Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Use same PAT pool on different Interfaces

Hi,

I have an ASA 5500 running IOS 7.0. I am using three interfaces INSIDE, OUTSIDE and DMZ. INSIDE users (10.10.10.x) ger PAT'd to 12.12.12.12 address when going from the INSIDE to the OUTSIDE.

Can I use the same address (12.12.12.12) to PAT the INISDE users when going to the DMZ?

Thank you,

Maher

2 REPLIES
Gold

Re: Use same PAT pool on different Interfaces

it's a little bit unusual but i don't see why it wouldn't work.

i said a little bit unusual because the 12.12.12.12 is usually a public ip, however, traffic between inside and dmz is sort of private, thus no public ip is needed.

just wondering what exactly you are trying to achieve here.

New Member

Re: Use same PAT pool on different Interfaces

Thanks for your answer.

Here is the setup:

The INSIDE network uses 10.10.10.x and get PAT’d to a public address when going to the Internet through the OUTSIDE Interface.

The DMZ Network uses another private network 10.10.20.x and get PAT’d to the same public IP address when accessing the Internet through the OUTSIDE Interface (the 12.12.12.12)

There is no NAT/PAT setup at the moment when the Inside access the DMZ or vice versa.

Here is the Dilemma:

With the current setup, we are having a problem getting from the INSIDE network to applications on our web server in the DMZ that use an Outside PIN authentication service (Outside means on the the Internet).

The way that PIN works is that a client from the INSIDE Network goes to the web app, and then gets redirected to the OUTSIDE PIN server for authentication. Once authenticated, they are redirected back to the web app with a ticket that includes the authenticated IP address. Our web server compares the authenticated IP address with that of the orginal ip address of client, and denies access if they don't match. The problem is that the ticket contains that outside PAT’d address of the client (12.12.12.12), but the web server is seeing the inside address of the client (10.10.10.x)

I thought if I PAT the inside Network when accessing the DMZ to the same 12.12.12.12 address I would be able to over come the problem since the webserver and the PIN authentication server will see the Inisde client as 12.12.12.12. Is there a better way of doing it?

Thanks again,

Maher

98
Views
0
Helpful
2
Replies
CreatePlease login to create content