
server ip translation with asa

One of the server hosts uses the same internet IP to get on to the internet and also to receive requests from the internet to itself. This was done for address space restraint. But a recent security audit has forced us to separate the communication for this server using a single internet-registered IP both ways.

i.e. server host 10.19.2.2 will use internet IP X.X.X.X for internet-bound data from itself, and the same X.X.X.X internet IP will be used to reach this host when any other host on the internet needs to start a new connection to 10.19.2.2.

Insights into how best this can be achieved will be helpful.

TIA.

7 REPLIES

Re: server ip translation with asa

Hi,

If you want to do this on ASA you can do the following:

static (in,out) tcp 2.2.2.2 80 1.1.1.1 80

nat (inside) 1 1.1.1.1 255.255.255.255

global (outside) 1 2.2.2.3

The above example assumes the following:

Inbound connections to the server (1.1.1.1) will use the NAT IP (2.2.2.2) when the requests come on port 80.

Outbound traffic from the server will use (2.2.2.3) to get to the Internet.

Hope it helps.

Federico.

Re: server ip translation with asa

Thanks. Apologies if my question was not clear.

Taking the example that you have stated, our policy needs me to use the same public IP for this server host 1.1.1.1 when going out to the internet and use the same public IP for inbound connections to this server initiated by any source from the internet.

TIA.

Re: server ip translation with asa

In that case you can modify the configuration to this:

static (in,out) 2.2.2.2 1.1.1.1

The above command will always translate 1.1.1.1 to 2.2.2.2 for inbound or outbound traffic.

Federico.

Re: server ip translation with asa

So the static line will accomplish the task for both inbound and outbound using the same IP.

And I would say there needs to be an ACL on the outside interface for the incoming new request. Would this static and rule hold true for both TCP and UDP connections?

Appreciate your help. Thanks.

Re: server ip translation with asa

Correct.

The static will hold true for TCP and UDP connections.

Also, to allow incoming traffic you require the ACL as you mentioned.

Federico.

Re: server ip translation with asa

Thanks. Last query: to check these connections when in use, would sh conn and sh xlate be appropriate commands, or is there any other command for this?

Re: server ip translation with asa

Correct.

To check the translations (layer 3) you use sh xlate

To check the connections (layer 4) you use sh conn (sh conn state/sh conn det)

Since you have a static one-to-one NAT, there's going to be a single XLATE with multiple connections for that particular host.

Federico.
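
The configuration this thread arrives at, collected in one place as an added example that is not part of any post above. It assumes interface names inside and outside, a hypothetical ACL name OUTSIDE_IN, and TCP port 80 (the port from the first reply) as the only service published to the internet.

```cisco
! Added example in the pre-8.3 ASA NAT syntax used in the thread.
! Assumptions: interfaces are named "inside" and "outside", the ACL name
! OUTSIDE_IN is hypothetical, and TCP/80 is the only published service.
! 1.1.1.1 (real) and 2.2.2.2 (mapped) are the thread's placeholder addresses.

! One-to-one static NAT: 1.1.1.1 always appears as 2.2.2.2, both for
! connections the server starts and for connections started from outside.
static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255

! The static itself covers every port and protocol (TCP and UDP), so the
! outside ACL is what limits what the internet can reach on the server.
! In this syntax the ACL matches the mapped (public) address.
! Anything not permitted here is dropped by the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.2 eq www

! Bind the ACL inbound on the outside interface. If an ACL is already
! bound there, add the permit line to that ACL instead of binding a new one.
access-group OUTSIDE_IN in interface outside

! Verification, as discussed in the last reply:
!   show xlate         (one static translation for the host)
!   show conn detail   (individual connections using that translation)
```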
