Can ASA do a many-to-one translation?

thomasdzubin · ‎09-08-2007

I have two external public IPs that used to be mapped one-to-one to two internal private IPs. Now, I want to get rid of one of my internal servers but I want to continue to use my two public IPs but both going to the same server.

Can I do something like this:

static (outside,inside) xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (outside,inside) yyy.yyy.yyy.yyy 110 192.168.7.7 110

So incoming SMTP traffic to the "x" public IP goes to the same server as POP3 traffic does when it is sent to the "y" IP.

Also, since the SMTP server is also going to be sending out email, will I need another "static (inside,outside)" translation for outgoing traffic too or will the previous translation do the outgoing traffic also?

for example, do I need a:

static (inside,outside) 192.168.7.7 25 xxx.xxx.xxx.xxx 25

(or have I got my IPs reversed?)

a.alekseev · ‎09-09-2007

Yes, you can

static (outside,inside) tcp xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (outside,inside) tcp yyy.yyy.yyy.yyy 110 192.168.7.7 110

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043281

thomasdzubin · ‎09-10-2007

So you know if I have to put in a new separate "static (inside,outside)" entry to make sure outgoing email port 25 SMTP traffic appears to come from the "xxx.xxx.xxx.xxx" address or is that taken care of already by the "static (outside,inside)" line?

The outgoing email will be traffic initiated by the server, not part of any existing connection that may be incoming and already in the NAT table.

a.alekseev · ‎09-10-2007

oops... sorry

must be

static (inside, outside) tcp xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (inside,outside) tcp yyy.yyy.yyy.yyy 110 192.168.7.7 110

access-list OUTSIDE-IN permit tcp any host yyy.yyy.yyy.yyy eq 110

access-list OUTSIDE-IN permit tcp any host xxx.xxx.xxx.xxx eq 25

access-group OUTSIDE-IN in int outside