
Many to One/Many "PAT" Translation with ASA and Load Balancer?

I am not sure if I am using the right terminology to describe this, but here is what I am trying to do. I have a single load balancer and I would like to be able to redirect traffic to 3 separate silos of Terminal Servers (Silo A, Silo B and Silo C), based on the public IP that an external user specifies in their TS Client.

For example:

I have 3 public IPs (69.xxx.xxx.001, 69.xxx.xxx.002 and 69.xxx.xxx.003) which users can enter into a TS Client. Traffic from the TS Clients will arrive at my ASA destined for TCP Port 3389 in all 3 cases.

I have a Load Balancer which has a single Private IP Address (10.1.1.207). I have the Load Balancer configured so that traffic which is destined for 69.xxx.xxx.001 on TCP Port 3389 goes to “Silo A”, traffic which is destined for 69.xxx.xxx.002 on TCP Port 3390 goes to “Silo B”, and traffic which arrives for 69.xxx.xxx.003 on TCP Port 3391 goes to “Silo C”.

So what I would like to configure the ASA to do is to “Translate” traffic from the Public side of my ASA as follows:

69.xxx.xxx.001 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3389 (Silo A)
69.xxx.xxx.002 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3390 (Silo B)
69.xxx.xxx.003 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3391 (Silo C)

My typical “One to One” NAT looks something like this:

static (inside,outside) 69.xxx.xxx.xxx 10.1.1.xxx netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 69.xxx.xxx.xxx eq 3389

I cannot seem to find a way to include Port Translation in the “static” command and I obviously cannot simply point 3 different Public IPs at a single Private IP and then do the “translation” within the access-list.

Any assistance is appreciated!

Brian

4 REPLIES

Many to One/Many "PAT" Translation with ASA and Load Balancer?

Hello,

The port-forwarding has to be like this:

static (inside,outside) tcp 69.xxx.xxx.001 3389 10.1.1.207 3389 netmask 255.255.255.255

static (inside,outside) tcp 69.xxx.xxx.002 3389 10.1.1.207 3390 netmask 255.255.255.255

static (inside,outside) tcp 69.xxx.xxx.003 3389 10.1.1.207 3391 netmask 255.255.255.255

That is all you need, by the way you are using 3 different publics right??

Please rate helpful post.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Many to One/Many "PAT" Translation with ASA and Load Balancer?

Thanks for the reply Julio, that part seems to be acceptable to the ASA (no errors!).

Will I have to do something special with the access list based on the translation? Will this work, or will I need to somehow reference the 3 different TCP Ports in the 3 access lists?

access-list outside_access_in extended permit tcp any host 69.xxx.xxx.xxx eq 3389

I would have the above access list for each of the "public IPs".

Brian


Many to One/Many "PAT" Translation with ASA and Load Balancer?

Sorry, I missed your question, but yes, I have 3 different Public IPs.

Brian

Many to One/Many "PAT" Translation with ASA and Load Balancer?

Hello,

Yes, that is all you need; point the access-list at the 3 different public IP addresses on their respective port.

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
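As an added illustration (not code from the thread), a small Python model of the three static PAT entries and the outside_access_in lines discussed above: it parses the pre-8.3 static and access-list syntax, rejects a static line that lacks the tcp keyword or runs its fields together, and evaluates an inbound flow the way a pre-8.3 ASA does (inbound ACL checked against the public address, then the destination port rewritten). The 203.0.113.x addresses are constructed stand-ins for the thread's 69.xxx.xxx.001-003.

```python
import re

# Constructed sample in the thread's pre-8.3 ASA syntax. 203.0.113.1-3 stand in for
# the three public addresses 69.xxx.xxx.001-003; 10.1.1.207 is the load balancer.
ASA_CONFIG = """
static (inside,outside) tcp 203.0.113.1 3389 10.1.1.207 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.2 3389 10.1.1.207 3390 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.3 3389 10.1.1.207 3391 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.1 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.3 eq 3389
"""

# static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask MASK]
STATIC_RE = re.compile(r"static \(\w+,\w+\) tcp (?P<mip>[\d.]+) (?P<mport>\d+) "
                       r"(?P<rip>[\d.]+) (?P<rport>\d+)(?: netmask [\d.]+)?$")
ACL_RE = re.compile(r"access-list \S+ extended (?P<action>permit|deny) tcp any host "
                    r"(?P<dst>[\d.]+) eq (?P<port>\d+)$")

def parse_config(text):
    """Return ([(mapped_ip, mapped_port, real_ip, real_port)], [(action, dst, port)]).
    A static line without the tcp keyword, or with its fields run together,
    does not parse and is rejected rather than silently ignored."""
    statics, acl = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := STATIC_RE.match(line):
            statics.append((m["mip"], int(m["mport"]), m["rip"], int(m["rport"])))
        elif m := ACL_RE.match(line):
            acl.append((m["action"], m["dst"], int(m["port"])))
        else:
            raise ValueError(f"malformed line: {line!r}")
    return statics, acl

def inbound(statics, acl, dst_ip, dst_port):
    """Decide an outside->inside TCP flow. On a pre-8.3 ASA the inbound ACL is
    matched against the mapped (public) destination, first match wins with an
    implicit deny, and only then does the static PAT entry rewrite the destination."""
    for action, ip, port in acl:
        if (ip, port) == (dst_ip, dst_port):
            if action == "deny":
                return ("deny", None, None)
            break
    else:
        return ("deny", None, None)          # no ACL match: implicit deny
    for mip, mport, rip, rport in statics:
        if (mip, mport) == (dst_ip, dst_port):
            return ("permit", rip, rport)    # forwarded to the load balancer port
    return ("no-translation", None, None)    # permitted but nothing to forward to
```

A client connecting to the second public address on 3389 is permitted by the ACL and lands on 10.1.1.207 port 3390; a client trying the second public address on 3390 is dropped because the ACL only permits 3389 on the public side.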