5484 Views · 0 Helpful · 8 Replies

NATing two public IPs to one private IP: HOWTO?

edwardwaithaka
Level 1

Hi,

I have an email server hosting two email domains, e.g. @sisco.com and @neatco.com, each resolved to two different public IPs (MX records etc.).

I have a Cisco 5510 ASA firewall at my perimeter and now I have the challenge of mapping the two public IPs to my mail server on the internal side.

How can I overcome this without having to give the server two separate private IPs, one for each email domain?

Thanks.

Edd.

8 Replies

andrew.prince
Level 10

Edd,

Mmmmmm, I'm pretty sure you cannot do this with static NAT statements; they would overlap... but you could try using an alias and see if that would work:

static (inside,outside) w.w.w.w x.x.x.x netmask 255.255.255.255

alias (inside) y.y.y.y z.z.z.z 255.255.255.255

w.w.w.w = 1st external IP address

x.x.x.x = Internal Server IP

y.y.y.y = Internal Server IP

z.z.z.z = 2nd external IP address

This is a guess - you will have to test, and it may not work.

HTH

Marwan ALshawi
VIP Alumni

let's say ur internal server is in the inside network with IP 192.168.1.1

and u have two public ips

1.1.1.1 and 2.2.2.2

now we gonna map any connection to these ips to that server

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside,outside) 2.2.2.2 192.168.1.1 netmask 255.255.255.255

if u wanna map only the SMTP port, for example,

do:

static (inside,outside) tcp 1.1.1.1 25 192.168.1.1 25 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 25 192.168.1.1 25 netmask 255.255.255.255

in this case only connections for tcp 25 will be mapped, while in the first example everything will be mapped

and if u wanna make it for more ports, like tcp 25 and other ports, do the same command for each port

BUT DON'T FORGET to make an access list that permits traffic coming to ur public IP address and apply it to the outside interface

for the first example here do the following ACL

access-list 100 permit ip any host 1.1.1.1

access-list 100 permit ip any host 2.2.2.2

access-group 100 in interface outside

for the second example we gonna allow only a specific port or ports

access-list 100 permit tcp any host 2.2.2.2 eq 25

access-list 100 permit tcp any host 1.1.1.1 eq 25

access-group 100 in interface outside

good luck

please, if helpful Rate

Hi marwanshawi,

I don't think this can happen. I get the error:

ERROR: duplicate of existing static

We tried policy NAT but that also doesn't work.

The policy NAT is also an alternative; say an RDP and HTTP example:

Ex.

Public IPs 200.200.200.1

200.200.200.2

Private IP 192.168.1.1

static (inside,outside) 200.200.200.1 access-list policy_nat_http1

static (inside,outside) 200.200.200.2 access-list policy_nat_rdp1

access-list policy_nat_http1 extended permit ip host 192.168.1.1 any

access-list policy_nat_rdp1 extended permit ip host 192.168.1.1 any

access-list outside_access_in extended permit tcp any host 200.200.200.1 eq 80 log

access-list outside_access_in extended permit tcp any host 200.200.200.2 eq 3389 log

access-group outside_access_in in interface outside

[edit]

for your SMTP

replace the policy NAT ACL names with something like:

policy_nat_smtp1, policy_nat_smtp2, and the respective TCP port 25 in the inbound ACL; it should work.. make sure the public IPs are not currently being used by any other system, otherwise you will get errors.

Jorge Rodriguez

ok, let's do a workaround

let's say ur internal mail server IP address is 192.168.1.1

make a static NAT for this IP to one of the public IPs

then go to ur server and give it a secondary IP, let's say 192.168.1.10

and then make another static NAT mapping the second public IP address to that secondary IP

this case will work for sure

good luck

and let me know

dwgrow
Level 1

Have you tried placing two IPs on the email server's Ethernet card? NAT one external IP to each internal IP.

Marwan & Dennis' solution is effective as well and probably the easiest way to go around it.

Jorge Rodriguez
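As an added example, not taken from this thread or from Cisco, here is a small Python checker for the two pitfalls the replies above raise: the "duplicate of existing static" conflict when two plain statics share one real IP, and mapped public IPs that have no inbound permit in the ACL applied to the outside interface (it also flags `permit ip any host` entries as broader than the single service port). The pre-8.3 `static`/`access-list` syntax follows the thread; the sample config, addresses and ACL names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in this thread's pre-8.3 ASA syntax: two plain statics for one real
# IP (the case the ASA rejects), the policy-NAT pair, and a partial inbound ACL.
SAMPLE_CONFIG = """
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 200.200.200.1 access-list policy_nat_http1
static (inside,outside) 200.200.200.2 access-list policy_nat_rdp1
access-list policy_nat_http1 extended permit ip host 192.168.1.1 any
access-list policy_nat_rdp1 extended permit ip host 192.168.1.1 any
access-list outside_access_in extended permit ip any host 1.1.1.1
access-list outside_access_in extended permit tcp any host 200.200.200.1 eq 80 log
access-group outside_access_in in interface outside
"""

POLICY_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) access-list (\S+)$")
PLAIN_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def audit_static_nat(config):
    plain = defaultdict(list)      # real IP -> public IPs from plain statics
    mapped = []                    # every public IP that some static maps
    acl_hosts = defaultdict(dict)  # ACL name -> {public IP: protocol[/port]}
    applied = {}                   # interface -> ACL bound inbound on it
    for line in map(str.strip, config.strip().splitlines()):
        if m := POLICY_RE.match(line):
            mapped.append(m.group(3))
        elif m := PLAIN_RE.match(line):
            mapped.append(m.group(3))
            plain[m.group(4)].append(m.group(3))
        elif m := ACL_RE.match(line):
            name, proto, host, port = m.groups()
            acl_hosts[name][host] = proto if port is None else f"{proto}/{port}"
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
    findings = []
    for real, publics in plain.items():
        if len(publics) > 1:  # the "duplicate of existing static" error seen in the thread
            findings.append(f"duplicate static: {real} mapped by {', '.join(publics)}")
    outside_acl = acl_hosts.get(applied.get("outside"), {})
    for public in mapped:  # every mapped public IP needs an inbound permit on outside
        rule = outside_acl.get(public)
        if rule is None:
            findings.append(f"no inbound ACL entry for {public}: traffic is dropped")
        elif rule == "ip":
            findings.append(f"{public} permits any IP protocol; restrict to the service port")
    return findings
```

Running `audit_static_nat(SAMPLE_CONFIG)` reports the duplicate static for 192.168.1.1, the over-broad permit for 1.1.1.1, and the two mapped public IPs with no inbound entry; a policy-NAT pair with matching tcp/25 permits reports nothing.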