Hi, we have a Checkpoint Firewall we are migrating to an ASA.
One type of access we have is for groups of users on the "outside" interface, connecting to Servers on the "Inside" interface.
These Servers' addresses are NATted, in a way that the users will connect to the NAT address and currently the CP FW will NAT those to the real address before sending them off. So far nothing weird...
The problem is that we currently have some users with access to the REAL IP of the servers, not the NATted one, and I can't seem to replicate that in the ASA.
In CP it is very easy, because the Translation rules include all components and are defined in a direction, that is for example:
If the packet comes from "User/IP A", destined for "Server 1's NAT", then keep the source "as is" and NAT the destination to "Server 1's real IP".
When the return traffic comes, I assume it knows through a state table or something (because there is no entry for the other direction) that it did the NAT so it reverses it.
Now when a user connects to the "real IP", no NAT takes place, and the connection works (and I say I think it records this with some type of state table because of the above, where NAT does take place and nothing happens here).
When we try this on the ASA, we would normally try a static NAT like so:
static (outside, inside) real_IP nat_IP
Which would be fine, except that when the users attempt to connect to the "real IP", while of course it won't be NATted, the return traffic DOES get NATted, and the connection breaks...
I've looked at Policy NAT, but it seems to have the same problem, as the same users can connect to either the real or NAT IP, and therefore if they're in the ACL for the Policy NAT, the same problem would occur with the return traffic...
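As an added illustration that is not part of the original post, here is a small Python model of the two behaviours described above: a one-direction rule that records its translation in a state table, versus a bidirectional static mapping that rewrites every reply sourced from the real IP. All addresses, the user group and the class names are constructed for the example.

```python
# Constructed example, not a configuration from the post or from any vendor.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


USERS = {"203.0.113.10"}       # constructed "outside" user group (User/IP A)
SERVER_REAL = "10.1.1.5"       # constructed real address of Server 1
SERVER_NAT = "198.51.100.5"    # constructed NAT (mapped) address of Server 1


class DirectionalNat:
    """Rule that matches in one direction only; return traffic is un-translated
    from a per-connection state table (real firewalls key this on the full
    5-tuple, this model keys on the address pair for brevity)."""

    def __init__(self):
        self.state = {}  # (user, translated_dst) -> address the user sent to

    def outbound(self, p: Packet) -> Packet:
        if p.src in USERS and p.dst == SERVER_NAT:
            self.state[(p.src, SERVER_REAL)] = SERVER_NAT
            return Packet(p.src, SERVER_REAL)
        return p  # no rule matched: a packet sent to the real IP passes untouched

    def inbound(self, p: Packet) -> Packet:
        original = self.state.get((p.dst, p.src))
        return Packet(original, p.dst) if original else p


class StaticNat:
    """Bidirectional static mapping: every reply sourced from the real IP is
    rewritten to the NAT IP, regardless of how the connection was opened."""

    def outbound(self, p: Packet) -> Packet:
        return Packet(p.src, SERVER_REAL) if p.dst == SERVER_NAT else p

    def inbound(self, p: Packet) -> Packet:
        return Packet(SERVER_NAT, p.dst) if p.src == SERVER_REAL else p


def connection_works(nat, user: str, target: str) -> bool:
    """The user sends to `target`, the server replies, and the reply must
    arrive with the source address the user actually sent to."""
    fwd = nat.outbound(Packet(user, target))
    reply = nat.inbound(Packet(fwd.dst, fwd.src))
    return reply.dst == user and reply.src == target
```

With the static mapping, a connection opened to the real IP fails because the reply comes back from the NAT IP; the directional rule handles both targets.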