
Natted and Physical IP access

santoshm_75
Level 1

Hi,

I am using an ASA 5580 with software version 8.1(2). Could it be possible to access the NATted IP address and also the physical IP address at the same time from the host?

8 Replies

santoshm_75
Level 1

Hi,

My requirement is different than what you have mentioned. In the configuration you have mentioned, if I have a host connected with IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts, can it be possible?

If possible, then send some write-up and also any Cisco site reference.

Regards,

"If I have a host connected with IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts, can it be possible?"

Santosh,

I'm not quite sure I understand your requirements, which seemed to me from your initial post to be a hairpinning requirement. I would like to know what application prompts you to have this type of setting; perhaps if you could provide in detail what this requirement entails in terms of TCP/UDP services, I could provide a better answer.

Regards

Jorge Rodriguez

JORGE RODRIGUEZ
Level 10

Sure you can, depending on what your scenario is, but generally you can use the same-security-traffic permit intra-interface command in conjunction with a specific NAT statement, and connect to the NATed address from where you are sourcing the local host. This is also known as hairpinning.

Regards

Jorge Rodriguez

Hi,

I have all the intra interfaces with different levels of security; then also can it be possible?

If possible, please let me know of some write-up or any Cisco write-up details for reference.

Regards,

Typical scenario

say:

inside host 20.20.20.1/24 - Its public IP 100.100.100.1 for outside

Typically you would have one-to-one NAT

static (inside,outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

Now you want local hosts in the 20.20.20.0/24 subnet to access 100.100.100.1, which is mapped to 20.20.20.1

same-security-traffic permit intra-interface

static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

and allow inbound rules for 100.100.100.1

So inside hosts under 20.20.20.0/24 can access 20.20.20.1 locally as well as 100.100.100.1 from the inside interface.

Here is some reference on hairpinning

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Regards

PLS rate any helpful posts if it helps

Jorge Rodriguez

Jon Marshall
Hall of Fame

Santosh

Just to clarify what you are asking.

Server = real IP address = 192.168.5.1

Natted IP address = 172.16.5.1

Are you asking if from a client host you can connect to both 172.16.5.1 and 192.168.5.1 on the same port?

If so, no, you can't. It's one or the other.

Jon

Hi,

Find the details of requirement.

Inside IP : 172.16.0.0/24

Host: 172.16.1.10

NATted IP: 192.168.1.10

Outside IP: 192.168.1.0/24

Host: 192.168.1.20

Now my requirement is: from host 192.168.1.20, can I access 192.168.1.10 and also 172.16.1.10?

Hi Jon: It's the customer's requirement for an SAP application, and also, for your reference, this is working in Checkpoint now. We are replacing ASA-5580 in the place of Checkpoint.

Could it be possible?

Regards,

Santosh

If you are trying to access the 172.16.1.10 and 192.168.1.10 from outside using the same application port number you cannot do this on the ASA. I understand you can do this with Checkpoint but NAT functionality differs between firewalls.

Jon
