01-15-2006 05:07 AM - edited 02-21-2020 12:38 AM
Hello, is it possible to have the ASA 'listen' on two public IP addresses, but connections initiated TO either of those public addresses are directed to a SINGLE host behind the firewall?
Also, the connections would all be going to a single service (telnet), not multiple services.
Thanks much.
01-15-2006 04:08 PM
it's not feasible.
e.g.
static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 23 192.168.1.1 23 netmask 255.255.255.255
imagine a telnet session is initiated from the outside. asa receives the packet destined for 1.1.1.1 with tcp port 23. asa then looks up the static and forwards the packet to 192.168.1.1. now, the return traffic from 192.168.1.1 is received by asa. asa will be confused because asa is not able to determine which static should be used.
further, you may configure the telnet server to listen on multiple ports. by default, a telnet server listens on tcp port 23. provided the telnet server listens on both tcp port 23 and tcp port 10000, the issue should be resolved.
e.g. static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 10000 192.168.1.1 10000 netmask 255.255.255.255
then the user from outside would need to do "telnet 1.1.1.2 10000" instead of "telnet 1.1.1.2".
01-16-2006 07:13 AM
Then this is a NAT limitation with Cisco. Checkpoint does not have this limitation.
01-16-2006 06:45 PM
I believe it's feasible if the ip of the other end is known, then you can configure policy nat.
otherwise I'm not too sure how the firewall can make a decision on which ip should be used for nat.
for more details on configuring policy nat:
01-17-2006 07:32 PM
Yep, it is possible through policy NAT. However, you can't combine one static and then add a policy NAT. There will still be the 'overlapping' address problem. The solution is to create two policy nats.
My original post was regarding unknown (any) source hosts coming inbound to a host behind the ASA.
Today we were hit with another similar problem only this time we knew all the host addresses (sources inbound from the public side). Policy NAT did work in this case.
We are going to test using 'any' as the source inbound to see if we can resolve the other issue. I think as long as there is not an existing static NAT that would conflict, it is possible.
Thanks much.
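As an added illustration of the known-source case the thread reports working (this configuration is not from the thread or from any of its posters), here are two policy static PATs in the same pre-8.3 static/access-list syntax the thread's own commands use; the public and inside addresses are the thread's, while the outside client addresses 203.0.113.10 and 203.0.113.20 are assumed for illustration.

```cisco
! Constructed example (not from the thread): two policy static PATs that map
! two public addresses to one inside telnet server, pre-8.3 ASA syntax.
! Outside client addresses 203.0.113.10 and 203.0.113.20 are assumed;
! 1.1.1.1, 1.1.1.2 and 192.168.1.1 are the values used in the thread.

! Each ACL names the real (inside) server and port as the source and the
! known outside client as the destination. Because each ACL matches a
! different remote host, the ASA can pick the right translation for the
! return traffic, which is what two plain statics for 192.168.1.1 cannot do.
access-list POLICY_NAT_1 extended permit tcp host 192.168.1.1 eq 23 host 203.0.113.10
access-list POLICY_NAT_2 extended permit tcp host 192.168.1.1 eq 23 host 203.0.113.20

! Policy static PAT: 203.0.113.10 reaches the server via 1.1.1.1:23,
! 203.0.113.20 via 1.1.1.2:23. No ordinary static for 192.168.1.1 is
! configured alongside these, to avoid the overlap the thread mentions.
static (inside,outside) tcp 1.1.1.1 23 access-list POLICY_NAT_1
static (inside,outside) tcp 1.1.1.2 23 access-list POLICY_NAT_2

! The translation alone does not permit the connection; the inbound ACL on
! the outside interface still has to allow telnet to the mapped addresses
! (pre-8.3 interface ACLs reference the mapped, not the real, address).
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 1.1.1.1 eq 23
access-list OUTSIDE_IN extended permit tcp host 203.0.113.20 host 1.1.1.2 eq 23
access-group OUTSIDE_IN in interface outside

! Check the result with "show nat" and "show xlate" after a test telnet
! from each client.
```

With an unknown (any) source there is no distinguishing destination in the ACL, so this form reproduces the ambiguity the second post describes; that case is the one the original poster says is still to be tested.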