NATing two public IPs to one private IP: HOWTO?

Aug 6th, 2008


I have an email server hosting two email domains e.g. and each resolved to two different public IPs (MX records etc)

I have a Cisco 5510 ASA firewall at my perimeter and now I have the challenge of mapping the two public IPs to my mail server on the internal side.

How can I overcome this without having to give the server two separate private IPs for each email domain?





Mmm, I'm pretty sure you cannot do this with static NAT statements; they would overlap. But you could try using an alias and see if that would work:

static (inside,outside) w.w.w.w x.x.x.x netmask

alias (inside) y.y.y.y z.z.z.z

w.w.w.w = 1st external IP address

x.x.x.x = Internal Server IP

y.y.y.y = Internal Server IP

z.z.z.z = 2nd external IP address

This is a guess - you will have to test, and it may not work.


Marwan ALshawi Wed, 08/06/2008 - 07:43

Let's say your internal server is in the inside network with IP

and you have two public IPs and

Now we are going to map any connection to these IPs to that server:

static (inside,outside) netmask

static (inside,outside) netmask

If you want to map only the SMTP port, for example:


static (inside,outside) tcp 25 25 netmask

static (inside,outside) tcp 25 25 netmask

In this case only connections for TCP 25 will be mapped, while in the first example everything will be mapped.

And if you want to map more ports, like TCP 25 and other ports, use the same command for each port.

BUT DON'T FORGET to make an access list that permits traffic coming to your public IP address and apply it to the outside interface.

For the first example here, use the following ACL:

access-list 100 permit ip any host

access-list 100 permit ip any host

access-group 100 in interface outside

For the second example we are going to allow only a specific port or ports:

access-list 100 permit tcp any host eq 25

access-list 100 permit tcp any host eq 25

access-group 100 in interface outside

Good luck.

Please rate if helpful.

edwardwaithaka Wed, 08/06/2008 - 08:03

Hi marwanshawi,

I don't think this can happen. I get the error:

ERROR: duplicate of existing static

We tried policy NAT but that also doesn't work.

JORGE RODRIGUEZ Wed, 08/06/2008 - 08:17

Policy NAT is also an alternative; say, an RDP and HTTP example:


Public IPs

Private IP

static (inside,outside) access-list policy_nat_http1

static (inside,outside) access-list policy_nat_rdp1

access-list policy_nat_http1 extended permit ip host any

access-list policy_nat_rdp1 extended permit ip host any

access-list outside_access_in extended permit tcp any host eq 80 log

access-list outside_access_in extended permit tcp any host eq 3389 log

access-group outside_access_in in interface outside


For your SMTP,

replace the ACL PNAT name with something like:

policy_nat_smtp1, policy_nat_smtp2, and the respective TCP port 25 in the inbound ACL; it should work. Make sure the public IPs are not currently being used by any other system, otherwise you will get errors.

Marwan ALshawi Thu, 08/07/2008 - 02:35

OK, let's do a workaround.

Let's say your internal mail server IP address is

Make a static NAT for this IP to one of the public IPs,

then go to your server and give it a secondary IP, let's say

and then make another static NAT mapping the second public IP address to that secondary IP.

This case will work for sure.

Good luck,

and let us know.

JORGE RODRIGUEZ Thu, 08/07/2008 - 07:25

Marwan & Dennis's solution is effective as well and probably the easiest way to go around it.
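
The overlap behind the "duplicate of existing static" error reported in this thread can be caught before a config is pasted into the firewall. The following is an added example, not code from any poster: it assumes the firewall rejects two regular static statements that translate the same real address (and port) on the same interface pair, and every address in it is a constructed placeholder.

```python
import re
from collections import defaultdict

# Regular static NAT/PAT in the pre-8.3 syntax used in this thread:
#   static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] ...
STATIC_RE = re.compile(r"^static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*(.+)$")

def parse_static(line):
    """Return a dict for a regular static statement, or None for anything else."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_if, mapped_if, rest = m.groups()
    tok = rest.split()
    if "access-list" in tok:          # policy NAT is matched per ACL; not checked here
        return None
    if tok[0] in ("tcp", "udp"):      # port redirection form
        if len(tok) < 5:
            return None
        proto, mapped_ip, _mapped_port, real_ip, real_port = tok[:5]
    else:                             # whole-address form
        if len(tok) < 2:
            return None
        proto, real_port = "ip", None
        mapped_ip, real_ip = tok[:2]
    return {"key": (real_if, mapped_if, proto, real_ip, real_port), "mapped_ip": mapped_ip}

def find_conflicts(config_text):
    """Map each real-side key to the mapped IPs claiming it; keep keys with more than one."""
    seen = defaultdict(list)
    for line in config_text.splitlines():
        entry = parse_static(line)
        if entry and entry["mapped_ip"] not in seen[entry["key"]]:
            seen[entry["key"]].append(entry["mapped_ip"])
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample configs; 192.0.2.x and 10.0.0.x are placeholder addresses.
REJECTED = """\
static (inside,outside) tcp 192.0.2.10 25 10.0.0.25 25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.11 25 10.0.0.25 25 netmask 255.255.255.255
"""
WORKAROUND = """\
static (inside,outside) tcp 192.0.2.10 25 10.0.0.25 25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.11 25 10.0.0.26 25 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("rejected", REJECTED), ("workaround", WORKAROUND)):
        print(name, find_conflicts(cfg) or "no overlapping statics")
```

The WORKAROUND sample corresponds to the secondary-IP approach from the thread, where each public address maps to its own private address and no key is claimed twice.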

