Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
0
Helpful
4
Replies

URGENT - static NAT using multiple external address

rubens.palhoni
Level 1
Level 1

‎11-10-2009 11:46 AM - edited ‎03-11-2019 09:38 AM

Hello,

I have a question about Static NAT.

My client use a Linux Firewall for Connection partners using L2L (about 70). He bought two 5520 to replace the current Linux Firewall. I conducted a survey of access rules for migration of the firewall and I have problems with some rules for nat statico. Today many clients connect to an external address static nat configured in Firewall for port redirection, but this by using multiple outside addresses to the same address inside. As we know there is a limitation to this configuration when using NAT on the ASA / PIX. Next example below:

static (inside,outside) tcp 200.200.200.10 80 10.10.10.10 netmask 255.255.255.255 80

static (inside,outside) tcp 200.200.200.20 80 10.10.10.10 netmask 255.255.255.255 80

Have any tips on how I can treat this type of NAT?

The client is even thinking about rolling back the purchase of Cisco ASA due to this limitation.

Can you help?

Thank you very much !!

Att:

Rubens

Labels:
0 Helpful
4 Replies 4

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-10-2009 12:04 PM

Rubens,

That cannot be implemented on an ASA. With statics, or even policy statics it won't work. The ASA will complain about mapped address conflicts.

The question would be why do you want to do that?

PK

0 Helpful

rubens.palhoni
Level 1
Level 1
In response to Panos Kampanakis

‎11-10-2009 12:18 PM

Hi PK,

Exactly right. I know that conflicts, but the client is very moroless because it uses a Linux configuration that accomplishe this without major problems. Posted this case here, to verify together if

can find a solution rsrsrsr ...

0 Helpful

vikram_anumukonda
Level 3
Level 3
In response to rubens.palhoni

‎11-10-2009 06:04 PM

you might want to check this

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

and restrict the access to port 80 with a access-list on the outside interface. Not sure if this would work with ports in either access-list or static.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vikram_anumukonda

‎11-11-2009 08:41 AM

vikram's solution will still not work. The ASA will give an error.

It cannot be done.

PK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card