topic Re: Policy NAT (Different Outside IP accessing Different DMZ web in Network Security

Policy NAT (Different Outside IP accessing Different DMZ webserver)

bala150985 — Mon, 11 Mar 2019 17:24:36 GMT

This is the topology I am using in my Lab.

Now What I want to attempt is that,

Point1: When a person at the outside box of 10.4.0.128 tries to access http://10.4.0.129 he should see the website hosted at the DMZ0 webserver (10.3.0.130).

Point2: When a personat the outside box of 10.4.0.130 tries to access http://10.4.0.129 he should see the website hosted at the DMZ1 webserver (10.3.0.131).

What are the stuffs which I should enter in this Static Policy Nat, I am breaking my head over this from Saturday night, I got it to work for just DMZ0 from 10.4.0.128 and when I tried adding one more static policy nat for DMZ1 it said that it is clashing with my previous Static Policy NAT of DMZ0.

Re: Policy NAT (Different Outside IP accessing Different DMZ web

Panos Kampanakis — Mon, 22 Mar 2010 20:12:02 GMT

You need 2 rules.

That will not work, the ASA will throw an error

ERROR: mapped-address conflict with existing static

If you change you statement to

Point1: When a person at the outside box of 10.4.0.128 tries to access http://10.4.0.129 he should see the website hosted at the DMZ0 webserver (10.3.0.130).

Point2: When a personat the outside box of 10.4.0.130 tries to access http://10.4.0.229 he should see the website hosted at the DMZ1 webserver (10.3.0.131).

then the config would be

access-l t1 ext perm ip host 10.3.0.130 host 10.4.0.128
access-l t2 ext perm ip host 10.3.0.131 host 10.4.0.130

static (inside,outside) 10.4.0.129 access-l t1
static (inside,outside) 10.40.0.229 access-l t2

The way you want to do it the ASA will not let you map different ip addresses to the same global ip.

I hope it makes it clear.

Re: Policy NAT (Different Outside IP accessing Different DMZ web

Kureli Sankar — Mon, 22 Mar 2010 21:26:57 GMT

Bala,

I see that 10.4.0.129 is the outside interface IP address.

In which case you can do the following static PAT. These statics should have nothing to do with the inside interace. Previous posting accidentally specifies inside interface.

The interfaces involved are dmz and outside. I am assuming these two are two hosts in the dmz segment and not two different dmz interfaces. Your diagram says these are two diff. interfaces but the IP addresses are right next to each other so, I am assuming just one DMZ interface.

static (dmz,outside) tcp interface 8080 10.3.0.130 80 net 255.255.255.255

This above static will grab requests from the outside http://10.4.0.129:8080 and send it to 10.3.0.130 - port 80 to the dmz.

static (dmz,outside) tcp interface 8000 10.3.0.131 80 net 255.255.255.255

This above static will grab requests arriving to http://10.4.0.129:8000 and send it to 10.3.0.131 - port 80 again to the dmz.

Now, in the acl that you have applied on the outside restric that the

host 10.4.0.128 can only talk to 10.4.0.129 on port 8080

and host 10.4.0.130 can only talk to 10.4.0.129 on port 8000.

You should be all set.

-KS

Re: Policy NAT (Different Outside IP accessing Different DMZ web

bala150985 — Tue, 23 Mar 2010 04:54:48 GMT

Thanks-a-lot for responding to my question , I have just one DMZ interface at 10.3.0.129.

I started searching for this question because I heard from someone that it is possible to redirect http two partners with different IP out at the internet trying to hit the same ASA outside interface of 10.4.0.129 to two different internal servers based on their Source IP's.

I have previously done accessing two different webserver by hitting http://10.4.0.129:8080 ----> DMZ0 and http://10.4.0.129:8081 ----> DMZ1 which is just port redirection. However I wanted to know if this is possible even if the port was constant and still be able to differentiate between the two traffic leading them to different webservers.

Technically speaking I thought it was not possible to redirect http request to two different DMZ's by hitting the same outside interface of 10.4.0.129 on port 80, however when we take into account the different source IP's then I believe that it is possible, that is what the STATIC POLICY NAT claims to do. I could be wrong though

Re: Policy NAT (Different Outside IP accessing Different DMZ web

bala150985 — Tue, 23 Mar 2010 13:14:18 GMT

After a lot of search I found this article about NAT on CISCO's website. Which clearly shows that what I wanted could not be achieved.

However I will keep my question as my long term goal to try and see if it is possible. If someone feels that it is not possible kindly try to explain me as to why that is not possible.

Re: Policy NAT (Different Outside IP accessing Different DMZ web

Panos Kampanakis — Tue, 23 Mar 2010 13:29:27 GMT

I can't be done because the ASA will give you an error

ERROR: mapped-address conflict with existing static

The only thing that you can do is to PAT different ports based on the traffic (PAT).

Re: Policy NAT (Different Outside IP accessing Different DMZ web

Kureli Sankar — Tue, 23 Mar 2010 13:35:12 GMT

Bala,

This is not possible or I would have given you the config lines to accomplish that.

Just because you are doing a policy doesn't mean you can do that. It is the same rule whether you use policy or just use static pat.

You cannot receive traffic destined to port 80 on the outside interface and send it to different servers on the dmz.

There are other Cisco devices (Content Service Engines) that can do that so, this feature is not there on the ASA.

-KS