How do I go about accomplishing this?

david.tran
Level 4

I don't have an ASA to test this at the moment, so I have to ask.

I have a Checkpoint firewall with only two interfaces, internal and external. The internal interface has an IP address of 192.168.1.254/24. The external interface has an IP address of 1.1.1.254/24. On the internal-facing side, I have two Linux hosts, linux1 (192.168.1.1/24) and linux2 (192.168.1.2). Both Linux hosts have static NAT to public IP addresses as follows:

linux1 192.168.1.1 static NAT to 1.1.1.1

linux2 192.168.1.2 static NAT to 1.1.1.2

Now here is my issue:

Host linux1 must be able to communicate with host linux2 using the public IP address. In other words, host linux1 must be able to telnet to host linux2's public IP address of 1.1.1.2: from host linux1, I must be able to "telnet 1.1.1.2" and see a login prompt.

On the Checkpoint firewall, I can easily accomplish this by hiding the source IP address 192.168.1.1/24 behind the firewall interface 1.1.1.254 and then translating the destination 1.1.1.2 to 192.168.1.2. Very easy, and it works.

How do I go about doing this with the ASA WITHOUT using DNS server (i.e. implementing alias)?

Thanks in advance

6 Replies

Julio Carvajal
VIP Alumni

You are looking for the U-turning configuration setup.

If DNS doctoring is out of the picture, that's your only option.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Eddy Duran
Level 1

David,

If you need to access the servers by using their Public IP, you can apply the following NAT:

8.2 and earlier:

! Inside-to-inside static NAT: mapped (public) address first, real address second
static (inside,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (inside,inside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255
! Required so traffic can enter and leave the same interface
same-security-traffic permit intra-interface

8.3 and later:

object network obj-1.1.1.1
 host 1.1.1.1
object network obj-192.168.1.1
 host 192.168.1.1
object network obj-1.1.1.2
 host 1.1.1.2
object network obj-192.168.1.2
 host 192.168.1.2
! Twice NAT: source is left untranslated (any -> any), destination public -> real
nat (inside,inside) source static any any destination obj-1.1.1.2 obj-192.168.1.2 no-proxy-arp
nat (inside,inside) source static any any destination obj-1.1.1.1 obj-192.168.1.1 no-proxy-arp
! Required so traffic can enter and leave the same interface
same-security-traffic permit intra-interface

This will tell the ASA to translate the packets with a destination of 1.1.1.x to 192.168.1.x.

Hope this helps.

Please rate if you find it useful.

-Eddy Duran
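The following is an added example, not configuration posted in this thread, that puts the pieces of the question and of the 8.3+ answer above into one complete ASA 8.3+ configuration for the topology David describes (inside 192.168.1.254/24, outside 1.1.1.254/24, linux1 and linux2 statically mapped to 1.1.1.1 and 1.1.1.2). It goes one step beyond the answer above: the source of the hairpinned connection is hidden behind the inside interface address, which is the same thing David does on the Checkpoint. Without that, an identity source translation ("source static any any") leaves the packet arriving at linux2 with source 192.168.1.1, linux2 answers 192.168.1.1 directly on the shared subnet, the ASA never sees the SYN/ACK, and the telnet handshake fails. The object names and the interface name "outside" are assumptions for this example.

```text
! Added example (not from this thread): ASA 8.3+ hairpin / U-turn NAT for the
! topology in the question. Object names and the interface name "outside" are
! assumed for this example.
!
! Allow traffic to enter and leave the same interface (inside -> inside)
same-security-traffic permit intra-interface
!
! Real addresses of the two hosts, each with its ordinary static NAT to the
! outside (object NAT, evaluated in NAT section 2)
object network linux1-real
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
object network linux2-real
 host 192.168.1.2
 nat (inside,outside) static 1.1.1.2
!
! Public addresses and the inside subnet, referenced by the hairpin rules
object network linux1-public
 host 1.1.1.1
object network linux2-public
 host 1.1.1.2
object network inside-net
 subnet 192.168.1.0 255.255.255.0
!
! Hairpin rules (twice NAT, NAT section 1, so they are matched before the
! object NAT above). A packet from the inside subnet to 1.1.1.2 is rewritten to
! destination 192.168.1.2, and its source is dynamically hidden behind the
! inside interface address (192.168.1.254), so linux2 replies to the ASA and
! the connection state stays in the firewall.
nat (inside,inside) source dynamic inside-net interface destination static linux2-public linux2-real
nat (inside,inside) source dynamic inside-net interface destination static linux1-public linux1-real
```

To check the result without a DNS server, run "packet-tracer input inside tcp 192.168.1.1 1025 1.1.1.2 23" on the ASA: the NAT phase should show the source translated to 192.168.1.254 and the destination to 192.168.1.2, with the packet leaving on inside. "show nat detail" shows hit counts on the two hairpin rules, and "show xlate" shows the dynamic PAT entry once linux1 connects. The trade-off of this design is that linux2's logs record the ASA's inside address rather than linux1's, which is the same effect David accepts on the Checkpoint.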

Julio Carvajal
VIP Alumni

Hello David,

I just created this document:

https://supportforums.cisco.com/docs/DOC-34107

I think this might help you and the rest of the community.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Your document and setup require a DNS server. What happens when a DNS server is not available?

Then you use the second option,

the U-turning one (of course your application should already be aware that, in order to connect to the other box, it will need to use the public IP address), which I think it already is.

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello David,

Do you have any other questions?

Otherwise you can mark the question as answered.

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC