
ASA source ip configuration for servers

suthomas1
Level 6

Hi,

We have the following flow:

LAN Server ( 192.168.100.5 & 100.11 ) -----> Switch -------> ASA ---------> Internet ------------> Destination Host

The ASA's outside interface has Internet IP 202.87.65.22

When both LAN servers initiate a connection to the remote destination host, they are only recognised at the destination with individual Internet IPs as given.

i.e., 192.168.100.5 is only recognised as 202.87.65.35 &

      192.168.100.11 is only recognised as 202.87.65.36

The destination doesn't recognise the request if the source is not from the above Internet IPs.

How do I ensure and configure the ASA such that traffic from both these LAN servers goes out with their Internet IPs only, rather than taking the ASA's outside interface IP?

Please help.

1 Accepted Solution


Hello,

So let's go with Policy NAT, as your request is based on destination:

access-list test permit ip host 192.168.100.5 host destination_host_ip

nat (inside) 10 access-list test

global (outside) 10  202.87.65.35

access-list test2 permit ip host  192.168.100.11  host destination_host_ip

nat (inside) 11 access-list  test2

global (outside) 11 202.87.65.36

Remember to rate all the answers,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Julio Carvajal
VIP Alumni

Hello,

With Policy NAT (8.2) or Twice NAT with destination (on 8.3 or higher).

What version are you running?

Rate all the answers, that is more important for us than a thanks.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It is running 8.2(2).

Appreciate it if I can get the steps to achieve it. Thanks.


Hi,

If you are using pre-8.3 code, then you would need the following configuration:

static (inside,outside) 202.87.65.35 192.168.100.5

static (inside,outside) 202.87.65.36 192.168.100.11

access-list outside_access_in permit ip any host 202.87.65.35

access-list outside_access_in permit ip any host 202.87.65.36

access-group outside_access_in in interface outside

You would only need the access-list if you also want the outside destination host to access your internal server.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
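
For ASA 8.3 or later, the Twice NAT form that Julio Carvajal mentions would look roughly like the following. This is an added example, not configuration posted by anyone in the thread; the object names are hypothetical, `destination_host_ip` is the same placeholder used in the thread, and source port 1025 and destination port 443 in the check are constructed sample values.

```cisco
! Real and mapped addresses for each server (object names are hypothetical)
object network SRV5-REAL
 host 192.168.100.5
object network SRV5-MAPPED
 host 202.87.65.35
object network SRV11-REAL
 host 192.168.100.11
object network SRV11-MAPPED
 host 202.87.65.36
! Remote peer; replace the placeholder with its real address
object network REMOTE-HOST
 host destination_host_ip
!
! Translate the source only when the destination is REMOTE-HOST.
! "source dynamic" to a single host address is outbound-only PAT, like the
! 8.2 nat/global pair; the destination is mapped to itself (left unchanged).
nat (inside,outside) source dynamic SRV5-REAL SRV5-MAPPED destination static REMOTE-HOST REMOTE-HOST
nat (inside,outside) source dynamic SRV11-REAL SRV11-MAPPED destination static REMOTE-HOST REMOTE-HOST
!
! Checks: confirm which NAT rule is hit and which mapped address is used
packet-tracer input inside tcp 192.168.100.5 1025 destination_host_ip 443
show nat detail
show xlate
```

Unlike the static translations combined with `permit ip any`, these dynamic rules create no standing inbound mapping, so outside hosts cannot initiate connections to the servers through them.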
