ASA 5520 - static from several Public IP's to single inside IP

Unanswered Question
Mar 11th, 2009


I am about to migrate a customer from a hosted checkpoint firewall to an active/passive ASA 5520 firewall.

I have got some prints from the configuration of the checkpoint firewall, which show that 4 public IP's are forwardet to the same IP on the inside (don't ask me why!!).

As far as i concern this is not possible on the ASA. I could solve the issue by using PAT, and only forwarding specific services, however my issue is, that I need UDP/53 (DNS) forwardet on 3 of the public IP's to the same server on the inside (again, I know this sounds crazy, but this is how it is set up on the current checkpoint firewall)..

Any help is greatly appreciated !!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
adamclarkuk_2 Wed, 03/11/2009 - 08:20


This should be possible with a static NAT with an ACL

static (inside,outside) access-list

use the source in the ACL as the IP to NAT to and the destination as the IP's that are allowed to be NAT'd.

rasmusan1 Wed, 03/11/2009 - 12:03


I am not sure I understand. I wan't multiple outside IP's mapped to a single inside IP.

could you please show me an example ?

thanks in advance...

Jon Marshall Wed, 03/11/2009 - 12:55


"As far as i concern this is not possible on the ASA"

You are correct. Unless you are mapping to different ports as you mention it is not possible.


cisco24x7 Wed, 03/11/2009 - 15:59

This is definitely possible. I do not have a Pix on hand to test but it is doable. Just open a TAC case with Cisco and have TAC do it for you.

When you have complex NAT like this (even though I don't think it is a big deal with Checkpoint), I personally think it is a big mistake to go from Checkpoint to ASA in this situation. Furthermore, you also need to take into consideration that with Checkpoint firewalls, secondary IP addresses behaves just like Cisco IOS routers whereas this feature is not available in Cisco ASA platforms (you have to use 802.1q for this). Remember you have to support this down the road as well which may not be very pleasant.

I always laugh when I read posts like yours about converting from Checkpoint to ASA. With the NAT scenario you described above, a junior person with a couple months of experiences on Checkpoint can do it in less than a minutes without the risk of taking down the network.

Until Cisco can come up with a User Interface (UI) that can make configuring complex NAT much easier and more user-friendly, I would stay away from Cisco ASA/Pix/FWSM with complex NAT scenarios.

my 2c.

Jon Marshall Wed, 03/11/2009 - 18:03


I agree with you on the complexity of configuring cisco NAT :-)

You say it's doable but i must admit i thought you couldn't do this if the source IP's were always the same ie. any because they are coming from the Internet and the ports were the same.

I don't have a pix to test with either unfortunately but do you remember the gist of how it is done on a pix. I'd be very interested.


rasmusan1 Wed, 03/11/2009 - 23:55

thanks for ytour feedback, however I would still very much like a configuration example - this would be very helpful

rasmusan1 Thu, 03/12/2009 - 03:58

well, I created a TAC and got the solution :)

Here is what TAC wrote:

To do the design you want, you have to create 4 identical access-lists but with different names, i.e.:

Access-list ACL_1 permit ip host 10.x.x.2 any

Access-list ACL_2 permit ip host 10.x.x.2 any

Access-list ACL_3 permit ip host 10.x.x.2 any

Access-list ACL_4 permit ip host 10.x.x.2 any

Then you create a static statement for every access-list:

Static(dmz,outside) x.x.x.1 access-list ACL_1

Static(dmz,outside) x.x.x.2 access-list ACL_2

Static(dmz,outside) x.x.x.3 access-list ACL_3

Static(dmz,outside) x.x.x.4 access-list ACL_4

Also, you can refer to the following link

Hope this is helpful to others...

Gerard Roy Fri, 03/13/2009 - 15:27

How can this work with Dual ISP's off of 2 Outside interfaces? I have Outside0 and Outside1 and I need to static NAT into a server on the Inside so I can have access from either ISP. I understand the ASA will not handle the routing correctly because it does not have the capability of doing a route-map like a router can do and will always send the traffic out the default route.

9898nishit Sat, 04/04/2009 - 06:50


I am facing same problem. I am trying to replace cyberom firewall with ASA 5520.

In cyberom firewall traffic coming from outside on public ip address on two different public ip address get translated to one private ip address on the same port. But when i am trying to configure the same in ASA i am unable to do so.

I understand from solution provided by you that ACL_1, ACL_2, ACL_3, ACL_4 has source ip of 10.x.x.2 and destination any. Nating done from dmz to outside for different public ip address.

But in my case traffic will come from internet with source any and destination will be two different public ip address.For these two public ip add i need to nat with single private ip.

Could u pl let me know how do i configure.



rasmusan1 Sat, 04/04/2009 - 07:21

Hello Nishith

The ACL's just specify the private IP on the inside - it does not specify who can access them - that you have to control on your interface ACL's as normal.

So you just create 2 ACL's, like in my solution post, with your private IP in both ACL's, and then create 2 static's - one for each public IP - using an ACL for each static.

hope this answer your question...


This Discussion