Natting

Unanswered Question
Jul 29th, 2010

    HI


I want to configure two NAT statements with my single local IP for my mail server. Is it possible to create another router with the same local IP for another external IP? I am using an ASA 5505.


Right now I have


static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255


static (inside,outside) yyy.yyy.yyy.yyy  192.168.12.49 netmask 255.255.255.255  ( I want to do like this)



Thanks

Amardeep Rana

Rahul Govindan Thu, 07/29/2010 - 05:01

No. I think it will complain about duplicate entries to the first static when you try to enter the second static command.

Jitendriya Athavale Thu, 07/29/2010 - 05:18
User Badges:
  • Cisco Employee,

This will not be possible. You can map ports if you have a specific example,

for example


static (inside,outside) tcp xxx.xxx.xxx.xxx 25 192.168.12.49 25 netmask 255.255.255.255
static (inside,outside) tcp yyy.yyy.yyy.yyy  22 192.168.12.49 22 netmask 255.255.255.255


But just curious, wouldn't your server complain of an IP conflict in your internal network, as 2 devices have the same IP?

Amardeep Kumar Thu, 07/29/2010 - 05:25

HI


I have only one server, with a local IP of 192.168.12.49. But I want to create two NAT routes with this, and I get the error of duplicity..



Thanks

Amardeep Rana

Amardeep Kumar Thu, 07/29/2010 - 05:26

HI


Yes, you are right, this is giving me the same error of duplicity.

So you mean I am not able to map a single local IP to my other two external IPs.

Any idea how I can do it..



Thanks

Amardeep Rana

Jitendriya Athavale Thu, 07/29/2010 - 05:30
User Badges:
  • Cisco Employee,

As I said, the only option is static PAT, wherein you can map specific ports.

The reason is simple: when the server is sending a packet out, it will not know which public IP to use.

Can you elaborate more on what service this host is running,

whether the 2 IPs need to be translated on the same interface, and

why exactly you need to translate it to 2 IPs unless the server is running 2 services?

Amardeep Kumar Thu, 07/29/2010 - 05:38

HI


This is my mail server, and I want to keep it up all the time. Sometimes my primary ISP goes down, so I have to roll over to the backup ISP. So I want to map the same server to the two ISPs' external IPs, so that the server can be up all the time.



Thanks

Amardeep Rana

Nagaraja Thanthry Thu, 07/29/2010 - 05:47
User Badges:
  • Cisco Employee,

Hello,


Are both your ISPs connected to the same outside interface? If yes, my earlier post has the configuration example that will achieve what you are looking for. If they are on different interfaces of the firewall, then you need not worry about duplicate entries and can just configure normal static NAT.


static (inside,ISP1) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255


static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255


The firewall will choose the static based on the outgoing interface.


Hope this helps.


Regards,


NT
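
Added example, not part of any post in this thread: a small Python check that reads pre-8.3 `static` lines and reports the case the replies describe as rejected, namely the same real host (and, for static PAT, the same protocol and port) mapped twice on the same interface pair. The sample configuration is constructed, its public addresses are documentation ranges, and only the two `static` forms quoted in the thread are parsed.

```python
import re
from collections import defaultdict

# Pre-8.3 "static" forms quoted in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip netmask MASK            (static NAT)
#   static (real_if,mapped_if) tcp|udp mapped_ip port real_ip port netmask MASK  (static PAT)
# Policy statics ("... access-list NAME") are deliberately not parsed.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+\S+\s+\S+\s+(?P<pat_real>\S+)\s+(?P<real_port>\S+)"
    r"|\S+\s+(?P<nat_real>\S+))\s+netmask\s+\S+$"
)

def parse_statics(config_text):
    """Return one dict per recognised static line."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            rules.append({
                "line": line,
                "pair": (m["real_if"], m["mapped_if"]),
                "real_ip": m["pat_real"] or m["nat_real"],
                # None = whole-host static NAT; (proto, port) = static PAT
                "service": (m["proto"], m["real_port"]) if m["proto"] else None,
            })
    return rules

def find_duplicates(rules):
    """Pairs of lines that map the same real host (and same service, for PAT)
    on the same interface pair, which the thread reports as a duplicate error."""
    seen = defaultdict(list)
    dupes = []
    for r in rules:
        key = (r["pair"], r["real_ip"], r["service"])
        dupes.extend((prev, r["line"]) for prev in seen[key])
        seen[key].append(r["line"])
    return dupes

# Constructed sample; public addresses are documentation ranges, not from the thread.
SAMPLE = """\
static (inside,outside) 203.0.113.10 192.168.12.49 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.12.49 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 25 192.168.12.62 25 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.13 22 192.168.12.62 22 netmask 255.255.255.255
static (inside,ISP1) 203.0.113.20 192.168.12.59 netmask 255.255.255.255
static (inside,ISP2) 198.51.100.20 192.168.12.59 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for first, second in find_duplicates(parse_statics(SAMPLE)):
        print("duplicate real host on same interface pair:\n  %s\n  %s" % (first, second))
```

Only the first two sample lines are reported; the static PAT pair on different ports and the pair split across ISP1 and ISP2 pass, matching what the replies say the firewall accepts.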

Amardeep Kumar Fri, 07/30/2010 - 01:32

HI Nagaraja Thanthry,,


I think your answer worked for me and I was able to make two routes. But as I created the second route, my internet stopped working.

static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255

As I put in this command, my first entry stopped working. Internet was not working on the same server whose IP I am using for the two routes. To resolve the issue I had to remove both of the entries from the ASA and map another IP to my mail server, and after that it started running. The 192.168.12.49 server stopped running after my second static command.

I tried clear xlate but in vain.

Please suggest

Thanks

Nagaraja Thanthry Thu, 07/29/2010 - 05:41
User Badges:
  • Cisco Employee,

Hello,


You can use policy-nat.


access-list PNAT1 permit ip host 192.168.12.49 any


access-list PNAT2 permit ip host 192.168.12.49 any


static (inside,outside) xxx.xxx.xxx.xxx access-list PNAT1


static (inside,outside) yyy.yyy.yyy.yyy access-list PNAT2


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml


Hope this helps.


Regards,


NT

Amardeep Kumar Thu, 07/29/2010 - 05:52

HI


Let me try this configuration. I will update soon.



Thanks

Amardeep Rana

Amardeep Kumar Fri, 07/30/2010 - 07:07

HI


I have A records on GoDaddy for some of my servers. I have created NAT from local IP to external IP, and I access those servers by name. I made some changes on the ASA 5505, and after that none of the IPs was pinging outside. I had to change all of my static routes to different IPs; after that they are running. Is there any issue the second ISP router can create? What is the role of xlate? Please suggest, I don't have many IPs in my pool. Please help.



Thanks

Amardeep K

Nagaraja Thanthry Fri, 07/30/2010 - 07:14
User Badges:
  • Cisco Employee,

Hello,


Can you please post the output of "show run interface", "show run static", and "show run route" here? You can sanitize your IP addresses if you like.


Regards,


NT

Amardeep Kumar Fri, 07/30/2010 - 07:23

HI


Output of these three Commands


ciscoasa(config)# sh run interface
!
interface Vlan1
nameif inside
security-level 100
ip address Local IP 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address Extrenal 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 22

sh run static
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.62 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.59 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.100 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.41 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx exchange01 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.65 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.19 netmask 255.255.255.255

(I had to recreate all the statics again, as I was not able to access them after the dual ISP setup, or after putting in this command:
static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255.)

show run route
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1


Thanks

Amardeep Rana

Nagaraja Thanthry Fri, 07/30/2010 - 07:32
User Badges:
  • Cisco Employee,

Hello,


Did you have another interface (Vlan 22) named ISP2? Did you by any chance use the "backup-interface" configuration on the firewall? Can you please post the configuration with the second ISP interface here?


Regards,


NT

Amardeep Kumar Fri, 07/30/2010 - 07:44

Hi ,



I have used this config, but as I got the issue I rebooted my ASA.


ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address Backup Isp 2 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 Primary ISP Exteral IP 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 Backup    (Isp )

Check also

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1

route backup-isp 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  2

global (backupisp) 1 interface

access-group 10 in interface backupisp

Finally I put this command

static (inside,backup-isp) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255

Thanks

Amardeep K

Nagaraja Thanthry Fri, 07/30/2010 - 09:34
User Badges:
  • Cisco Employee,

Hello,


I see that there are no NAT rules for the primary interface in your configuration. Let's try the following:

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# no backup interface vlan 3

Amardeep Kumar Fri, 07/30/2010 - 10:03

Hi NJ,


I will try your configuration in off hours. But please explain the last command, when there is no Vlan 3 in my config.


ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# no backup interface vlan 3



Here I want to know what the reason could be that I had to change all the static routes, and that the new records are running.

Suppose I had the statics below before.


static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.56 netmask 255.255.255.2     (This was running before I set up dual ISP)
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.77 netmask 255.255.255.2     (This was running before I set up dual ISP)


But I did not save anything on the ASA and rebooted it. After the reboot, both of the upper statics did not run. I tried xlate. But.....


Then I had to create new statics, and then I was able to access with the new IP.


static (inside,outside) yyy.yyy.yyy.yyy 192.168.12.56 netmask 255.255.255.2 
static (inside,outside) yyy.yyy.yyy.yyy 192.168.12.77 netmask 255.255.255.2


Please help


Thanks

Amardeep Rana

Nagaraja Thanthry Fri, 07/30/2010 - 10:16
User Badges:
  • Cisco Employee,

Hello,


The issue could be that the ISP router had wrong ARP entry for those IP addresses. You might want to reboot your ISP router (or talk to them and have them flush their ARP cache).


Hope this helps.


Regards,


NT

Amardeep Kumar Thu, 08/05/2010 - 04:06

HI NT,


I have an 1841 router that is given by the ISP to terminate the link, and they handle this router themselves. I have rebooted that router, but after that I am again not able to access the old IP series. I mean, when I create a NAT route from local to live IP, it does not work. Please help..


Thanks

Amardeep Rana
