ASA NAT questions

han_valk
Level 1

Situation:

ASA 5505 gets its static IP address on the outside interface through DHCP.

ISP routes a /29 to that DHCP assigned address.

Traffic from LAN to internet uses a Dynamic PAT (Hide) rule in section 3. The translated packet's source address is the IP address assigned through DHCP which is fine for clients on the LAN browsing the internet.

What I would like to achieve:

Access from internet to multiple servers on LAN while preserving as much of the /29 block as possible.

The public IP address that is used to access the server on the LAN must also be the IP address that is used as the source address for any traffic originating from that server and destined to the internet. It must not be the DHCP assigned address that is used by other hosts on the LAN using the Dynamic PAT (Hide) rule.

What I have tried:

Network Object NAT achieves that two-way relationship where the public IP address for that particular server is the same in both directions, but at the cost of a public IP address for every server, see http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_objects.html#wp1119793.

Network Object PAT gives the possibility to publish multiple hosts with different services/ports using one public IP address, see http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_objects.html#wp1140516. But in that case the outgoing public IP address is the DHCP assigned one and that is not what I want.

Why do I want this:

I want the incoming and outgoing public IP address of my mail server to be the same and yet be able to use that same public IP address for a webserver that is running on another host.

Is this possible with an ASA?

Maybe it's my way of thinking but I think it is odd when traffic from the internet to a server on the LAN uses one public IP address and traffic from that server to the internet uses another.

Thanks in advance,

Han.

Accepted Solution

You can combine these different methods and configure different NAT-rules for incoming and outgoing traffic. For Incoming Traffic it could look like the following:

object network PUBLIC-IP1
 host 192.0.2.10

object network Webserver-HTTP
 host 10.10.10.80
 nat (inside,outside) static PUBLIC-IP1 service tcp 80 80

This will not match on outgoing traffic, so you need another rule:

object network WEBSERVER
 host 10.10.10.80
nat (inside,outside) after-auto source dynamic WEBSERVER PUBLIC-IP1

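Added example, not part of the thread: a small Python model of how the ASA walks its unified NAT table (section 1 manual NAT, section 2 object NAT, section 3 after-auto) over the rules in the answer above plus the original poster's section-3 hide PAT rule. The DHCP-assigned outside address 198.51.100.7 and the outside hosts are constructed values. It shows why the static "service tcp 80 80" rule does not match the webserver's own outbound connections (ephemeral source port), that the after-auto rule gives them PUBLIC-IP1, and that the after-auto rule must sit before the catch-all hide rule, because section 3 is evaluated in configuration order.

```python
from dataclasses import dataclass
from typing import List, Optional

DHCP_ADDR = "198.51.100.7"   # constructed: the outside address the ISP assigns via DHCP

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    section: int            # 1 = manual NAT, 2 = object NAT, 3 = after-auto
    real: str               # inside host, or "any" for the hide rule
    mapped: str             # public address used on the outside
    static: bool            # static rules match both directions, dynamic only inside->outside
    port: Optional[int] = None   # "service tcp 80 80": real and mapped TCP port are both 80

def first_match(rules: List[Rule], pkt: Pkt, inbound: bool) -> Optional[Rule]:
    """Walk the table section 1, then 2, then 3; sorted() is stable, so configuration
    order survives within a section (section 2 is auto-ordered by the ASA, irrelevant here)."""
    for r in sorted(rules, key=lambda r: r.section):
        if inbound:
            if r.static and pkt.dst == r.mapped and (r.port is None or pkt.dport == r.port):
                return r
        elif r.real in ("any", pkt.src) and (r.port is None or pkt.sport == r.port):
            # the static service rule needs source port 80; the webserver's own outbound
            # connections use ephemeral source ports, so that rule is skipped here
            return r
    return None

def translate(rules: List[Rule], pkt: Pkt, inbound: bool = False) -> Pkt:
    """Return the packet as it leaves the ASA (unchanged when no rule matches)."""
    r = first_match(rules, pkt, inbound)
    if r is None:
        return pkt
    if inbound:
        return Pkt(pkt.src, pkt.sport, r.real, pkt.dport)     # destination un-NAT
    return Pkt(r.mapped, pkt.sport, pkt.dst, pkt.dport)       # source NAT

# The rules from the accepted answer plus the original poster's section-3 hide rule
STATIC_WEB = Rule(2, "10.10.10.80", "192.0.2.10", static=True, port=80)   # object Webserver-HTTP
AFTER_AUTO_WEB = Rule(3, "10.10.10.80", "192.0.2.10", static=False)       # after-auto WEBSERVER -> PUBLIC-IP1
HIDE_PAT = Rule(3, "any", DHCP_ADDR, static=False)                        # dynamic PAT (hide) for the LAN

CORRECT_ORDER = [STATIC_WEB, AFTER_AUTO_WEB, HIDE_PAT]   # webserver rule precedes the catch-all
WRONG_ORDER = [STATIC_WEB, HIDE_PAT, AFTER_AUTO_WEB]     # hide rule configured first: it wins for 10.10.10.80 too
```

On the ASA itself the position within section 3 is controlled by the optional line number after `after-auto` (for example `after-auto 1` inserts the rule at the top of that section). Inbound TCP/25 to PUBLIC-IP1 matches nothing in this model, which is why the mail server needs its own static service rule.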

2 Replies

Tnx! That did the job.

Regards,

Han.
