Natted and Physical IP access

Mar 4th, 2009

Hi,


I am using an ASA 5580 with software version 8.1(2). Could it be possible to access the NATted IP address and also the physical IP address at the same time from the host?

santoshm_75 Mon, 03/02/2009 - 08:20

Hi,


My requirement is different from what you have mentioned. In the configuration you have mentioned, if I have a host connected to IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts, can it be possible?


If possible, then send some write-up and also any Cisco site reference.


Regards,



JORGE RODRIGUEZ Fri, 03/06/2009 - 05:26

"if I have a host connected to IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts. Can it be possible?"


Santosh,


I'm not quite sure I understand your requirements, which seemed to me from your initial post to be a hairpinning requirement. I would like to know what application prompts you to have this type of setting; perhaps if you could provide in detail what this requirement entails in terms of TCP/UDP services, I could provide a better answer.


Regards

JORGE RODRIGUEZ Wed, 03/04/2009 - 10:15

Sure you can, depending on what your scenario is, but generally you can use the same-security-traffic permit intra-interface command in conjunction with a specific NAT statement, and connect to the NATted address from where you are sourcing the local host. This is also known as hairpinning.


Regards


santoshm_75 Thu, 03/05/2009 - 06:16

Hi,


I have all the intra interfaces with different levels of security; then also, can it be possible?


If possible, please let me know some write-up or any Cisco write-up details for reference.


Regards,

JORGE RODRIGUEZ Thu, 03/05/2009 - 08:54

Typical scenario

say:

inside host 20.20.20.1/24 - its public IP 100.100.100.1 for outside

Typically you would have one-to-one NAT:

static (inside,outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

Now you want local hosts in the 20.20.20.0/24 subnet to access 100.100.100.1, which is mapped to 20.20.20.1:

same-security-traffic permit intra-interface

static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

and allow inbound rules for 100.100.100.1,

so inside hosts under 20.20.20.0/24 can access 20.20.20.1 locally as well as 100.100.100.1 from the inside interface.


Here is some reference on hairpinning:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2


Regards


Please rate any helpful posts if it helps.

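A fuller version of the hairpin setup outlined above, as an added example that is not from the thread or from Cisco's documentation: it assumes the pre-8.3 NAT syntax that matches the poster's 8.1(2) image, interfaces named inside and outside, that the published service on 20.20.20.1 is HTTPS (port 443), and ACL names and the test client 20.20.20.50 are constructed.

```cisco
! Constructed example for ASA 8.1(2) (pre-8.3 NAT syntax); not taken from the thread.
! Server 20.20.20.1 (inside) is published to the outside as 100.100.100.1.

! Allow a flow to enter and leave the same interface; without this the
! inside-to-inside hairpin is dropped even though the statics exist.
same-security-traffic permit intra-interface

! One-to-one static for outside clients.
static (inside,outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

! Second static for inside clients: destination 100.100.100.1 is rewritten to
! 20.20.20.1 on the inside interface. Only the destination is translated, so the
! server still sees the client's real 20.20.20.x source address in its logs.
static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

! "Inbound rules for 100.100.100.1": pre-8.3 ACLs match the address as it
! appears on the ingress interface, i.e. the NATted 100.100.100.1, not the
! real 20.20.20.1. Permit only the published port, not "permit ip any".
access-list outside_access_in extended permit tcp any host 100.100.100.1 eq 443
access-group outside_access_in in interface outside

! If an ACL is already applied inbound on inside, it must also permit the
! hairpinned flow to the NATted address (add this entry to that ACL; with no
! inside ACL the flow is already allowed by the security-level default).
access-list inside_access_in extended permit tcp 20.20.20.0 255.255.255.0 host 100.100.100.1 eq 443
access-group inside_access_in in interface inside

! Checks (assumed client 20.20.20.50): the trace should end with "ALLOW" and
! show the (inside,inside) static being used; show xlate shows the mapping.
! packet-tracer input inside tcp 20.20.20.50 12345 100.100.100.1 443
! show xlate
```

After cutover from the Checkpoint, confirm with packet-tracer from both the inside and outside interfaces, since a missing intra-interface line fails silently with a drop rather than a syntax error.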

Jon Marshall Fri, 03/06/2009 - 04:58
Santosh


Just to clarify what you are asking.


Server = real IP address = 192.168.5.1

Natted IP address = 172.16.5.1


Are you asking if from a client host you can connect to both 172.16.5.1 and 192.168.5.1 on the same port?


If so no you can't. It's one or the other.


Jon

santoshm_75 Fri, 03/06/2009 - 05:27

Hi,


Find the details of the requirement.


Inside IP : 172.16.0.0/24

Host: 172.16.1.10


NATted IP: 192.168.1.10


Outside IP: 192.168.1.0/24

Host: 192.168.1.20


Now my requirement is: from host 192.168.1.20, can I access 192.168.1.10 and also 172.16.1.10?


Hi Jon: It's the customer's requirement for the SAP application, and also for your reference this is working in Checkpoint now. We are putting an ASA 5580 in place of the Checkpoint.



Could it be possible?

Regards,


Jon Marshall Fri, 03/06/2009 - 05:40
Santosh


If you are trying to access the 172.16.1.10 and 192.168.1.10 from outside using the same application port number you cannot do this on the ASA. I understand you can do this with Checkpoint but NAT functionality differs between firewalls.


Jon
