https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960583#M144199 <UL> <LI><SPAN style="-webkit-text-size-adjust: 100%;">Thanks for the reply but I don't see how this would allow me to use a non-interface address. The NAT command you have specifies that the NAT is done on the interface address.&nbsp;</SPAN></LI> </UL> <P><SPAN style="-webkit-text-size-adjust: 100%;">Imagine that I have 100.0.0.0/28 as a block of addresses,and my outside interface is using 100.0.0.2. I want to use 100.0.0.3 port 443 to point to one internal server but then have 80 point to another. I don't want to use 100.0.0.2 which is mapped to the outside interface.&nbsp;</SPAN></P> Wed, 14 Dec 2016 02:49:50 GMT Nathan Farrar 2016-12-14T02:49:50Z https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960581#M144197 <P>ASA running 9.1 code. I have a block of IP addresses on the public side. On the inside I have a DMZ and private VLAN. I want to map a specific port to a server in the DMZ on a specific public IP address. This address is not the interface IP address facing the ISP, generally I would do something like:</P> <P></P> <P></P> <P>object network obj_server</P> <P>&nbsp; host 10.1.1.1</P> <P>&nbsp; nat (dmz,outside) static interface service tcp www www</P> <P></P> <P></P> <P>This would map the specific port I want but would only allow me to use the address mapped to the outside interface. The only other way I can map a non-interface IP, that I know of, is:</P> <P></P> <P>object network obj_server</P> <P>&nbsp; host 10.1.1.1</P> <P>&nbsp; nat (dmz,outside) static &lt;outside IP&gt;</P> <P></P> <P></P> <P>This will give me all or none. I could lock it down to one port of course, but I want to be able to use the same non-interface IP for different NAT/PAT to different servers. I would like that non-interface IP to send 443 to one server and then send 80 to a different server.</P> <P></P> <P></P> <P>Thoughts?</P> Tue, 12 Mar 2019 08:39:39 GMT https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960581#M144197 Nathan Farrar 2019-03-12T08:39:39Z https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960582#M144198 <P>Hi ,</P> <P>Try this !!!!</P> <P>Object network webserv_ip_insid</P> <P>Host 192.168.10.10</P> <P>Nat (Dmz_int,Out_int) dynamic interface service tcp 443 443</P> <P>Access-list out_to_dmz extended permit tcp any object&nbsp;<SPAN>webserv_ip_insid eq 443&nbsp;</SPAN></P> <P><SPAN>Access-group&nbsp;out_to_dmz in interface Dmz_int&nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Hope this will help ....</SPAN></P> Wed, 14 Dec 2016 00:54:05 GMT https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960582#M144198 MANI .P 2016-12-14T00:54:05Z https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960583#M144199 <UL> <LI><SPAN style="-webkit-text-size-adjust: 100%;">Thanks for the reply but I don't see how this would allow me to use a non-interface address. The NAT command you have specifies that the NAT is done on the interface address.&nbsp;</SPAN></LI> </UL> <P><SPAN style="-webkit-text-size-adjust: 100%;">Imagine that I have 100.0.0.0/28 as a block of addresses,and my outside interface is using 100.0.0.2. I want to use 100.0.0.3 port 443 to point to one internal server but then have 80 point to another. I don't want to use 100.0.0.2 which is mapped to the outside interface.&nbsp;</SPAN></P> Wed, 14 Dec 2016 02:49:50 GMT https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960583#M144199 Nathan Farrar 2016-12-14T02:49:50Z https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960584#M144201 <P></P> <P>I hope this will help you ...</P> <P>--------------------------------------------------------------------------</P> <P>object network 443_server<BR />192.168.10.10<BR />nat (dmz_int , Out_int) static 100.0.0.3 service tcp 443 443</P> <P>object network 80_server<BR />192.168.10.11<BR />nat (dmz_int , Out_int) static 100.0.0.3 service tcp 80 80</P> <P>------------------------------------------------------------------------------</P> <P>Access-list out_to_dmz extended permit tcp any object <SPAN>443_server</SPAN><SPAN>&nbsp;eq 443&nbsp;</SPAN></P> <P><SPAN>Access-list out_to_dmz extended permit tcp any object<SPAN> 80_server&nbsp;</SPAN><SPAN>eq 443</SPAN></SPAN></P> <P><SPAN>Access-group&nbsp;out_to_dmz in interface Dmz_int&nbsp;</SPAN></P> <P><SPAN>---------------------------------------------------</SPAN></P> <P><SPAN>Please rate me if this help you .</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Thanks&nbsp;</SPAN></P> <P><SPAN>Mani.</SPAN></P> Wed, 14 Dec 2016 05:06:51 GMT https://community.cisco.com/t5/network-security/asa-nat-non-interface-ip/m-p/2960584#M144201 MANI .P 2016-12-14T05:06:51Z