[ASA] Port redirect from multiple public IP to single inside IP

robertson.dias
Level 1

Hi People,

I have a problem with static NAT statements on an ASA 5510. This is the scenario:

Public IP 1 => 1.1.1.1

Public IP 2 => 1.1.1.2

Internal cluster IP => 2.2.2.2

When public connections arrive at the outside interface, the ASA should use static NAT to redirect them to the inside cluster host, which redistributes them to the server pool correctly, according to:

- connections to 1.1.1.1 tcp port 80, static NAT redirects to 2.2.2.2 port 80

- connections to 1.1.1.2 tcp port 80, static NAT redirects to 2.2.2.2 port 80

Currently I use proxy ARP on the outside interface to announce public IPs 1 and 2.

The trouble is that when I configure the second NAT statement, the ASA doesn't allow it because of a duplicate match on IP address/port.

My question: is it possible to create this scenario?

Thanks

Robertson


4 Replies

Nagaraja Thanthry
Cisco Employee
Accepted Solution

Hello,

Please try the following:

access-list pnat1 permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.1 80 access-list pnat1
access-list pnat2 permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.2 80 access-list pnat2

Hope this helps.

Regards,

NT
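The policy-NAT pair from the reply above, completed with the outside interface ACL and the verification commands an operator would run. This is an added example, not configuration from the thread or from Cisco; it assumes the pre-8.3 ASA syntax the reply uses (on that code the interface ACL references the mapped, public address), the ACL name OUTSIDE_IN is a placeholder chosen here, and 203.0.113.10 is a constructed test source address.

```asa
! Added example, not from the thread. Pre-8.3 ASA syntax assumed.

! Policy NAT: each ACL describes the real (inside) source, 2.2.2.2/tcp 80,
! towards any outside destination; the static line binds it to one public address.
! Because each static is tied to its own ACL, the two entries do not collide
! the way two plain "static ... 1.1.1.x 80 2.2.2.2 80" lines would.
access-list pnat1 extended permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.1 80 access-list pnat1
access-list pnat2 extended permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.2 80 access-list pnat2

! Inbound interface ACL (name OUTSIDE_IN is a placeholder): permit only TCP/80
! to the two published addresses; everything else hits the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.2 eq 80
access-group OUTSIDE_IN in interface outside

! Verification: confirm both translations exist and trace a test packet
! (203.0.113.10 is a constructed source address) through NAT and the ACL.
show running-config static
show xlate
packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.1 80
packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.2 80
```

The packet-tracer output should show the NAT phase translating the destination to 2.2.2.2/80 and the ACCESS-LIST phase allowed for both public addresses; a drop in either phase points at the ACL or the static that needs correcting.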

Ok, the firewall accepted the commands, but I believe that the ACL order is reversed.

1)

access-list pnat1 extended permit tcp host 2.2.2.2 eq www any

Here, the connection from 2.2.2.2 tcp port 80 is allowed to any.

2)

access-list pnat1 extended permit tcp any host 2.2.2.2 eq 80

Here, the connection NATed from the Internet is allowed to 2.2.2.2 port 80.

Which is correct to create the NAT? 1 or 2?

Thanks again.

Robertson

** I haven't done any real test yet, only configuration.

Panos Kampanakis
Cisco Employee

You can't do what you are trying to achieve.

2 source IP addresses cannot be translated to one IP/port (2.2.2.2/80). The firewall would not be able to know where to send a packet that is destined to 2.2.2.2/80.

I hope it makes sense.

PK

Thanks PK, I'll try the first option. I believe that it will work. I'll post any news here.