To test your scenario I set up the following lab:
The 10.0.0.0/24 network is your -RangeOfIPs-.
When traffic comes from 10.0.0.0/24 it will be NATed to 192.168.0.21.
Traffic sourcing from 192.168.0.114 will be NATed to 10.1.1.21.
Configuration:
R3(config)#int f0/0
R3(config-if)#ip nat outside
R3(config-if)#int f0/1
R3(config-if)#ip nat inside
The above commands define the interfaces as outside and inside.
R3(config)#ip nat inside source static 192.168.0.114 10.1.1.21
This command translates the inside local address of 192.168.0.114 to an inside global address of 10.1.1.21.
R3(config)#access-list 1 permit 10.0.0.0 0.0.0.255
This access-list defines which hosts on the outside will get NATed.
R3(config)#ip nat pool NAT_POOL 192.168.0.21 192.168.0.21 netmask 255.255.255.0
We create a NAT pool consisting of a single address.
R3(config)#ip nat outside source list 1 pool NAT_POOL add-route
Then we configure it so that hosts matching access-list 1 will get NATed to 192.168.0.21.
It is important to configure add-route here or to add a static route because when doing inside to outside
NAT, NAT takes place before routing in the order of operations. That means that R3 must have a route for 10.1.1.21.
R3 now has the following NAT table:
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.0.21 10.0.0.1
--- 10.1.1.21 192.168.0.114 --- ---
Note that R4 has been configured with an IP address and ip routing
turned off to emulate a host. Debugging of ICMP on R1 is enabled and debugging of ip nat on R3 is also enabled.
R1#debug ip icmp
ICMP packet debugging is on
R3#debug ip nat
IP NAT debugging is on
A ping is then issued from R1:
R1#ping 10.1.1.21 so f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.21, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/104 ms
R1#
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
Debug and NAT table from R3:
NAT*: s=10.0.0.1->192.168.0.21, d=10.1.1.21 [15]
NAT*: s=192.168.0.21, d=10.1.1.21->192.168.0.114 [15]
NAT: s=192.168.0.114->10.1.1.21, d=192.168.0.21 [15]
NAT: s=10.1.1.21, d=192.168.0.21->10.0.0.1 [15]
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.0.21 10.0.0.1
icmp 10.1.1.21:3 192.168.0.114:3 192.168.0.21:3 10.0.0.1:3
--- 10.1.1.21 192.168.0.114 --- ---
I think that this is the kind of configuration you are looking for.
However, note that there is a caveat because there is no overload (PAT)
available for outside to inside translation. That means that as soon as one of your hosts communicates with 192.168.0.114,
there will be no free IPs in the pool. What you can do is to increase the pool size
so that you reserve maybe 10 IPs that are only used for NAT.
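The translation chain in the debug output above, and the single-address-pool caveat, modelled as an added example (this is not code from the answer and does not talk to a router; the class names, the log format and the pool-size helper are this example's own choices). It models `ip nat inside source static 192.168.0.114 10.1.1.21` together with `ip nat outside source list 1 pool NAT_POOL`, reproduces the four `debug ip nat` lines for the ping, and shows that, because an outside-source pool cannot be overloaded, each distinct 10.0.0.x host consumes one pool address. The `NAT*` prefix is copied from the debug output, where IOS marks fast-switched packets with the asterisk.

```python
"""Model of the two-sided NAT configured on R3 in the lab above (added example)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class PoolExhausted(Exception):
    """Raised when no free outside-local address remains in NAT_POOL."""


@dataclass
class NatRouter:
    # 'ip nat inside source static <local> <global>' entries
    inside_static: dict[str, str]
    # hosts matched by access-list 1 for 'ip nat outside source list 1 pool ...'
    outside_acl: ipaddress.IPv4Network
    # addresses in NAT_POOL (there is no overload keyword for outside source)
    outside_pool: list[str]
    # dynamic bindings: outside global -> outside local (rows of 'show ip nat translations')
    outside_bindings: dict[str, str] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def _bind_outside(self, outside_global: str) -> str:
        """Return the outside-local address for a host, allocating one from the pool."""
        if outside_global in self.outside_bindings:
            return self.outside_bindings[outside_global]
        in_use = set(self.outside_bindings.values())
        free = [a for a in self.outside_pool if a not in in_use]
        if not free:
            raise PoolExhausted(f"no free pool address left for {outside_global}")
        self.outside_bindings[outside_global] = free[0]
        return free[0]

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Packet arriving on the 'ip nat outside' interface (f0/0), e.g. the echo request."""
        src = pkt.src
        if ipaddress.ip_address(pkt.src) in self.outside_acl:
            src = self._bind_outside(pkt.src)            # outside source: rewrite the source
            self.log.append(f"NAT*: s={pkt.src}->{src}, d={pkt.dst}")
        global_to_local = {g: l for l, g in self.inside_static.items()}
        dst = global_to_local.get(pkt.dst, pkt.dst)      # inside static: rewrite the destination
        if dst != pkt.dst:
            self.log.append(f"NAT*: s={src}, d={pkt.dst}->{dst}")
        return Packet(src, dst)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet arriving on the 'ip nat inside' interface (f0/1), e.g. the echo reply."""
        src = self.inside_static.get(pkt.src, pkt.src)   # inside static: rewrite the source
        if src != pkt.src:
            self.log.append(f"NAT: s={pkt.src}->{src}, d={pkt.dst}")
        local_to_global = {l: g for g, l in self.outside_bindings.items()}
        dst = local_to_global.get(pkt.dst, pkt.dst)      # outside source: undo on the destination
        if dst != pkt.dst:
            self.log.append(f"NAT: s={src}, d={pkt.dst}->{dst}")
        return Packet(src, dst)


def build_r3(pool_size: int = 1) -> NatRouter:
    """R3 from the lab; pool_size > 1 models the 'reserve maybe 10 IPs' suggestion."""
    pool = [str(ipaddress.ip_address("192.168.0.21") + i) for i in range(pool_size)]
    return NatRouter({"192.168.0.114": "10.1.1.21"},
                     ipaddress.ip_network("10.0.0.0/24"), pool)


def ping_from_r1(r3: NatRouter) -> tuple[Packet, Packet]:
    """Echo request 10.0.0.1 -> 10.1.1.21 and its reply, as R3 rewrites them."""
    request = r3.outside_to_inside(Packet("10.0.0.1", "10.1.1.21"))
    reply = r3.inside_to_outside(Packet(request.dst, request.src))
    return request, reply


def hosts_served(pool_size: int, host_count: int) -> int:
    """How many distinct 10.0.0.x hosts get a translation before the pool runs dry."""
    r3 = build_r3(pool_size)
    served = 0
    for i in range(1, host_count + 1):
        try:
            r3.outside_to_inside(Packet(f"10.0.0.{i}", "10.1.1.21"))
            served += 1
        except PoolExhausted:
            break
    return served


if __name__ == "__main__":
    r3 = build_r3()
    ping_from_r1(r3)
    print("\n".join(r3.log))
    print("hosts served with a 1-address pool:", hosts_served(1, 5))
    print("hosts served with a 10-address pool:", hosts_served(10, 15))
```

Running it prints the same four translation lines as the R3 debug (minus the `[15]` packet counters) and shows that a one-address pool serves exactly one outside host, while a ten-address pool serves ten; a repeat ping from the same host reuses its existing binding rather than consuming another address.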
From a support forum static-pat-pix
Note: You cannot use the same real or mapped address in multiple
static commands between the same two interfaces. Do not use a mapped
address in the static command that is also defined in a global command
for the same mapped interface.
Thus it seems we have two options:
NAT on the router; not recommended as it would be difficult to get through the PIX.
Change the IP address (private) on the host, and have a PIX rule for each private IP address.
As you did not give any real IP addresses, I will create an example.
On the hosts, use 10.0.0.1-10.0.0.15/28.
On the PIX, NAT to 196.0.0.1 - 196.0.0.15
global (outside) 1 196.0.0.1-196.0.0.15 netmask 255.255.255.240
nat (inside) 1 10.0.0.0 255.255.255.240 0 0
Or you can NAT, one by one, with:
static (inside,outside) 10.0.0.1 196.0.0.1 netmask 255.255.255.255
static (inside,outside) 10.0.0.2 196.0.0.2 netmask 255.255.255.255
etc.
Now, every time you need to change your external IP address, just change the internal source IP address.
Best Answer
I'm not sure this will work. I don't have a lab to try it, but it works great on paper ;)
In this example, host will connect to 40.0.0.1, which is a natted address.