Is this the correct way to NAT to two different interfaces in ASA 8.4(2)?

colin.nguyen — Mon, 11 Mar 2019 21:28:17 GMT

We just upgraded our ASA 5520 from 8.2 to 8.4(2) and I am just now getting familliar with the new config. We have an inside, outside, and DMZ interface. There is a web server in the DMZ with IP 10.6.129.5. I would like to NAT this address to a public internet IP that we own, so that users coming in from the outside can hit it. Let's say that the public IP on the outside is 172.16.129.5. I would also like my Inside users on the private LAN who are trying to hit 172.16.129.5 accomplish the same thing as users coming from the Outside. So is this a supported config?

object network obj-10.6.129.5

host 10.6.129.5

object network obj-10.6.129.5-01

host 10.6.129.5

object network obj-10.6.129.5

nat (dmz,outside) static 172.16.129.5

object network obj-10.6.129.5-01

nat (dmz,inside) static 172.16.129.5

access-list acl-outside extended permit tcp any host 10.6.129.5 eq 80

access-list acl-inside extended permit tcp any host 10.6.129.5 eq 80

When I enter the config into the ASA, it took the commands and everything works as desired. But I remember from the PIX world that NATing the same address to two different interfaces on the firewall causes intermittent problems. I would just like to know if what I am doing here on the ASA 8.4(2) is a supported config. Thanks.

Is this the correct way to NAT to two different interfaces in AS

Julio Carvajal — Thu, 22 Sep 2011 01:04:09 GMT

Hello Colin,

Yes, this is supported, the configuration its fine, you are not going to have problems with that.

Best Regards,

Julio

topic Is this the correct way to NAT to two different interfaces in ASA 8.4(2)? in Network Security

Is this the correct way to NAT to two different interfaces in ASA 8.4(2)?

Is this the correct way to NAT to two different interfaces in AS