
is this possible with NAT on ASAs?

Is it possible to set up NAT translations to do the following on our
ASAs?

1) Have an external address (5.1.1.1) associated with an internal address (192.168.1.10)
so that any externally initiated internet traffic directed to 5.1.1.1 gets redirected
internally by the ASA to 192.168.1.10, and...

2) At the same time, associate the same external address (5.1.1.1) with a different
internal address (192.168.1.100) so that any traffic initiated internally from
192.168.1.100 outbound to the internet gets NATted with source address 5.1.1.1 by the ASA.

Basically we want the two to coexist, so that outside users initiating traffic to 5.1.1.1
always get directed to 192.168.1.10, while at the same time having any outbound traffic to
the outside world initiated from server 192.168.1.100 to get NATted to the same outside
address 5.1.1.1.

I am wondering if using policy NAT would allow the two to coexist but cannot find any
examples showing this.

3 REPLIES

is this possible with NAT on ASAs?

Hello Jshapura,

No, you cannot map 1 public IP address to 2 different hosts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

is this possible with NAT on ASAs?

Hi,

With policy NAT, I guess you can PAT 5.1.1.1 to 2 internal IPs while allowing outside users to hit one of the servers. Try the below...

access-list test extended permit ip host 192.168.1.10 any
access-list test extended permit ip host 192.168.1.100 any
!
! nat id 1: policy NAT for the two hosts matched by ACL test,
! PATted to the single global address 5.1.1.1
nat (inside) 1 access-list test
global (outside) 1 5.1.1.1
!
! nat id 2: all remaining inside hosts, PATted to the outside interface address
nat (inside) 2 0 0
global (outside) 2 interface

Nat 2 is for the rest of your internal hosts. If you already have Nat id 1 with internal hosts, add this as Nat 2 and it should work.

Your access list from outside to inside stays the same.

You may need to remove existing static (inside,outside) for 192.168.1.10 and clear the existing xlate.

Hope I understood your requirement correctly.

Thx

MS
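To make the posted nat/global lines concrete, here is an added Python model (constructed for this thread, not Cisco code) of the pre-8.3 translation order they rely on: statics first, then policy NAT id 1 (ACL test, PAT to 5.1.1.1), then regular NAT id 2 (PAT to the outside interface, assumed to be 5.1.1.2 here, over an assumed 192.168.0.0/16 inside range). It also shows the check that matters for requirement 1 of the question: a dynamic PAT only creates xlates for inside-initiated flows, so an outside-initiated packet to 5.1.1.1 is dropped unless a matching xlate or a static exists.

```python
from ipaddress import ip_address, ip_network
import itertools

# Constructed model of the posted pre-8.3 nat/global lines (not Cisco code).
ACL_TEST = {"192.168.1.10", "192.168.1.100"}  # access-list test: both hosts, any dest
GLOBAL_1 = "5.1.1.1"                          # nat (inside) 1 access-list test / global 1
OUTSIDE_IF_IP = "5.1.1.2"                     # assumed interface IP for global (outside) 2
INSIDE_NET = ip_network("192.168.0.0/16")     # assumed scope of nat (inside) 2 0 0


class AsaNatModel:
    def __init__(self, statics=None):
        self.statics = dict(statics or {})    # mapped_ip -> real_ip, bidirectional 1:1
        self.xlates = {}                      # (mapped_ip, port) -> (real_ip, port)
        self._ports = itertools.count(1024)   # PAT port pool, simplified to a counter

    def _pat(self, real_ip, real_port, pat_ip):
        mapped = (pat_ip, next(self._ports))
        self.xlates[mapped] = (real_ip, real_port)  # xlate lets the reply come back
        return mapped

    def outbound(self, src_ip, src_port):
        """Inside-initiated packet -> (mapped_ip, mapped_port), or None if nothing matches."""
        for mapped_ip, real_ip in self.statics.items():
            if real_ip == src_ip:                  # statics are checked first, port kept
                return mapped_ip, src_port
        if src_ip in ACL_TEST:                     # policy NAT id 1 beats regular NAT
            return self._pat(src_ip, src_port, GLOBAL_1)
        if ip_address(src_ip) in INSIDE_NET:       # nat (inside) 2 0 0 -> global 2 interface
            return self._pat(src_ip, src_port, OUTSIDE_IF_IP)
        return None

    def inbound(self, dst_ip, dst_port):
        """Outside-initiated packet -> (real_ip, real_port), or None when the ASA drops it."""
        if (dst_ip, dst_port) in self.xlates:      # return traffic of an existing session
            return self.xlates[(dst_ip, dst_port)]
        if dst_ip in self.statics:                 # only a static admits new inbound flows
            return self.statics[dst_ip], dst_port
        return None


def demo():
    asa = AsaNatModel()                            # exactly the posted config: no static
    out_100 = asa.outbound("192.168.1.100", 40000)  # ('5.1.1.1', 1024)
    out_10 = asa.outbound("192.168.1.10", 40001)    # ('5.1.1.1', 1025) same global address
    out_50 = asa.outbound("192.168.1.50", 40002)    # ('5.1.1.2', 1026) via nat id 2
    reply = asa.inbound("5.1.1.1", 1024)            # ('192.168.1.100', 40000) existing xlate
    unsolicited = asa.inbound("5.1.1.1", 80)        # None: dynamic PAT opens no inbound path
    return out_100, out_10, out_50, reply, unsolicited
```

Passing statics={"5.1.1.1": "192.168.1.10"} to AsaNatModel shows how a static changes the inbound result, which is why the post above mentions the existing static and xlate.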


Re: is this possible with NAT on ASAs?

Interesting question, but a number of suggestions for you.

Read about DNS doctoring.

Do NLB internally for the two machines, possible through Cisco ACE or an older Cisco CSS box!

And always remember, when a user has a session using link A to machine A, it must get back to the originator using the same link and cannot use link B or machine B to send the request backward!

Kamran

Sent from Cisco Technical Support iPad App
