While maintaining the above translation, we have been asked by the developers to allow direct access to 192.168.100.20 for a secure socket connection on port 443. I did a similar thing during a data center migration by doing this.
The configurations no longer exist but I can recreate them in the lab for you.
Trying to find a better way to explain.
Customer on outside interface needs to get to 192.168.100.20 and has been doing so for years. They use the static translation 188.8.131.52 to connect to 192.168.100.20.
It has become necessary to grant the customer on the outside interface direct access to 192.168.100.20 without translation while still allowing them access through the original static translation.
So the customer on the outside interface will be accessing both the new 192.168.100.20 and the old 184.108.40.206, but connecting to the same internal server 192.168.100.20. It works, I have done it, but is there a better way?
access-list outside line 1 extended permit icmp any host 220.127.116.11 (hitcnt=0) 0xf4592732
access-list outside line 2 extended permit tcp any host 18.104.22.168 eq www (hitcnt=3) 0xe2670b47
access-list outside line 3 extended permit tcp any host 22.214.171.124 eq https (hitcnt=1) 0x6b2d9f98
access-list outside line 4 extended permit icmp any host 192.168.100.20 (hitcnt=0) 0x8ab9d8f4
access-list outside line 5 extended permit tcp any host 192.168.100.20 eq www (hitcnt=1) 0xc67c07f6
access-list outside line 6 extended permit tcp any host 192.168.100.20 eq https (hitcnt=1) 0x7675a5b1
This passes the packet-tracer.
Thanks for your response. Lab configuration attached.
This is a private circuit in the lab environment; would it be helpful if I gave you the real addresses? Or can you pretend the customer network is trusted and routed to the gateway firewall where this configuration exists? No Internet, just customer to customer, like through a VPN tunnel?
If I am not making this clear please let me know and I will try again. I really need to solve this problem without using another firewall.
What Ajay has mentioned is correct. Now, as you said in the last note:
No Internet, just customer to customer, like through a VPN tunnel
If you only need connectivity between both sides without Internet, you do not need a routable public IP address. Now you are going to use identity NAT and also a static one-to-one; both are going to work.
The ASA will be able to send the packets that are getting to 126.96.36.199 to the inside host, and also, with proxy ARP, the identity NAT statement (192.168.100.20).
You already have the ACLs in place; that is all you need as long as, as Ajay said, they do not need to access 192.168.100.20 by the real IP address over the Internet (unless you have a VPN established).
Julio Carvajal Segura
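As an added example (not the lab configuration attached in the thread, and not Julio's or Ajay's configuration), the following shows how the existing one-to-one static and the new identity NAT for the same server can sit side by side on an ASA, together with the inbound ACL and the packet-tracer checks. It assumes ASA 8.3+ object NAT syntax; the object names and the customer test address 203.0.113.5 are made up, the mapped address 188.8.131.52 is the one the thread names, and the ACL name "outside" and the interface names come from the show access-list output above.

```cisco
! Added example, not the thread's attached lab config. Assumes ASA 8.3+ object NAT.
! Object names and the customer test address 203.0.113.5 are invented for illustration.

! Existing one-to-one static: customers keep reaching the server via 188.8.131.52.
object network SRV-A-MAPPED
 host 192.168.100.20
 nat (inside,outside) static 188.8.131.52

! New identity NAT: the same server is also reachable on its real address.
! Static NAT (identity included) proxy-ARPs the mapped address on "outside"
! by default; the customer side still has to route 192.168.100.20 toward the ASA.
object network SRV-B-IDENTITY
 host 192.168.100.20
 nat (inside,outside) static 192.168.100.20

! Inbound policy on the outside interface: both destinations listed explicitly,
! only the ports the developers asked for.
access-list outside extended permit tcp any host 188.8.131.52 eq https
access-list outside extended permit tcp any host 192.168.100.20 eq https
access-group outside in interface outside

! Checks from privileged EXEC. Both traces should end with "Action: allow",
! and the NAT phase should show the flow ending at 192.168.100.20 either way.
packet-tracer input outside tcp 203.0.113.5 40000 188.8.131.52 443
packet-tracer input outside tcp 203.0.113.5 40000 192.168.100.20 443
show nat detail
```

Two points worth checking after applying something like this. First, both rules are bidirectional statics for the same real host, and object NAT rules with the same real address are ordered within section 2 (static before dynamic, then by number and value of real addresses, then by object name), so the object names decide which address the server presents when it initiates connections outbound; the `show nat` output confirms the order. Second, the identity rule is what makes the untranslated 192.168.100.20 answerable on the outside interface, which is only appropriate because, as the thread says, that interface faces a private customer circuit or VPN and not the Internet.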