Conditional Nat on an ASA

Unanswered Question
Dec 27th, 2007

A practical dilemma led me here:

A customer has several remote sites which each have a PC that connects to a virtual IP in the HQ LAN, which in turn is NATted to a real HQ server IP on the ASA. Now the need has arisen to NAT a specific group of remote sites to a different real HQ server IP...

My current workaround is a hardware load balancer, but imho there should be a nice/clean Cisco (NAT)

For a visual clarification, please see my attached Visio.

Many thanks for any hints or suggestions you might have,


Collin Clark Thu, 12/27/2007 - 12:40


Can the remote offices that need to point to the new server, point to a new NAT address or do they have to point to

bart.mollemans Thu, 12/27/2007 - 23:24

This was my first question too, but the devices at the remote sites are in fact a type of appliance that requires (costly) 3rd-party intervention if we need to change a system setting, plus there are over 600 remote sites... so no...

srue Fri, 12/28/2007 - 07:23

Create object groups to more easily manage which remote sites need the server NATted to which IP; then you can use the same object groups to configure your standard interface ACLs.

In this example, is the internal IP of the server. The 31.x.x.x addresses are the NATted IPs.

access-list nat1_acl permit ip host object-group remote_sites_A
access-list nat2_acl permit ip host object-group remote_sites_B
static (inside,outside) access-list nat1_acl
static (inside,outside) access-list nat2_acl

bart.mollemans Fri, 12/28/2007 - 07:33

Thanks for the reply, but this does not tackle the issue at hand.

I have 2 internal servers (a, b) which need to be reached on a virtual IP c.

If IP address group X connects to address c, the NATting should lead them to internal server a. Additionally, when address group Y connects to address c, the ASA NATting should lead them to internal server b...

srue Fri, 12/28/2007 - 07:43

My bad.

How about:

access-list nat1_acl permit ip host 192.168.1.a object-group X
access-list nat2_acl permit ip host 192.168.1.b object-group Y
static (inside,outside) access-list nat1_acl
static (inside,outside) access-list nat2_acl
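
A fuller version of the policy-NAT approach sketched in the posts above, as an added example that is not from the original thread. It uses pre-8.3 ASA syntax and constructed addresses: 192.168.1.10 and 192.168.1.11 stand in for servers a and b, 203.0.113.5 for the shared virtual IP c, and the 10.x ranges for the remote-site groups X and Y; the verification commands assume ASA 7.2 or later.

```text
! Constructed example (not from the thread): pre-8.3 ASA policy static NAT.
! Servers a and b are 192.168.1.10 and 192.168.1.11 (assumed); the shared
! virtual IP c that every remote site already targets is 203.0.113.5 (assumed).

! Remote-site groups: membership decides which real server a site reaches.
object-group network remote_sites_X
 network-object 10.10.0.0 255.255.0.0
 network-object host 10.20.1.5
object-group network remote_sites_Y
 network-object 10.30.0.0 255.255.0.0

! Policy NAT ACLs: source = real (inside) server, destination = remote sites.
access-list nat1_acl extended permit ip host 192.168.1.10 object-group remote_sites_X
access-list nat2_acl extended permit ip host 192.168.1.11 object-group remote_sites_Y

! Both statics map to the same outside address; the ACL decides which
! inside server a given remote site is untranslated to. Static NAT is
! bidirectional, so inbound connections from group X to 203.0.113.5
! reach 192.168.1.10 and connections from group Y reach 192.168.1.11.
static (inside,outside) 203.0.113.5 access-list nat1_acl
static (inside,outside) 203.0.113.5 access-list nat2_acl

! Reuse the same object groups on the outside interface ACL so only the
! listed remote sites can reach the virtual IP, and only on the service
! port (TCP 443 assumed). Pre-8.3 interface ACLs reference the mapped address.
access-list outside_in extended permit tcp object-group remote_sites_X host 203.0.113.5 eq 443
access-list outside_in extended permit tcp object-group remote_sites_Y host 203.0.113.5 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! Verification after the change (ASA 7.2+ assumed for packet-tracer):
!   show xlate
!   packet-tracer input outside tcp 10.10.1.1 12345 203.0.113.5 443
!   packet-tracer input outside tcp 10.30.1.1 12345 203.0.113.5 443
```

The two packet-tracer runs should show the NAT phase untranslating 203.0.113.5 to 192.168.1.10 for the group X source and to 192.168.1.11 for the group Y source; a site in neither group is dropped by the interface ACL and logged.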

bart.mollemans Fri, 12/28/2007 - 18:25

Perhaps indeed... I was just staring myself blind at the ASDM GUI. In the command line this makes perfect sense. So in effect we have 2 static policy NATs, with for the original source 192.168.1.a (192.168.1.b for the 2nd packet), original destination object group siteA (siteB for the 2nd packet), and on the outside interface a translated address of Thx, I'll try it and let you know, Srue.

bart.mollemans Fri, 12/28/2007 - 17:56


Indeed, that was my 3rd preferred solution.

My second preferred is the one I have set up now; I had a spare F5 LB lying around and put it to use :)

The most preferred one is of course to have it all cleanly configured in one device: the ASA. Cisco has got to have a way to do this...

Checkpoint and Juniper can all do this type of packet crafting; perhaps I'm just overlooking something obvious.

