I'm replacing a Symantec (software) firewall with an ASA5510. One of the features of the Symantec is that it allows a single external interface to act as multiple IP addresses, and each of the "virtual" IP addresses to be redirected to different internal hosts.
The multiple external IP addresses are mapped to different (publicly accessible) DNS hostnames, such as "ftp.mydomain.com" and "www.mydomain.com", so it's important that we maintain the ability to support multiple IP addresses on our external interface.
How can I do this with the 5510?
When you "define a static translation rule for outside address x, port 25 to be translated to inside address y, port 25.", x and y both designate the same host:
- x is the outside address of the host
- y is the inside address of the host
So in your access-list, you don't have to add a rule between x and y (since both designate the same host...), but you have to add a rule between outside hosts and the host x.
If we continue with the same example, it would be something like this:
ip address 18.104.22.168 255.255.255.0
! Port redirection: outside address, port 25 -> inside address, port 25
static (INT_INSIDE,INT_OUTSIDE) tcp 22.214.171.124 25 126.96.36.199 25 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 188.8.131.52 184.108.40.206 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 220.127.116.11 18.104.22.168 netmask 255.255.255.255
! The ACL on the outside interface references the outside (translated) address
access-list INT_OUTSIDE_access_in extended permit tcp any host 22.214.171.124 eq 25
access-group INT_OUTSIDE_access_in in interface INT_OUTSIDE
With this example, every host on the Outside can access your SMTP server which has:
- one outside address: 126.96.36.199
- one inside address: 188.8.131.52
Hope it helps
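An added example, not part of the original answer: a small Python audit that applies the rule described above (the outside ACL must reference the translated address x, never the inside address y) to a configuration in the same pre-8.3 `static` syntax. The sample configuration, its addresses, and the finding names are constructed for illustration, and ports are assumed to be written numerically.

```python
import re

# Constructed sample config (pre-8.3 "static" syntax); all addresses are made up.
SAMPLE = """\
static (INT_INSIDE,INT_OUTSIDE) tcp 203.0.113.10 25 10.0.0.10 25 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 203.0.113.11 10.0.0.11 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 203.0.113.12 10.0.0.12 netmask 255.255.255.255
access-list INT_OUTSIDE_access_in extended permit tcp any host 203.0.113.10 eq 25
access-list INT_OUTSIDE_access_in extended permit tcp any host 10.0.0.11 eq 80
access-group INT_OUTSIDE_access_in in interface INT_OUTSIDE
"""

PERMIT = re.compile(r"access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?$")

def parse_statics(config):
    """Map each outside (mapped) address to (inside address, published port or None)."""
    statics = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "static" and tok[2] in ("tcp", "udp"):
            statics[tok[3]] = (tok[5], tok[4])      # port redirection form
        elif len(tok) >= 4 and tok[0] == "static":
            statics[tok[2]] = (tok[3], None)        # whole-host form
    return statics

def parse_permits(config, acl):
    """Return (destination host, port or None) for each 'permit ... any host' entry."""
    hits = (PERMIT.match(line.strip()) for line in config.splitlines())
    return [(m.group(3), m.group(4)) for m in hits if m and m.group(1) == acl]

def audit(config, acl):
    """Compare ACL destinations against the static translations."""
    statics = parse_statics(config)
    inside = {real for real, _ in statics.values()}
    permits = parse_permits(config, acl)
    findings = []
    for dest, port in permits:
        if dest in inside and dest not in statics:
            # Rule targets y instead of x, so it never matches inbound traffic.
            findings.append(("acl-uses-inside-address", dest))
        elif dest in statics and statics[dest][1] not in (None, port):
            findings.append(("port-mismatch", dest))
    allowed = {dest for dest, _ in permits}
    # Translations with no permit stay closed under the implicit deny.
    findings += [("no-permit-unreachable", m) for m in statics if m not in allowed]
    return findings

if __name__ == "__main__":
    for kind, addr in audit(SAMPLE, "INT_OUTSIDE_access_in"):
        print(f"{kind}: {addr}")
```

The `no-permit-unreachable` finding is informational: a whole-host static without a matching permit publishes nothing, which is the state of the two unrestricted translations in the answer's configuration.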