I have a public IP and port (188.8.131.52:80) that is translated to a private IP:
static (inside,outside) 184.108.40.206 192.168.1.1 netmask 255.255.255.255
The ACL applied inbound on the outside interface permits any hosts to 220.127.116.11:80.
My question is: can I policy-translate the destination IP:port for outside clients that match specified subnets? (i.e. hosts coming from 18.104.22.168/8 to 22.214.171.124:80 are translated to 126.96.36.199:81)
(and any necessary static and ACL additions would be performed).
I don't understand why you would want to do this if both public IPs are in the same range?
If they are, then just have a static NAT to 188.8.131.52:81 and limit access to it with an ACL?
Basically, the public IP is advertised in DNS, and could be hard-coded in an application. However, depending on the client source IP, they may need to be serviced by a different backend server.
I don't understand.
Do you need clients from 184.108.40.206 to be mapped to 192.168.1.1 and clients from 220.127.116.11 to be mapped to 192.168.1.22, for example?
Yes, that's basically it. Both sets of clients would attempt to connect to 18.104.22.168:80 (for example), but their true destination IP:port would be decided based on their source IP. Does that help clarify?
This kind of policy NAT and balanced internet connection are two of the most important ASA missing features.
Thanks for rating
Oh OK :)
We could perform this stuff post-ASA (i.e. on an F5 BIG-IP), but that equipment isn't in place at the moment. I was hoping that the ASA had a couple more features than the thousands it already possessed!