We have a new time clock service and have a few users that need to be able to remotely clock in to this service. The site's security system needs to be able to see a publicly accessible IP, but I have limited public IPs left and I won't be able to NAT them all 1 to 1. Is there a way to make this happen on the ASA: have multiple internal hosts NAT'd or mapped to a single external IP? Any ideas or pointers would be great.
This sounds like you need port forwarding. If your clock works with port 123/UDP, you can create a NAT rule to NAT that port to a public IP even if the IP has been used on another static translation (this applies to 1-to-1 translations).
As you know, this is going to overlap; however, it's possible, and the firewall can map that single port from the public IP to the private IP of the server.
This file has examples of NAT on code pre 8.3 and post:
Hi Jose, do you have any sample code or docs for v9.1? It looks like the site is port 80, but then it goes to HTTPS for the login to the time clock system. I need to get a few clients to be able to NAT to a single IP externally so they can clock in to this site. Any pointers would be great.
Yes, you can NAT all of the users behind a single IP or even use the interface IP of the egress interface. What version of code are you running on your ASA? The newer versions of code allow you to use a pool which doesn't require each host to have a unique external IP.
Thanks for the reply, Marius. Somehow I think the time clock site's admins may have done something, because it works now for anyone inside our network without me doing anything on the ASA. I'll keep the code handy for future needs. Thanks again.
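The single-address translation discussed in this thread, as an added example in ASA 8.3+ syntax (which covers 9.1); it is not from any of the posters. The object names, the `inside`/`outside` interface names and all addresses (RFC 1918 and documentation ranges) are assumptions to be replaced with real values.

```cisco
! Constructed example: placeholder names and addresses throughout.
! Internal clients that need to reach the time clock site.
object network TIMECLOCK-USERS
 subnet 192.168.10.0 255.255.255.0
! The one public address the remote site should see.
object network TIMECLOCK-PAT
 host 203.0.113.10
! The time clock site itself (placeholder address).
object network TIMECLOCK-SITE
 host 198.51.100.25
!
! Manual (twice) NAT: dynamic PAT of all listed clients to the single
! public address, but only for traffic destined to the time clock site.
! Other outbound traffic keeps using whatever NAT rules already exist.
nat (inside,outside) source dynamic TIMECLOCK-USERS TIMECLOCK-PAT destination static TIMECLOCK-SITE TIMECLOCK-SITE
!
! Simpler alternative when no spare public address is available:
! object NAT that hides the clients behind the outside interface IP.
! object network TIMECLOCK-USERS
!  nat (inside,outside) dynamic interface
!
! After applying, check rule order and hit counts with "show nat detail"
! and confirm the translated address and ports with "show xlate".
```

Because this is dynamic PAT, it only covers connections initiated from the inside; it does not open any inbound path to the clients the way a static port forward would.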