10-09-2014 07:52 PM - edited 03-11-2019 09:54 PM
We currently have three batch servers that send batch files out to customers; we don't accept connections inbound (no connections initiated from the customer to us). Currently those batch servers pass through an old Cisco CSS (Content Services Switch), and when they do, it basically NATs those three source IPs into a single IP (172.31.2.4). On the ASA there's a static NAT that NATs that single IP to a public IP. No big deal so far, and this all works for active and passive FTP connections.
Now we want to remove those old CSSs so the batch servers would pass through the network to the external firewalls without being NATted (unlike what is happening today, when they are NATted to 172.31.2.4). I want to know: if I create a dynamic (PAT) NAT on the ASA to take those three batch server IP addresses and NAT them to a single IP, does anyone see a problem with that? Will active and passive FTP continue to work? I assume it will. I believe a static NAT would not work in this scenario and that I would need to use dynamic (PAT). Thoughts?
10-09-2014 08:24 PM
Hi,
So, if I understand it correctly, this was the setup with the CSS in place:
Three IPs >> CSS >> 1 IP >> ASA >> Public IP
Now:
Three IPs >> ASA >> Public IP
Now, as the server is behind the ASA device, you would need a separate Static PAT/Static NAT for each IP for the servers to get it to work.
Please let me know if you have any queries.
Thanks and Regards,
Vibhor Amrodia
10-09-2014 10:12 PM
Does that mean I now also need a separate public IP for each? Or simply just a separate static NAT for each source IP to the same public IP?
Example:
Nat (inside,outside) 1 source static object-172.16.1.1 public-ip01
Nat (inside,outside) 2 source static object-172.16.1.2 public-ip01
Nat (inside,outside) 3 source static object-172.16.1.3 public-ip01