10-17-2007 07:15 PM - edited 03-11-2019 04:26 AM
Hi,
I'm trying to use PAT to use two public IPs and map them to one local IP. Can anyone please help show/correct the access-list and nat commands for me?
Two public IPs mapped to one internal IP:
access-list outside_access_in extended permit tcp any host 202.100.200.55 eq 3389
access-list outside_access_in extended permit tcp any host 202.100.200.59 eq 3389
access-list inside_nat_static_1 extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.59
access-list inside_nat_static extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.55
static (inside,outside) tcp 202.100.200.55 3389 access-list inside_nat_static
static (inside,outside) tcp 202.100.200.59 3389 access-list inside_nat_static_1
My existing config allows all internal clients to use dynamic NAT for outgoing:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
My config isn't quite working as expected; sometimes I just can't connect using both IPs.
Thanks
EL
10-19-2007 03:04 PM
EL,
If I understand you right, you want people to be able to connect to 2 public IPs via a port (say port 25 for this example) and you want both to forward to 1 internal server. Here is what I have done in the past and it seems to work for me:
access-list smtp1 remark MailServer1
access-list smtp1 extended permit tcp host 10.1.1.25 eq smtp any
access-list smtp2 remark MailServer2
access-list smtp2 extended permit tcp host 10.1.1.25 eq smtp any
static (Inside,Outside) tcp 1.2.3.4 smtp access-list smtp1
static (Inside,Outside) tcp 2.3.4.5 smtp access-list smtp2
The above maps both the public IPs 1.2.3.4 and 2.3.4.5 to 10.1.1.25 on port 25. It is a bit confusing in the documentation. Let me know if this works for you. I know it seems like a strange config, but the problem is the ASA does not like to have 2 globals to 1 local unless you do it with 2 separate ACLs that point to the same local IP :) It's like a workaround type of thing.
Saro
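An added example, not part of either poster's configuration: a small Python audit that parses the static policy PAT lines quoted in this thread, reports which global IPs publish the same local host and port, and flags inbound entries that allow any source. The regexes cover only the line shapes shown in the thread, and the names `audit` and `QUESTION_CFG` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the ASA lines posted in the question above.
QUESTION_CFG = """\
access-list outside_access_in extended permit tcp any host 202.100.200.55 eq 3389
access-list outside_access_in extended permit tcp any host 202.100.200.59 eq 3389
access-list inside_nat_static_1 extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.59
access-list inside_nat_static extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.55
static (inside,outside) tcp 202.100.200.55 3389 access-list inside_nat_static
static (inside,outside) tcp 202.100.200.59 3389 access-list inside_nat_static_1
"""

ACE = re.compile(r"^access-list (\S+) extended permit tcp (any|host \S+)(?: eq (\S+))?"
                 r" (any|host \S+)(?: eq (\S+))?$")
STATIC = re.compile(r"^static \(\w+,\w+\) tcp (\S+) (\S+) access-list (\S+)$")

def audit(config):
    """Return (mappings, findings) for the static policy PAT entries in config."""
    acls, statics = defaultdict(list), []
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            acls[m[1]].append(m.groups()[1:])   # (src, sport, dst, dport)
        elif m := STATIC.match(line):
            statics.append(m.groups())          # (global_ip, global_port, acl)
    mappings, findings = defaultdict(list), []
    for gip, gport, acl in statics:
        for src, sport, dst, _ in acls.get(acl, []):
            mappings[(src.removeprefix("host "), sport)].append(gip)
            if dst != "any":                    # comparison with the answer's ACL form only
                findings.append(f"{acl}: destination is '{dst}', not 'any' as in the answer's ACLs")
        # Any ACL entry that lets every source reach this global IP and port.
        for name, aces in acls.items():
            if ("any", None, f"host {gip}", gport) in aces:
                findings.append(f"{name}: {gip}:{gport} reachable from any source")
    for (ip, port), gips in mappings.items():
        if len(gips) > 1:
            findings.append(f"{ip}:{port} published on {len(gips)} global IPs: {', '.join(gips)}")
    return dict(mappings), findings

if __name__ == "__main__":
    for finding in audit(QUESTION_CFG)[1]:
        print(finding)
```

Run against the lines in the answer, the same function reports only the two-globals-to-one-local mapping, since those ACLs use `any` as the destination and no inbound ACL is shown.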
10-23-2007 08:44 PM
Hi Saro,
My config is working fine now.
I may have misconfigured the static NAT before.
Thanks for your help anyway!
EL