Migration CheckPoint to ASA NAT Issue

marcelo.zilio
Level 1

Hi,

I'm working on a migration of a CheckPoint firewall to an ASA 5520. I'm stuck on a situation where it seems the ASA cannot "reproduce" the CheckPoint configuration. Here is the scenario:

- IP address X on the Internet accesses IP address X1 in the inside network through the X-NAT address.

- IP address Y on the Internet accesses IP address Y1 in the inside network through the same X-NAT address.

CheckPoint already does this, but I couldn't find a way to do the same with ASA.

I've tried with policy NAT, but it seems it doesn't work well with static translations.

Has anyone done this before?

Any suggestions will be appreciated

Thanks

Marcelo

8 Replies

andrew.prince
Level 10

It all depends on whether you want to use the same X-NAT address; if so, policy NAT is the best way. Another way would be to use port-forwarding NAT using the same X-NAT address.

Hi Andrew,

Thank you for the prompt response.

Yes, I need to use the same X-NAT address.

Port forwarding is not an option because I need several overlapping ports on different IP addresses.

I also believed policy NAT was the best way, but then I found this link.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1116647

It seems the ASA cannot do that.

I'm just wondering if it could be done in another way.

Any thoughts?

Thanks

Thoughts are: good link, but not conclusive for your requirement. Can you expand more on what you want to do (using dummy IPs to help)?

Hi Andrew,

What I must do is, for example:

200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)

190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)

When packets come from 200.1.1.1, the ASA should redirect them to inside IP 10.1.1.1.

When packets come from 190.1.1.1, the ASA should redirect them to inside IP 10.1.1.2.

That is, packets are forwarded to inside network based on source Internet address.

This is the way the CheckPoint works today and I need to reproduce the same configuration on the ASA.

Hope it is clear now...

Thank you

Marcelo

I must admit at first glance this is very interesting to solve. However, I have a question: what are servers 10.1.1.1 and 10.1.1.2, and what is the requirement for separate source IPs to connect to separate internal hosts?

Hi Andrew,

Thank you for your interest.

Well, this is a migration from a CheckPoint firewall to an ASA, as I said before. I confess that I don't understand why this was done this way on the CheckPoint. The point here is that I am supposed to replicate the CheckPoint configuration on this new ASA. :)

My customer doesn't care how this will be done. His only wish is that after exchanging the CheckPoint for the ASA he can use the network the same way as before. :(

Regarding your question, servers 10.1.1.1 and 10.1.1.2 are just an example. In the real configuration there are dozens of IPs in this situation.

The main use for this is, for example, Partner Enterprise ABC must access server IP 10.1.1.1.

Partner Enterprise DEF must access server IP 10.1.1.2

...

Partner Enterprise XYZ must access server IP 10.1.1.99

Each server has specific services running on it. For example, 10.1.1.1 has FTP and HTTP. Server 10.1.1.10 has WTS, FTP, SMTP and so on.

Can I use a different static translation for each server? Technically yes, there are a lot of real IPs available. But the concern is contacting every Partner Enterprise and asking them to change their configuration too. Too painful and too prolonged.

Again, I don't know why this was done this way in the first place. I'm just trying to figure out a way to do the same on the ASA.

Thank you

Regards

Marcelo
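The requirement described in the two posts above (same public address 80.1.1.1, inside destination chosen by the partner's source address, each server exposing only some services) maps directly onto ASA "twice NAT" (manual NAT), which qualifies a destination translation by the source address in a single rule. The configuration below is an added example written for this thread, not something posted by either participant or taken from Cisco documentation. It assumes an ASA running 8.3 or later (the twice NAT syntax does not exist in the 8.0 release the linked guide covers), interfaces named inside and outside, the dummy addresses from the thread, and object names and partner services that are assumptions for illustration.

```text
! Added example: source-dependent destination NAT on ASA 8.3+ (twice NAT).
! Object names and the per-partner services are assumptions, not from the thread.
object network PARTNER-ABC
 host 200.1.1.1
object network PARTNER-DEF
 host 190.1.1.1
object network SRV-A-REAL
 host 10.1.1.1
object network SRV-B-REAL
 host 10.1.1.2
object network SRV-MAPPED
 host 80.1.1.1
!
! Each rule maps a different inside real host to the SAME mapped address,
! and is only selected when the far end matches the partner's source address.
! Twice NAT is bidirectional: a packet from 200.1.1.1 to 80.1.1.1 arriving on
! outside is untranslated to 10.1.1.1; from 190.1.1.1 it goes to 10.1.1.2.
! Manual NAT rules are evaluated in order; these do not overlap because the
! destination (partner) objects differ.
nat (inside,outside) source static SRV-A-REAL SRV-MAPPED destination static PARTNER-ABC PARTNER-ABC
nat (inside,outside) source static SRV-B-REAL SRV-MAPPED destination static PARTNER-DEF PARTNER-DEF
!
! From 8.3 onward, interface ACLs match the real (untranslated) address, so
! the permits name 10.1.1.x, not 80.1.1.1. Only permit what each partner needs.
! (10.1.1.1 = FTP and HTTP per the thread; the services for 10.1.1.2 are assumed.)
access-list OUTSIDE_IN extended permit tcp host 200.1.1.1 host 10.1.1.1 eq ftp
access-list OUTSIDE_IN extended permit tcp host 200.1.1.1 host 10.1.1.1 eq www
access-list OUTSIDE_IN extended permit tcp host 190.1.1.1 host 10.1.1.2 eq ftp
access-group OUTSIDE_IN in interface outside
```

Two checks are worth running after pasting this in. `show nat detail` shows the two manual rules with their hit counts, so you can see which rule a partner's traffic is selecting. `packet-tracer input outside tcp 200.1.1.1 12345 80.1.1.1 21` and `packet-tracer input outside tcp 190.1.1.1 12345 80.1.1.1 21` walk a synthetic packet through NAT and the ACL and should report different inside destinations (10.1.1.1 and 10.1.1.2) for the same mapped address; a third run from an address that matches neither partner should be dropped, which is the security property you want to preserve when the dozens of real partner rules are added. Because the rules are bidirectional, outbound traffic from 10.1.1.1 to 200.1.1.1 will also leave sourced as 80.1.1.1, which matches the CheckPoint behaviour the customer expects.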

I'll be honest: I am not 100% sure about this, but I will do some digging and take it into the lab.

In the meantime perhaps another netpro has the answer; until then I will find out.

Hi Andrew,

Thanks for your time.

I also opened a TAC case. I'll let you know of any update.
