination address (the public IP), because the firewall evaluates the security policy on the original destination address after the NAT lookup has decided the destination zone.



 


Then commit the configuration.
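Before committing, it is worth checking the finished rule set for the mistakes that creep in when the same forward is repeated per device. The following is an added example written for this post (not the firewall's configuration or the author's code): it models the three NAT rules and the security rule above and audits them, flagging a duplicate (shadowed) forward, a forward that no security rule permits, and a security rule that allows service any. The rule names, the zone name "inside" and the placeholder public IP X.X.X.X are assumptions.

```python
# Added example, not the post's own configuration: a model of the DNAT described above.
from dataclasses import dataclass
ANY = ("any", 0)  # service "any" in a security rule

@dataclass(frozen=True)
class NatRule:
    name: str
    zone: str           # zone of the pre-NAT destination ("outside")
    dst_ip: str         # pre-NAT destination: the public IP (X.X.X.X in the post)
    proto: str
    dport: int
    translated_ip: str  # post-NAT destination: the fingerprint device
@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str        # post-NAT zone ("inside", an assumed zone name)
    dst_ip: str         # evaluated against the pre-NAT destination, as in the post
    services: frozenset # set of (proto, port) pairs
    action: str

# Constructed sample that mirrors the post: three UDP ports on one public IP.
NAT_RULES = [
    NatRule("fp-device1", "outside", "X.X.X.X", "udp", 5500, "10.10.180.11"),
    NatRule("fp-device2", "outside", "X.X.X.X", "udp", 5501, "10.10.180.12"),
    NatRule("fp-device3", "outside", "X.X.X.X", "udp", 5502, "10.10.180.13"),
]
SEC_RULES = [SecRule("allow-fp", "outside", "inside", "X.X.X.X",
                     frozenset({("udp", 5500), ("udp", 5501), ("udp", 5502)}), "allow")]
def translate(rules, dst_ip, proto, dport):
    # First matching NAT rule wins; returns the internal IP or None.
    return next((r.translated_ip for r in rules
                 if (r.dst_ip, r.proto, r.dport) == (dst_ip, proto, dport)), None)

def audit(nat_rules, sec_rules, internal_zone="inside"):
    # Flags shadowed NAT rules, NAT rules no security rule allows, 'any'-service allows.
    findings, seen = [], {}
    for r in nat_rules:
        key = (r.dst_ip, r.proto, r.dport)
        if key in seen:
            findings.append(f"{r.name}: shadowed by {seen[key]} (same public IP/port)")
        seen.setdefault(key, r.name)
        allow = [s for s in sec_rules if s.action == "allow" and s.dst_ip == r.dst_ip
                 and (s.from_zone, s.to_zone) == (r.zone, internal_zone)
                 and (ANY in s.services or (r.proto, r.dport) in s.services)]
        if not allow:
            findings.append(f"{r.name}: no security rule permits {r.proto}/{r.dport}")
        findings += [f"{s.name}: service any exposes every port forwarded on {r.dst_ip}"
                     for s in allow if ANY in s.services]
    return findings
```

An empty list from audit() means each forwarded port reaches exactly one device and is permitted by a security rule scoped to that port.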

 

Hope this was useful!

 

Samer R. Saleem

 


