topic Re: NAT on multihoming edge ASA in Network Security

NAT on multihoming edge ASA

yuening liao — Mon, 11 Mar 2019 21:12:58 GMT

hello

as following topology showing, we have multiple public addresses from different ISP. now we need map those public ( inside global ) addresses to single private ( inside local ) address, which assigned to a server, so that user from internet can reach this server.

the public address is 7.7.7.7, 8.8.8.8, 9.9.9.9.

the nat config is:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

after user ping those pubic addresses, the show nat outside displayed that the nat seems work well

ciscoasa(config)# sh nat outside

match ip outside host 20.0.0.200 inside any

static translation to 10.0.0.2

translate_hits = 20, untranslate_hits = 0

but ping still failed

p.s., i have configured icmp inspection and static route for traffic destined to those public addresses also added.

S 7.7.7.7 255.255.255.255 [1/0] via 10.0.0.100, inside

S 8.8.8.8 255.255.255.255 [1/0] via 10.0.0.100, inside

S 9.9.9.9 255.255.255.255 [1/0] via 10.0.0.100, inside

thanks for your reply!

NAT on multihoming edge ASA

varrao — Wed, 17 Aug 2011 08:18:36 GMT

Hi,

If I understand it correctly, you have 3 ISP connections on the terminated on to the outside interface of the ASA (R2,R3,R4)???

You want to map the internal host 20.0.0.200 to three different public ip's ( 7.7.7.7, 8.8.8.8, 9.9.9.9)???

Well on the ASA you cannot do policy based routing and can only have one default route on the ASA, so this might be tough, moreover can you explain me, y do you have this nat:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

Please be aware that the return packets would always be directed towards the default gateway.

It would be helpful if you can provide your config from ASA.

Thanks,

Varun

Re: NAT on multihoming edge ASA

yuening liao — Wed, 17 Aug 2011 09:24:19 GMT

Hi Varun,

thanks for your reply, the 7.7.7.7, 8.8.8.8, 9.9.9.9 is our public ip, but 20.0.0.200 is the connected address of R2, which represents a user from internet.

pls find the config of ASA

NAT on multihoming edge ASA

praprama — Wed, 31 Aug 2011 19:41:37 GMT

Hi,

Your requirement is still confusing. You mention you want outside users to be able to access an inside server using 3 different IP addresses (7.7.7.7, 8.8.8.8 and 9.9.9.9).

If that's your requirement, on ASA 8.2 unfortunately that's not really possible though there is a way to "fool" the firewall to get it working:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

frankly, i have seen this to not work in quite a few occasions. Are you going to perform NAT on the ASA or on an inside router? If it's on the ASA, you do not need the following routes:

route inside 7.7.7.7 255.255.255.255 10.0.0.100 1

route inside 8.8.8.8 255.255.255.255 10.0.0.100 1

route inside 9.9.9.9 255.255.255.255 10.0.0.100 1

Regards,

Prapanch