Policy NAT (Different Outside IP accessing Different DMZ webserver)

bala150985
Level 1

Hi

This is the topology I am using in my Lab.

(Image: Static Policy Nat (copy).jpeg)

Now what I want to attempt is this:

Point 1: When a person at the outside box 10.4.0.128 tries to access http://10.4.0.129 he should see the website hosted on the DMZ0 webserver (10.3.0.130).

Point 2: When a person at the outside box 10.4.0.130 tries to access http://10.4.0.129 he should see the website hosted on the DMZ1 webserver (10.3.0.131).

What should I enter in this Static Policy NAT? I have been breaking my head over this since Saturday night. I got it to work for just DMZ0 from 10.4.0.128, and when I tried adding one more static policy NAT for DMZ1 it said that it was clashing with my previous Static Policy NAT for DMZ0.

(Image: Static Policy NAT.jpeg)

6 Replies

Panos Kampanakis
Cisco Employee

You need 2 rules.

That will not work; the ASA will throw an error:

ERROR: mapped-address conflict with existing static

If you change your statement to

Point 1: When a person at the outside box 10.4.0.128 tries to access http://10.4.0.129 he should see the website hosted on the DMZ0 webserver (10.3.0.130).

Point 2: When a person at the outside box 10.4.0.130 tries to access http://10.4.0.229 he should see the website hosted on the DMZ1 webserver (10.3.0.131).

then the config would be:

access-list t1 extended permit ip host 10.3.0.130 host 10.4.0.128
access-list t2 extended permit ip host 10.3.0.131 host 10.4.0.130

static (inside,outside) 10.4.0.129 access-list t1
static (inside,outside) 10.4.0.229 access-list t2

The way you want to do it, the ASA will not let you map different IP addresses to the same global IP.

I hope that makes it clear.

PK

Bala,

I see that 10.4.0.129 is the outside interface IP address.

In which case you can do the following static PAT. These statics should have nothing to do with the inside interface; the previous posting accidentally specifies the inside interface.

The interfaces involved are dmz and outside. I am assuming these two are two hosts in the dmz segment and not two different dmz interfaces. Your diagram says these are two different interfaces, but the IP addresses are right next to each other, so I am assuming just one DMZ interface.

static (dmz,outside) tcp interface 8080 10.3.0.130 80 netmask 255.255.255.255

The static above will grab requests from the outside to http://10.4.0.129:8080 and send them to 10.3.0.130 port 80 in the dmz.

static (dmz,outside) tcp interface 8000 10.3.0.131 80 netmask 255.255.255.255

The static above will grab requests arriving at http://10.4.0.129:8000 and send them to 10.3.0.131 port 80, again in the dmz.

Now, in the ACL that you have applied on the outside, restrict it so that

host 10.4.0.128 can only talk to 10.4.0.129 on port 8080

and host 10.4.0.130 can only talk to 10.4.0.129 on port 8000.

You should be all set.

-KS
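The port-redirection design KS describes above, written out as one complete pre-8.3 ASA configuration. This is an added example, not config posted in the thread; the interface names dmz and outside, the ACL name outside_in and a single DMZ segment are assumptions.

```cisco
! Assumed: one DMZ interface (10.3.0.129) and the outside interface at 10.4.0.129.
! Static PAT: outside-interface port 8080 -> DMZ0 web server, port 8000 -> DMZ1 web server.
! Two statics cannot both claim 10.4.0.129 port 80, which is why each server gets its own port.
static (dmz,outside) tcp interface 8080 10.3.0.130 www netmask 255.255.255.255
static (dmz,outside) tcp interface 8000 10.3.0.131 www netmask 255.255.255.255
!
! Inbound ACL on outside: each source host may reach only its own redirected port.
! Pre-8.3 ASAs match inbound ACLs against the mapped (outside) address, so the
! destination here is the outside interface IP, not the DMZ server IP.
access-list outside_in extended permit tcp host 10.4.0.128 host 10.4.0.129 eq 8080
access-list outside_in extended permit tcp host 10.4.0.130 host 10.4.0.129 eq 8000
! Explicit logged deny so unexpected attempts against either port show up in syslog.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Verify with "show xlate" after a test connection from each outside host: each should create a translation only for its own port, and a request to the other port should appear as a logged deny.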

Thanks a lot for responding to my question. I have just one DMZ interface at 10.3.0.129.

I started searching for this question because I heard from someone that it is possible to redirect HTTP from two partners with different IPs out on the internet, both trying to hit the same ASA outside interface of 10.4.0.129, to two different internal servers based on their source IPs.

I have previously done accessing two different webservers by hitting http://10.4.0.129:8080 ----> DMZ0 and http://10.4.0.129:8081 ----> DMZ1, which is just port redirection. However, I wanted to know if this is possible even if the port was constant and still be able to differentiate between the two traffic flows, leading them to different webservers.

Technically speaking, I thought it was not possible to redirect HTTP requests to two different DMZs by hitting the same outside interface of 10.4.0.129 on port 80; however, when we take into account the different source IPs then I believe that it is possible, which is what the STATIC POLICY NAT claims to do. I could be wrong though.

After a lot of searching I found this article about NAT on Cisco's website, which clearly shows that what I wanted could not be achieved.

However, I will keep my question as my long-term goal, to try and see if it is possible. If someone feels that it is not possible, kindly try to explain to me why that is not possible.

It can't be done because the ASA will give you an error:

ERROR: mapped-address conflict with existing static

The only thing that you can do is to PAT different ports based on the traffic (PAT).

PK

Bala,

This is not possible, or I would have given you the config lines to accomplish that.

Just because you are doing a policy doesn't mean you can do that. It is the same rule whether you use policy or just use static PAT.

You cannot receive traffic destined to port 80 on the outside interface and send it to different servers on the dmz.

There are other Cisco devices (Content Service Engines) that can do that, so this feature is not there on the ASA.

-KS
