Source IP address should be NAT'ed Address

Sep 11th, 2008

Our Exchange folks are moving to 2007. They are trying to put up new edge servers and have asked for outside addresses for the edge servers. Problem is that they want the source IP to be the same address as the NAT. Below is an example of the NAT. What commands do I need to add for this to happen? Today when these edge servers go outside they look to be coming from the outside interface of the ASA.


static (inside,outside) 209.56.118.40 10.16.2.40 netmask 255.255.255.255


I want them to look like they are coming from 209.56.118.40


Thanks


-Jason


jjohnston1127 Thu, 09/11/2008 - 07:13

Not too hard.


Add an additional static NAT entry and reverse it.


static (outside,inside) 10.16.2.40 209.56.118.40 netmask 255.255.255.255


jsecaur Thu, 09/11/2008 - 08:08

Thanks for the information. Is this configuration mandatory? In other words, if I do not add this NAT, will I look like the outside address of the FW?


Also do you know of any good resources to test this? I am looking for something that is not using port 80.

jjohnston1127 Thu, 09/11/2008 - 09:41

Yes, the command "global (outside) interface" uses the outside address of the firewall as the port translation address so all inbound users that go out to the internet will appear as the outside address of the firewall.


Doing this both with the inside,outside and outside,inside static mapping will make traffic inbound hit that internal server and also appear to the internet as the same IP address it came in on.


If you want to test it, go ahead, but it is not really necessary in my opinion. I have done this many times with no problems.

