https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532094#M616207 <HTML><HEAD></HEAD><BODY><P>Thanks. Apologize if my question was not clear.</P><P></P><P>Taking the eg. that you have stated, our policy needs me to use the same public IP for this server host 1.1.1.1 when going out to internet &amp; use the same public IP&nbsp; for inbound connections to this server initiated by any source from the internet.</P><P></P><P>TIA.</P><P></P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 17 Nov 2010 14:24:32 GMT suthomas1 2010-11-17T14:24:32Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532092#M616203 <P>One of the server host uses the same internet ip to get on to internet and also receive the request from internet to itself. this was done for address space restraint. But a recent security audit has forced to seperate the communication for this server using a single internet registered ip both ways.</P><P></P><P>i.e server host 10.19.2.2 will use internet IP X.X.X.X for internet bound data from itself &amp; the same X.X.X.X internet IP will be used to reach this host when any other host on internet needs to start a new connection to 10.19.2.2.</P><P></P><P>Insights into how best,this can be achieved, will be helpful.</P><P></P><P>TIA.</P> Mon, 11 Mar 2019 19:10:32 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532092#M616203 suthomas1 2019-03-11T19:10:32Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532093#M616205 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to do this on ASA you can do the following:</P><P></P><P>static (in,out) tcp 2.2.2.2 80 1.1.1.1 80</P><P></P><P>nat (inside) 1 1.1.1.1 255.255.255.255</P><P>global (outside) 1 2.2.2.3</P><P></P><P>The above example assumes the following:</P><P></P><P>Inbound connections to the server (1.1.1.1) will use the NAT IP (2.2.2.2) when the requests comes on port 80.</P><P>Outbound traffic from the server will use (2.2.2.3) to get to the Internet.</P><P></P><P>Hope it helps.</P><P></P><P>Federico.</P></BODY></HTML> Wed, 17 Nov 2010 14:07:53 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532093#M616205 Federico Coto Fajardo 2010-11-17T14:07:53Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532094#M616207 <HTML><HEAD></HEAD><BODY><P>Thanks. Apologize if my question was not clear.</P><P></P><P>Taking the eg. that you have stated, our policy needs me to use the same public IP for this server host 1.1.1.1 when going out to internet &amp; use the same public IP&nbsp; for inbound connections to this server initiated by any source from the internet.</P><P></P><P>TIA.</P><P></P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 17 Nov 2010 14:24:32 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532094#M616207 suthomas1 2010-11-17T14:24:32Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532095#M616208 <HTML><HEAD></HEAD><BODY><P>In that case you can modify the configuration to this:</P><P></P><P>static (in,out) 2.2.2.2 1.1.1.1</P><P></P><P>The above command will always translate 1.1.1.1 to 2.2.2.2 for inbound or outbound trafffic.</P><P></P><P>Federico.</P></BODY></HTML> Wed, 17 Nov 2010 14:26:25 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532095#M616208 Federico Coto Fajardo 2010-11-17T14:26:25Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532096#M616209 <HTML><HEAD></HEAD><BODY><P>so the static line will accomplish the task for both inbound &amp; outbound using same ip.</P><P>and i would say there needs to be an acl on the outside interface for the incoming new request. would this static and rule hold true for both tcp &amp; udp connections.</P><P></P><P>Appreciate your help. Thanks.</P></BODY></HTML> Wed, 17 Nov 2010 14:35:50 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532096#M616209 suthomas1 2010-11-17T14:35:50Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532097#M616210 <HTML><HEAD></HEAD><BODY><P>Correct.</P><P>The static will hold true for TCP and UDP connections.</P><P>Also, to allow incoming traffic you require the ACL as you mentioned. </P><P></P><P>Federico.</P></BODY></HTML> Wed, 17 Nov 2010 14:37:31 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532097#M616210 Federico Coto Fajardo 2010-11-17T14:37:31Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532098#M616211 <HTML><HEAD></HEAD><BODY><P>Thanks, last query , to check these connections when in use , would sh conn and sh xlate be appropriate commands . Or any other command for this.</P></BODY></HTML> Wed, 17 Nov 2010 14:47:15 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532098#M616211 suthomas1 2010-11-17T14:47:15Z https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532099#M616212 <HTML><HEAD></HEAD><BODY><P>Correct.</P><P>To check the translations (layer 3) you use sh xlate</P><P>To check the connections (layer 4) you use sh conn (sh conn state/sh conn det)</P><P></P><P>Since you have a static one-to-one NAT, there's going to be a single XLATE with multiple connections for that particular host.</P><P></P><P>Federico.</P></BODY></HTML> Wed, 17 Nov 2010 14:49:56 GMT https://community.cisco.com/t5/network-security/server-ip-translation-with-asa/m-p/1532099#M616212 Federico Coto Fajardo 2010-11-17T14:49:56Z