topic Re: ASA 5520 / NAT Problem in Network Security

ASA 5520 / NAT Problem

slade — Fri, 21 Feb 2020 08:38:40 GMT

Hello, is it possible to have the ASA 'listen' on two public IP addresses, but connections initiated TO either of those public addresses are directed to a SINGLE host behind the firewall?

Also, the connections would all be going to a single service (telnet), not multiple services.

Thanks much.

Re: ASA 5520 / NAT Problem

jackko — Mon, 16 Jan 2006 00:08:50 GMT

it's not feasible.

e.g.

static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.2 23 192.168.1.1 23 netmask 255.255.255.255

imagine a telnet session is initiated from the outside. asa receives the packet destined for 1.1.1.1 with tcp port 23. asa then looks up the static and forwords the packet to 192.168.1.1. now, the return traffic from 192.168.1.1 received by asa. asa will be confused because asa is not able to determine which static should be used.

further, you may configure the telnet server to listen on multiple port. by default, telnet server listen to tcp port 23. providing the telnet server listen to both tcp port 23 and tcp port 10000, then the issue should be resolved.

e.g. static (inside,outside) tcp 1.1.1.1 23 192.168.1.1 23 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.2 10000 192.168.1.1 10000 netmask 255.255.255.255

then the user from outside would need to do "telnet 1.1.1.2 10000" instead of "telnet 1.1.1.2".

Re: ASA 5520 / NAT Problem

slade — Mon, 16 Jan 2006 15:13:21 GMT

Then this is a NAT limitation with Cisco. Checkpoint does not have this limitation.

Re: ASA 5520 / NAT Problem

jackko — Tue, 17 Jan 2006 02:45:39 GMT

i believe it's feasible if the ip of the other end is known, then you can configure policy nat.

otherwise i'm not too sure how the firewall can make a decision on which ip should be used for nat.

for more detail in configuring policy nat:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008052564b.html#wp1042553

Re: ASA 5520 / NAT Problem

slade — Wed, 18 Jan 2006 03:32:50 GMT

Yep, it is possible through policy NAT. However, you can't combine one static and then add a policy NAT. There will still be the 'overlapping' address problem. The solution is to create two policy nats.

My original post was regarding unknown (any) source hosts coming inbound to a host behind the ASA.

Today we were hit with another similar problem only this time we knew all the host addresses (sources inbound from the public side). Policy NAT did work in this case.

We are going to test using 'any' as the source inbound to see if we can resolve the other issue. I think as long as there is not an existing static NAT that would conflict, it is possible.

Thanks much.