Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
2
Replies

ASA5505 - two public IP NAT to one local IP

support
Level 1
Level 1

‎10-17-2007 07:15 PM - edited ‎03-11-2019 04:26 AM

Hi,

I'm trying to use PAT to use two public IP and map to one local IP, can anyone please help to show/correct me the access-list and nat command ?

Two public IP map to one internal IP:

access-list outside_access_in extended permit tcp any host 202.100.200.55 eq 3389

access-list outside_access_in extended permit tcp any host 202.100.200.59 eq 3389

access-list inside_nat_static_1 extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.59

access-list inside_nat_static extended permit tcp host 192.168.0.208 eq 3389 host 202.100.200.55

static (inside,outside) tcp 202.100.200.55 3389 access-list inside_nat_static

static (inside,outside) tcp 202.100.200.59 3389 access-list inside_nat_static_1

my existing config allow all internal clients use dynamic nat for outgoing:

global (outside) 1 interface

nat (inside) 1 192.168.0.0 255.255.255.0

My config doesn't quite working as expected, sometimes I just can't connect using both IPs.

Thanks

EL

Labels:
0 Helpful
2 Replies 2

saro
Level 1
Level 1

‎10-19-2007 03:04 PM

EL,

If i understand you right, you want people to be able to connect to 2 public IPs via a port (say port 25 for this example) and you want both to forward to 1 internal server. Here is what i have done in the past and it seems to work for me:

access-list smtp1 remark MailServer1

access-list smtp1 extended permit tcp host 10.1.1.25 eq smtp any

access-list smtp2 remark MailServer2

access-list smtp2 extended permit tcp host 10.1.1.25 eq smtp any

static (Inside,Outside) tcp 1.2.3.4 smtp access-list smtp1

static (Inside,Outside) tcp 2.3.4.5 smtp access-list smtp2

The above maps the both the public IPs 1.2.3.4 and 2.3.4.5 to 10.1.1.25 on port 25. It is a bit confusing in the documentation. Let me know if this works for you. I know it seems like a strange config, but the problem is the ASA does not like to have 2 globals to 1 local unless you do it with 2 separate ACLs that point to the same local IP :) It's like a workaround type of thing.

Saro

0 Helpful

support
Level 1
Level 1
In response to saro

‎10-23-2007 08:44 PM

Hi Saro,

My config is working fine now.

I may have misconfigured the static NAT before.

Thanks for your help anyway !

EL

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card