Community Member

Can ASA do a many-to-one translation?

I have two external public IPs that used to be mapped one-to-one to two internal private IPs. Now, I want to get rid of one of my internal servers but I want to continue to use my two public IPs but both going to the same server.

Can I do something like this:

static (outside,inside) xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (outside,inside) yyy.yyy.yyy.yyy 110 192.168.7.7 110

So incoming SMTP traffic to the "x" public IP goes to the same server as POP3 traffic does when it is sent to the "y" IP.

Also, since the SMTP server is also going to be sending out email, will I need another "static (inside,outside)" translation for outgoing traffic too or will the previous translation do the outgoing traffic also?

For example, do I need a:

static (inside,outside) 192.168.7.7 25 xxx.xxx.xxx.xxx 25

(or have I got my IPs reversed?)

3 REPLIES

Re: Can ASA do a many-to-one translation?

Yes, you can

static (outside,inside) tcp xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (outside,inside) tcp yyy.yyy.yyy.yyy 110 192.168.7.7 110

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043281

Community Member

Re: Can ASA do a many-to-one translation?

Do you know if I have to put in a new separate "static (inside,outside)" entry to make sure outgoing email port 25 SMTP traffic appears to come from the "xxx.xxx.xxx.xxx" address, or is that taken care of already by the "static (outside,inside)" line?

The outgoing email will be traffic initiated by the server, not part of any existing connection that may be incoming and already in the NAT table.

Re: Can ASA do a many-to-one translation?

oops... sorry

must be

static (inside,outside) tcp xxx.xxx.xxx.xxx 25 192.168.7.7 25

static (inside,outside) tcp yyy.yyy.yyy.yyy 110 192.168.7.7 110

access-list OUTSIDE-IN permit tcp any host yyy.yyy.yyy.yyy eq 110

access-list OUTSIDE-IN permit tcp any host xxx.xxx.xxx.xxx eq 25

access-group OUTSIDE-IN in int outside

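Added example, not part of the original thread and not Cisco tooling: a small Python check that reads static PAT and access-list lines in the syntax used above and reports a reversed interface pair, a published port with no inbound permit, and a permit with no matching static. The names audit and SAMPLE_CONFIG and the port 143 line are constructed for illustration; it assumes numeric ports and the pre-8.3 static syntax shown in the replies.

```python
import re

# Constructed sample: the corrected configuration from the last reply,
# plus one hypothetical stale rule (port 143) added to show a finding.
SAMPLE_CONFIG = """\
static (inside,outside) tcp xxx.xxx.xxx.xxx 25 192.168.7.7 25
static (inside,outside) tcp yyy.yyy.yyy.yyy 110 192.168.7.7 110
access-list OUTSIDE-IN permit tcp any host yyy.yyy.yyy.yyy eq 110
access-list OUTSIDE-IN permit tcp any host xxx.xxx.xxx.xxx eq 25
access-list OUTSIDE-IN permit tcp any host xxx.xxx.xxx.xxx eq 143
access-group OUTSIDE-IN in int outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in int(?:erface)? (\S+)$")


def audit(config):
    """Return a sorted list of findings for static PAT / ACL mismatches."""
    published, permitted, bound = set(), {}, {}
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mapped_ip, mapped_port = m.groups()[:5]
            if real_if == "outside":  # first name is the real-side interface
                findings.append(f"interface order looks reversed: {line}")
                continue
            published.add((mapped_if, proto, mapped_ip, mapped_port))
        elif m := ACL_RE.match(line):
            name, proto, ip, port = m.groups()
            permitted.setdefault(name, set()).add((proto, ip, port))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> inbound ACL name
    for mapped_if, proto, ip, port in published:
        acl = bound.get(mapped_if)
        if (proto, ip, port) not in permitted.get(acl, set()):
            findings.append(f"no inbound permit for {proto} {ip}:{port}")
    exposed = {(p, i, pt) for _, p, i, pt in published}
    for ifname, acl in bound.items():
        for proto, ip, port in permitted.get(acl, set()) - exposed:
            findings.append(f"permit without static: {proto} {ip}:{port}")
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports only the constructed port 143 permit; the lines from the last reply pass cleanly.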