topic Re: Natted and Physical IP access in Network Security

Natted and Physical IP access

santoshm_75 — Mon, 11 Mar 2019 14:59:20 GMT

Hi,

I am using ASA 5580 with software Version 8.1(2). Could it be possible to access the NATTED IP address and also the physical IP address at the same time from the host.

Re: Natted and Physical IP access

santoshm_75 — Mon, 02 Mar 2009 16:20:48 GMT

Hi,

My requirement is different then what you have mentioned. In the configuration what you have mentioned if i have a host connected to ip add 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts. Can it be possible?

If possible then send some write up and also any cisco site reference.

Regards,

Re: Natted and Physical IP access

JORGE RODRIGUEZ — Wed, 04 Mar 2009 18:15:46 GMT

Sure you can, depending what is your scenarion , but generally you can use same-security-traffic permit intra-interface command in conjuction with specific nat statement , and connect to the NAted address from where you are sourcing the local host . This is also known as hairpining .

Regards

Re: Natted and Physical IP access

santoshm_75 — Thu, 05 Mar 2009 14:16:20 GMT

Hi,

I have all the intra interfaces with differenet level of secuity, then also can it be possible.

If possible Please let me know some write up or any cisco write up details for reference.

Regards,

Re: Natted and Physical IP access

JORGE RODRIGUEZ — Thu, 05 Mar 2009 16:54:05 GMT

Typical scenario

say :

inside host 20.20.20.1/24 - Its public IP 100.100.100.1 for outside

Typically you would have one-to-one NAT

static (inside/outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

now you want local hosts in the 20.20.20.0/24 subnet access 100.100.100.1 which is maped to 20.20.20.1

same-security-traffic permit intra-interface

static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

and allow inbound rules for 100.100.100.1

so inside hosts under 20.20.20.0/24 can access 20.20.20.1 localy as well as 100.100.100.1 from inside interface

Here is some reference on hairpining

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Regards

PLS rate any helpful posts if it helps

Re: Natted and Physical IP access

Jon Marshall — Fri, 06 Mar 2009 12:58:14 GMT

Santosh

Just to clarify what you are asking.

Server = real IP address = 192.168.5.1

Natted IP address = 172.16.5.1

Are you asking if from a client host you can connect to both 172.16.5.1 and 192.168.5.1 on the same port ?

If so no you can't. It's one or the other.

Jon

Re: Natted and Physical IP access

JORGE RODRIGUEZ — Fri, 06 Mar 2009 13:26:34 GMT

if i have a host connected to ip add 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts. Can it be possible

Santosh,

Im not quite sure I understand your requirements which it seemed to me from your initial post a hairpining requirement. I would like to know what application prompts you to have this type of settings, perhaps if you could provide in detail what this requiremen entails in terms of TCP/UDP services I could provide better answer.

Regards

Re: Natted and Physical IP access

santoshm_75 — Fri, 06 Mar 2009 13:27:37 GMT

Hi,

Find the details of requirement.

Inside IP : 172.16.0.0/24

Host: 172.16.1.10

Nannted IP: 192.168.1.10

Outside IP: 192.168.1.0/24

Host: 192.168.1.20

now my requirement is from host 192.168.1.20 can I access 192.168.1.10 and also 172.16.1.10.

Hi Jon: Its the customers requirement for SAP application and also for your reference this is working in checkpoint now. We are replacing ASA-5580 in the place of checkpoint.

Could it possible?

Regards,

Re: Natted and Physical IP access

Jon Marshall — Fri, 06 Mar 2009 13:40:09 GMT

Santosh

If you are trying to access the 172.16.1.10 and 192.168.1.10 from outside using the same application port number you cannot do this on the ASA. I understand you can do this with Checkpoint but NAT functionality differs between firewalls.

Jon