topic ASA Static PAT to multiple private IPs in Network Security

ASA Static PAT to multiple private IPs

Mokhalil82 — Tue, 12 Mar 2019 06:02:47 GMT

I am in the process of replacing some Watchguard firewalls with ASA firewalls. I have noticed a few static NAT rules on the Watchguard using the same public IP address but each NAT uses a different private IP Address.

e.g

98.98.98.1 > 192.168.10.1

98.98.98.1 > 192.168.10.5

98.98.98.1 > 192.168.10.20

98.98.98.1 > 192.168.10.44

How would I add this into an ASA. This is for external hosts trying to access internal servers on the one external IP but mapped to different internal IPs.

Would a standard PAT work using the different internal IPs to PAT to the single external IP.

Thanks

if you did a PAT then the

jmattbullen — Thu, 04 Jun 2015 01:09:03 GMT

You could PAT say port 8080,8081,etc and translate that to 80 on the inside but you'd need to make sure you set it up the same way as watchguard. I assume watchguard does NAT the same way as ASA and just reads down the list. with the way you describe it, unless there was something to differentiate the NATs it would hit the first one only

I would first check to see if all the 192.168.10.x hosts are even live. most likely some are not if you are replacing an old firewall.

secondly, would these IPs happen to be in a cluster? If so, I have had to do a static nat to the VIP of the cluster so the outside world could talk to it but then also do dynamic nat for the individual cluster members. This is because the cluster members would use their own IP to initiate outbound traffic.

ThanksI will go through and

Mokhalil82 — Fri, 05 Jun 2015 07:26:04 GMT

Thanks

I will go through and see what hosts are actually live, looks like many old rules so il tidy them up before moving further. I am order a new larger external ip address range so I may just NAT them out to individual IPs instead of doing the port address translations