Hi again,

As I expected, it just cut all connections, but it did not solve anything.

Regarding into the logs, nothing is logged for the IP I set when I try to SSH on it (that's the port I wanna join from outside).

As a precision, the firewall is working in routed mode.

Can you post the firewall config togther with the details of the IP address you are trying to NAT and to what address you are Natting.

Also for future reference instead of just "clear xlate" which will indeed cut all connections, you can specify the exact xlate you want to clear.

Jon

I won't post my config here because :

     -it is huge

     -I will have to mask a couple of things and that's boring

     -this won't help anyone (would my config give a clue on such a generic question ?!!!)

Let's say I have the IP block 1.2.3.0/24. My outside interface is 1.2.3.1.

I wanna use 1.2.3.2 for my DMZ server to respond (on the outside interface using NAT between DMZ and outside).

If you need numbers, just let's say my DMZ is 192.168.1.0/24 and that my server is 192.168.1.1

As I said I already successfully had my DMZ server serving using interface IP, but when I translate the rules for the new IP, this just give nothing (no service and no log).

My question is so simple :

how do you configure that behavior?

Another way to explain what I wanna do :

How to handle multiple IP addresses on a single outside interface (so more that 1 server can respond to a given port)?

I won't post my config here because :

     -it is huge

     -I will have to mask a couple of things and that's boring

     -this won't help anyone (would my config give a clue on such a generic question ?!!!)

Hmmm strange, you come to this forum asking for help but seem to know exactly what should and shouldn't be provided in order to help you. Perhaps you should be answering questions and not asking them.

outside IP = 1.1.1.10  (this is not the outside interface ip)

dmz IP = 192.168.5.10

static (dmz,outside) 1.1.1.10 192.168.5.10 netmask 255.255.255.255

access-list outside_in permit tcp any host 1.1.1.10 eq 80

1) the 1.1.1.10 address must be routed by your ISP to the outside interface of your firewall

2) you must have proxyarp enabled on the outside interface of your firewall for this to work. Should be enabled by default unless you have specifically disabled it (which is why i asked for your config)

I'm assuming you removed the old static translation using your outside interface address before entering the new one ?

Jon

Jon,

Thank you very much.

That was obvious : in order to get the ASA answer for a request that is not destinated to it, enable proxy ARP on the desired interface.

So it's now working as expected.

You will notice you did not need my conf at all

So to answer my own question :

     -have a valid NAT rule

     -have a valid access rule

     -enable ARP proxy on the outside interface so the device will respond to ARP requests not destinated to it

I did not enabled this feature because it is an "interface wide" parameter, without the possibility to have an override for explicit parameters(as far as I know, see my last question). I thought the ASA would do the "magic" (I hate that, I'm a supporter of "explicit is good") for me, as it like to do so in many situations (like responding to ping on the outside when enabling SSL VPN among others, if you guys have solutions or explanation on that...)

Just to go further in the discussion:

Now that I have ARP proxy on the oustide interface, this prevents me from having another device "next to" the firewall on the same subnet(as opposed to "behind").True?

Thanks again

That's terrific

I'm not using that scenario but I could one day or another.

Thank you Jon again.