I have a query regarding static policy NAT within the following scenario -
I have the following simulated setup -
3 customers (CUS#1, CUS#2 and CUS#3)
Each customer has a server (CUS1-SRV#1 - 192.168.1.1/24, CUS2-SRV#1 - 192.168.2.1/24 and CUS3-SRV#1 - 192.168.3.1/24)
All servers are located in the same location, sat behind one Cisco ASA firewall
Each customer server is VLAN'd for segregation (ignore security issues for the moment)
Each server will NAT as the same address (a single public /32)
Each customer has a remote premises with a public IP address space (CUS1-SITE#1 - 220.127.116.11/24, CUS2-SITE#1 - 18.104.22.168/24 and CUS3-SITE#1 - 22.214.171.124/24)
If each server translates from inside the firewall to outside the firewall as the same /32 address (PAT) they will all have internet access as the same public IP address. I then want to publish services from CUS1-SRV#1 to CUS1-SITE#1 and CUS2-SRV#1 to CUS2-SITE#1. So basically, publish each customer's server services to their specific remote site.
I am aware that policy NAT exists and I can perform a NAT based on destination, but what I would like to be able to do is to perform a sort of reverse remote-site source address translation. CUS1-SITE#1 targets the public /32 address of the server and is then translated to the correct server internally for that customer (192.168.1.1). Is this at all possible?
This is something I have to test to be able to answer it.
I mean, it's not a good idea in the first place to start providing services to a public network with a single IP address. It would be good to have a small network of public IP addresses from the ISP.
What I am wondering is the fact that if we in this case know the source address of each host connecting to the servers, can we forward the same ports to different hosts since our NAT configuration would still state the different source address for each configuration.
I could probably test this at my own ASA later.
I've got to say, though, that it would be best to have a small /29 public network at least from the ISP so you could dedicate a single public IP to each server. I'd imagine it would make your life easier in the long run.
I will check this thing out later today unless someone else gives an answer
I realise having a /29 range of public addresses would allow me to support further customers by performing one-to-one static mapping of addresses for each customer server. This was more of a "Can this be done?" question. Luckily, I am not actually in this situation.
Might still test this just to see if it is possible. My first gut feeling would be that it's impossible to forward the same ports to different hosts, unless you used a different mapped port for each customer, which would probably cause more problems.
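Added example, not posted by anyone in this thread: the scenario from the question (one shared public /32, three servers, three known remote sites, the same service port for all) expressed as ASA manual (twice) NAT, which matches on both the original source and the original destination. It assumes ASA 8.3 or later NAT syntax, assumes the shared public address is 203.0.113.10 (a placeholder; the question never names it), and uses the server and site addresses from the question. Object names, the ACL name and the service port (443) are illustrative.

```cisco
! Real (inside) servers, one per customer VLAN
object network CUS1-SRV1
 host 192.168.1.1
object network CUS2-SRV1
 host 192.168.2.1
object network CUS3-SRV1
 host 192.168.3.1

! The single shared public /32 (placeholder address, assumed here)
object network SHARED-PUBLIC
 host 203.0.113.10

! Remote customer sites, as given in the question
object network CUS1-SITE1
 subnet 220.127.116.0 255.255.255.0
object network CUS2-SITE1
 subnet 18.104.22.0 255.255.255.0
object network CUS3-SITE1
 subnet 22.214.171.0 255.255.255.0

! Section 1 (manual/twice NAT): each rule matches on source AND destination.
! Written from the inside perspective; ASA NAT rules are bidirectional, so a
! connection from CUS1-SITE1 to SHARED-PUBLIC is untranslated to CUS1-SRV1,
! while the same public IP and port hit from CUS2-SITE1 lands on CUS2-SRV1.
! The destination half is an identity translation (site maps to itself).
nat (inside,outside) source static CUS1-SRV1 SHARED-PUBLIC destination static CUS1-SITE1 CUS1-SITE1
nat (inside,outside) source static CUS2-SRV1 SHARED-PUBLIC destination static CUS2-SITE1 CUS2-SITE1
nat (inside,outside) source static CUS3-SRV1 SHARED-PUBLIC destination static CUS3-SITE1 CUS3-SITE1

! Section 2 (object/auto NAT): general outbound PAT so every VLAN still
! reaches the internet as the shared address. Section 1 is evaluated first,
! so the customer-specific rules above win for their matching flows.
object network INSIDE-ALL
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic SHARED-PUBLIC

! Post-8.3 interface ACLs reference the REAL (untranslated) server address.
! Only the matching remote site may reach its own customer's server.
access-list OUTSIDE-IN extended permit tcp object CUS1-SITE1 object CUS1-SRV1 eq 443
access-list OUTSIDE-IN extended permit tcp object CUS2-SITE1 object CUS2-SRV1 eq 443
access-list OUTSIDE-IN extended permit tcp object CUS3-SITE1 object CUS3-SRV1 eq 443
access-group OUTSIDE-IN in interface outside
```

To confirm which rule a given flow hits, run `show nat` to see the section 1 rules ahead of the section 2 PAT, and `packet-tracer input outside tcp 220.127.116.11 40000 203.0.113.10 443` to walk an inbound packet from CUS1-SITE1 through NAT and the ACL; the output should show the untranslated destination 192.168.1.1. Two caveats a practitioner would want stated: the split only works while the remote sites' source address ranges are disjoint, since that is the only thing telling the three flows apart, and any source outside those ranges has no static rule to match and is dropped, which is the intended behaviour here.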