Cisco Support Community
New Member

Conditional Nat on an ASA

A practical dilemma led me here:

A customer has several remote sites which each have a PC that connects to a virtual IP in the HQ LAN, which in turn is NATed to a real HQ server IP on the ASA. Now the need has arisen to NAT a specific group of remote sites to a different real HQ server IP...

My current workaround is a hardware load balancer, but imho there should be a nice/clean Cisco (NAT) alternative... no?

For a visual clarification, please see my attached Visio.

Many thanks for any hints or suggestions you might have,

Bart

8 REPLIES

Re: Conditional Nat on an ASA

Bart-

Can the remote offices that need to point to the new server, point to a new NAT address or do they have to point to 4.4.4.3?

New Member

Re: Conditional Nat on an ASA

This was my first question too, but the devices at the remote sites are in fact a type of appliance that requires (costly) third-party intervention if we need to change a system setting, plus there are over 600 remote sites... so no...

Gold

Re: Conditional Nat on an ASA

Create object groups to more easily manage which remote sites need the server NATed to which IP; then you can use the same object groups to configure your standard interface ACLs.

In this example, 192.168.1.1 is the internal IP of the server. The 31.x.x.x addresses are the NATed IPs.

access-list nat1_acl permit ip host 192.168.1.1 object-group remote_sites_A
access-list nat2_acl permit ip host 192.168.1.1 object-group remote_sites_B
static (inside,outside) 31.1.1.1 access-list nat1_acl
static (inside,outside) 31.1.1.2 access-list nat2_acl

New Member

Re: Conditional Nat on an ASA

Thanks for the reply, but this does not tackle the issue at hand.

I have 2 internal servers (a, b) which need to be reached on a virtual IP c.

If IP address group X connects to address c, the NATting should lead them to internal server a. Additionally, when address group Y connects to address c, the ASA NATting should lead them to internal server b...

Gold

Re: Conditional Nat on an ASA

My bad.

How about:

access-list nat1_acl permit ip host 192.168.1.a object-group X
access-list nat2_acl permit ip host 192.168.1.b object-group Y
static (inside,outside) 31.1.1.1 access-list nat1_acl
static (inside,outside) 31.1.1.1 access-list nat2_acl
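As an added example (not from either poster), here is the complete pre-8.3 ASA configuration the suggestion above implies, with the object groups actually defined and the same groups reused in the interface ACL. The server addresses, remote-site ranges and the application port (TCP 443) are constructed placeholders; whether a given ASA release accepts two statics sharing one mapped address is something to confirm on a lab device before rolling it out, and 8.3+ uses a different NAT syntax altogether.

```cisco
! Constructed example; all addresses are placeholders, not values from the thread.
! Pre-8.3 ASA syntax, matching the commands above. 8.3+ uses a different NAT model.
!
! Remote-site groups. Keep these tight: only sites listed here get a translation
! to the server, and the same groups drive the interface ACL below.
object-group network remote_sites_X
 network-object 10.10.1.0 255.255.255.0
 network-object host 10.10.5.7
object-group network remote_sites_Y
 network-object 10.10.2.0 255.255.255.0
!
! Policy NAT ACLs: source = real inside server, destination = the remote sites
! that should reach it. The static is bidirectional, so a site in X connecting
! to 31.1.1.1 is translated to 192.168.1.10 (server a) and a site in Y to
! 192.168.1.20 (server b). Both statics share the single mapped address.
access-list nat_a_acl extended permit ip host 192.168.1.10 object-group remote_sites_X
access-list nat_b_acl extended permit ip host 192.168.1.20 object-group remote_sites_Y
static (inside,outside) 31.1.1.1 access-list nat_a_acl
static (inside,outside) 31.1.1.1 access-list nat_b_acl
!
! Interface ACL reusing the same object groups. Pre-8.3 interface ACLs reference
! the mapped address, and only the application port (assumed TCP 443) is opened.
! A site in neither group has no matching static and is dropped by the ACL.
access-list outside_access_in extended permit tcp object-group remote_sites_X host 31.1.1.1 eq 443
access-list outside_access_in extended permit tcp object-group remote_sites_Y host 31.1.1.1 eq 443
access-group outside_access_in in interface outside
```

After adding the statics, run clear xlate so stale translations are rebuilt, then check show xlate while a site from each group connects to confirm each one lands on the intended server.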

New Member

Re: Conditional Nat on an ASA

Perhaps indeed... I was just staring myself blind at the ASDM GUI. In the command line this makes perfect sense. So in effect we have 2 static policy NATs with, for the original source, 192.168.1.a (192.168.1.b for the 2nd packet), original destination object group siteA (siteB for the 2nd packet), and on the outside interface a translated address of 31.1.1.1. Thx, I'll try and let you know, Srue.

Re: Conditional Nat on an ASA

Is there a gateway device at each remote office that could NAT?

New Member

Re: Conditional Nat on an ASA

Sir,

Indeed, that was my third preferred solution.

My second preferred is the one I have set up now; I had a spare F5 LB lying around and put it to use :)

The most preferred one is of course to have it all cleanly configured in one device: the ASA. Cisco has got to have a way to do this...

Check Point and Juniper can all do this type of packet crafting; perhaps I'm just overlooking something obvious.
