I have a bit of a challenge that I would need your input on. First off, I was just helping out a friend with this configuration, and then he put more than I can chew right in my mouth. So I would need help to see how best I can get this resolved with Cisco ASA.
Attached is a drawing of two different scenarios.
The first scenario works perfectly, as I have static NAT going for both servers using two different IP addresses. Both servers on the DMZ can be reached over the internet using different external IP addresses and the ports allowed on the servers. Sections are built with twice NAT; see the config below.
```
object network DMZ_MAILEDGE_SERVER1
object network DMZ_MAILEDGE_SERVER2
object network DMZ_EGDE1
object network DMZ_EGDE2
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER1 DMZ_EGDE1 description *** STATIC NAT FOR MAIL SERVER 1 ***
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER2 DMZ_EGDE2 description *** STATIC NAT FOR MAIL SERVER 2 ***
```
Below is the access-list (output of show access-list):
```
access-list outside_access_in line 6 extended permit udp any object DMZ_MAILEDGE_SERVER1 eq domain (hitcnt=0) 0x8537fcbb
access-list outside_access_in line 6 extended permit udp any host 172.16.1.2 eq domain (hitcnt=21) 0x8537fcbb
access-list outside_access_in line 7 extended permit tcp any object DMZ_MAILEDGE_SERVER1 eq smtp (hitcnt=0) 0xef52a116
access-list outside_access_in line 7 extended permit tcp any host 172.16.1.2 eq smtp (hitcnt=6) 0xef52a116
access-list outside_access_in line 8 extended deny ip any object DMZ_MAILEDGE_SERVER1 (hitcnt=0) 0x0032faa5
access-list outside_access_in line 8 extended deny ip any host 172.16.1.2 (hitcnt=1983) 0x0032faa5
access-list outside_access_in line 9 extended permit tcp any object DMZ_MAILEDGE_SERVER2 eq https (hitcnt=0) 0x67a318d7
access-list outside_access_in line 9 extended permit tcp any host 172.16.1.3 eq https (hitcnt=494) 0x67a318d7
access-list outside_access_in line 10 extended deny ip any object DMZ_MAILEDGE_SERVER2 (hitcnt=0) 0x7c202607
access-list outside_access_in line 10 extended deny ip any host 172.16.1.3 (hitcnt=1748) 0x7c202607
```
As you can see, this works like a champ, no issues at all!
But now I have been asked to implement scenario 2, whereby the NAT would be on one public IP only, with ports opened for both inside servers.
Now I am not sure Cisco ASA has such dexterity as to allow me to static NAT one public IP for two servers and open ports for them. Like I said, I am not sure, but I am willing to be corrected.
I would appreciate any suggestions from anyone who could give me a clue on how to get this resolved.
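Scenario 2 is what the ASA (8.3 and later) calls static NAT with port translation: several real hosts share one mapped address and are distinguished by the destination port. The configuration below is an added example, not part of the original post. It uses network object NAT (one object per real host and port) instead of the poster's twice NAT rules, keeps the real addresses 172.16.1.2 and 172.16.1.3 from the access-list output above, and assumes the shared public address 203.0.113.10 and the per-service object names, which are placeholders.

```cisco
! Scenario 2: one public IP for both DMZ servers, forwarded per port.
! Network object NAT (ASA 8.3+). The mapped address 203.0.113.10 is an assumption.
object network DMZ_MAILEDGE_SERVER1_SMTP
 host 172.16.1.2
 nat (dmz,outside) static 203.0.113.10 service tcp smtp smtp
object network DMZ_MAILEDGE_SERVER1_DNS
 host 172.16.1.2
 nat (dmz,outside) static 203.0.113.10 service udp domain domain
object network DMZ_MAILEDGE_SERVER2_HTTPS
 host 172.16.1.3
 nat (dmz,outside) static 203.0.113.10 service tcp https https
!
! On 8.3+ the interface ACL matches the real (untranslated) address,
! exactly as in the scenario 1 access-list, so only the NAT changes.
access-list outside_access_in extended permit udp any host 172.16.1.2 eq domain
access-list outside_access_in extended permit tcp any host 172.16.1.2 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.1.3 eq https
access-group outside_access_in in interface outside
!
! Verification (198.51.100.7 is a made-up outside client):
! show nat detail
! show xlate
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 25
```

Two caveats before applying this. First, the scenario 1 rules are twice NAT, which the ASA evaluates in section 1 before any network object NAT in section 2; remove them (no nat (dmz,outside) source static ...) or the old one-to-one translations will keep matching. Second, a given port on the shared mapped address can only be forwarded to one real host; if both servers ever need the same port, either assign a second mapped address or translate one of them to a different outside port (for example service tcp https 8443). If the shared public address is the outside interface's own address, write static interface service ... instead of the literal address.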