ASA 5520 / NAT Problem

slade
Level 1

Hello, is it possible to have the ASA 'listen' on two public IP addresses, but connections initiated TO either of those public addresses are directed to a SINGLE host behind the firewall?

Also, the connections would all be going to a single service (telnet), not multiple services.

Thanks much.

4 Replies

jackko
Level 7

it's not feasible.

e.g.

static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.2 23 192.168.1.1 23 netmask 255.255.255.255

imagine a telnet session is initiated from the outside. asa receives the packet destined for 1.1.1.1 with tcp port 23. asa then looks up the static and forwards the packet to 192.168.1.1. now, the return traffic from 192.168.1.1 is received by the asa. asa will be confused because asa is not able to determine which static should be used.

further, you may configure the telnet server to listen on multiple ports. by default, the telnet server listens on tcp port 23. provided the telnet server listens on both tcp port 23 and tcp port 10000, the issue should be resolved.

e.g. static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.2 10000 192.168.1.1 10000 netmask 255.255.255.255

then the user from outside would need to do "telnet 1.1.1.2 10000" instead of "telnet 1.1.1.2".

Then this is a NAT limitation with Cisco. Checkpoint does not have this limitation.

i believe it's feasible if the ip of the other end is known; then you can configure policy nat.

otherwise i'm not too sure how the firewall can make a decision on which ip should be used for nat.

for more detail in configuring policy nat:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008052564b.html#wp1042553

Yep, it is possible through policy NAT. However, you can't combine one static and then add a policy NAT. There will still be the 'overlapping' address problem. The solution is to create two policy NATs.

My original post was regarding unknown (any) source hosts coming inbound to a host behind the ASA.

Today we were hit with another similar problem only this time we knew all the host addresses (sources inbound from the public side). Policy NAT did work in this case.

We are going to test using 'any' as the source inbound to see if we can resolve the other issue. I think as long as there is not an existing static NAT that would conflict, it is possible.

Thanks much.
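The two-policy-NAT arrangement suggested above, for the case the follow-up reports as working (outside source hosts known), written out as an added example that is not part of the thread. It uses the pre-8.3 ASA `static` / `access-list` syntax that the thread's own commands use; the inside server 192.168.1.1 and the public addresses 1.1.1.1 / 1.1.1.2 are taken from the thread, while the outside peers 203.0.113.10 and 203.0.113.20 and the ACL names are assumptions. The policy ACL for a policy static is written from the real host's side (source = real address and port, destination = the outside peer that public address is reserved for); the interface ACL is matched on the mapped (public) address, as pre-8.3 interface ACLs are.

```text
! Added example, not from the thread: pre-8.3 ASA policy static PAT.
! Assumed: inside telnet server 192.168.1.1, public addresses 1.1.1.1 and
! 1.1.1.2 (from the thread), known outside peers 203.0.113.10 and 203.0.113.20.
!
! Policy ACLs: source = real host/port, destination = the outside peer that
! each public address is reserved for. The two ACLs must not overlap.
access-list PNAT-TELNET-A extended permit tcp host 192.168.1.1 eq 23 host 203.0.113.10
access-list PNAT-TELNET-B extended permit tcp host 192.168.1.1 eq 23 host 203.0.113.20
!
! Two policy statics for the same real host, told apart by the peer in the ACL.
! No plain "static ... 192.168.1.1 ..." may coexist with these, or the
! overlap error from the thread comes back.
static (inside,outside) tcp 1.1.1.1 23 access-list PNAT-TELNET-A
static (inside,outside) tcp 1.1.1.2 23 access-list PNAT-TELNET-B
!
! Outside interface ACL (pre-8.3: matched on the mapped/public address).
! Only the expected peers reach telnet; the implicit deny drops the rest.
access-list OUTSIDE-IN extended permit tcp host 203.0.113.10 host 1.1.1.1 eq 23
access-list OUTSIDE-IN extended permit tcp host 203.0.113.20 host 1.1.1.2 eq 23
access-group OUTSIDE-IN in interface outside
```

After applying it, `show nat` lists both policy statics and `show xlate` shows a translation for 192.168.1.1 under whichever public address a peer connected to. The source restriction in OUTSIDE-IN is the part that limits exposure, since telnet carries credentials in cleartext; if the sources really must be `any`, both policy ACLs match the same traffic and the ASA is back to the ambiguity described earlier in the thread, which is the case the thread leaves untested.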
