ASA - Translate Destination IP only?

Answered Question
May 20th, 2009

Hello All,

I have a public IP and port (1.1.1.1:80) that is translated to a private IP:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255


The ACL applied inbound on the outside interface permits any hosts to 1.1.1.1:80.


My question is: can I policy-translate the destination IP:port for outside clients that match specified subnets? (i.e. hosts coming from 2.2.2.0/8 to 1.1.1.1:80 are translated to 1.1.1.2:81)

(and any necessary static and ACL additions would be performed).


Thanks,

Christopher


darkbeatzz Thu, 05/21/2009 - 00:59

I don't understand why you would want to do this if both public IPs are in the same range?


If they are, then just have a static NAT to 1.1.1.2:81 and limit access to it with an ACL?

cpalmerloopt Fri, 05/22/2009 - 15:12

Basically, the public IP is advertised in DNS, and could be hard-coded in an application. However, depending on the client source IP, they may need to be serviced by a different backend server.


BrinksArgentina Thu, 05/21/2009 - 10:01

I don't understand.

Do you need clients from 2.2.2.0 to be mapped to 192.168.1.1 and clients from 3.3.3.0 mapped to 192.168.1.22, for example?

cpalmerloopt Thu, 05/21/2009 - 10:10

Yes, that's basically it. Both sets of clients would attempt to connect to 1.1.1.1:80 (for example), but their true destination IP:port would be decided based on their source IP. Does that help clarify?


BrinksArgentina Thu, 05/21/2009 - 10:12

I am preparing the lab, if the phone doesn't ring, I will tell you my results in a few hours.

Correct Answer
BrinksArgentina Thu, 05/21/2009 - 11:23

After reading, trying and remembering, the answer is:

NO, you can't map an ip:port to two different ip:port destinations.


If you can't change the destination ip:port, maybe you can do a DNS trick or something like that.
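To make concrete what the thread is asking for, here is an added Python model of the two lookups (not ASA code and not from any poster): a one-to-one static, which has no source address to consult, beside a source-conditional policy table of the kind the questioner wants. The 2.2.2.0/8 in the question is taken as 2.2.2.0/24 here; that and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


# The single "static (inside,outside) 1.1.1.1 192.168.1.1" from the thread:
# the lookup key is the mapped destination only, so the source cannot matter.
STATIC = {Endpoint("1.1.1.1", 80): Endpoint("192.168.1.1", 80)}

# Source-conditional table the questioner wants (constructed; not ASA syntax):
# (source prefix, mapped destination, real destination). Longest prefix wins,
# with 0.0.0.0/0 acting as the default for everyone else.
POLICY = [
    (ipaddress.ip_network("2.2.2.0/24"), Endpoint("1.1.1.1", 80), Endpoint("1.1.1.2", 81)),
    (ipaddress.ip_network("0.0.0.0/0"), Endpoint("1.1.1.1", 80), Endpoint("192.168.1.1", 80)),
]


def static_translate(dst):
    """One-to-one static: same answer for every client, or None if no static."""
    return STATIC.get(dst)


def policy_translate(src, dst):
    """Pick the real destination by longest-prefix match on the client source."""
    src_ip = ipaddress.ip_address(src)
    best = None  # (prefix length, real endpoint)
    for net, mapped, real in POLICY:
        if mapped != dst or src_ip not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, real)
    return best[1] if best else None


def sources_get_different_backends(a, b, dst, translate):
    """True if the given translation function actually splits the two clients."""
    return translate(a, dst) != translate(b, dst)


if __name__ == "__main__":
    dst = Endpoint("1.1.1.1", 80)
    print("static :", static_translate(dst), static_translate(dst))
    print("policy :", policy_translate("2.2.2.7", dst), policy_translate("3.3.3.7", dst))
```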

cpalmerloopt Thu, 05/21/2009 - 15:13

Thanks. I did some basic reading/trying and couldn't see it happening, but it was an odd case and you never know...


BrinksArgentina Thu, 05/21/2009 - 15:18

This kind of policy NAT and balanced internet connection are two of the most important ASA missing features.


Thanks for rating

darkbeatzz Fri, 05/22/2009 - 00:19

The solution to your problem is to use Check Point :-)

cpalmerloopt Fri, 05/22/2009 - 08:06

Oh OK :)

We could perform this stuff post-ASA (i.e. on an F5 BIG-IP), but that equipment isn't in place at the moment. I was hoping that the ASA had a couple more features than the thousands it already possessed!
