topic Re: NATing two public IPs to one private IP: HOWTO? in Network Security

NATing two public IPs to one private IP: HOWTO?

edwardwaithaka — Mon, 11 Mar 2019 13:27:02 GMT

Hi,

I have an email server hosting two email domains e.g. @sisco.com and @neatco.com each resolved to two different public IPs (MX records etc)

I have a Cisco 5510 ASA firewall at my perimter and now I have the challenge of mapping the two public IPs to my mail server on the internal side.

How can I over come this without having to give the server two separate private IPs for each email domain???

Thanks.

Edd.

Re: NATing two public IPs to one private IP: HOWTO?

andrew.prince — Wed, 06 Aug 2008 14:35:28 GMT

Edd,

mmmmmm I'm pretty sure you cannot do this with a static NAT statements, they would overlap.....but you could try using an alias and see if that would work:-

static (inside,outside) w.w.w.w x.x.x.x netmask 255.255.255.255

alias (inside) y.y.y.y z.z.z.z 255.255.255.255

w.w.w.w = 1st external IP address

x.x.x.x = Internal Server IP

y.y.y.y = Internal Server IP

z.z.z.z = 2ns external IP address#

This is a guess - you will have to test, and it may not work.

HTH>

Re: NATing two public IPs to one private IP: HOWTO?

Marwan ALshawi — Wed, 06 Aug 2008 14:43:22 GMT

lets say ur internal server is in the inside network with ip 192.168.1.1

and u have two public ips

1.1.1.1 and 2.2.2.2

now we gonna map any connection to these ips to that server

static (inside, outisde) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside, outisde) 2.2.2.2 192.168.1.1 netmask 255.255.255.255

if u wanna map only smtp port for example

do:

static (inside, outisde)tcp 1.1.1.1 25 192.168.1.1 25 netmask 255.255.255.255

static (inside, outisde)tcp 25 2.2.2.2 192.168.1.1 25 netmask 255.255.255.255

in this case only connections for tcp 25 will be maped while the first exampel everything will be maped

and if u wanna make for more ports like tcp 25 and other oorts do the same command like for each port

BUT DONT FORGET to make access list that permit traffic coming to ur public ip address and apply it to the outside interface

for the first example here do the forllowing acl

access-list 100 permit ip any host 1.1.1.1

access-list 100 permit ip any host 2.2.2.2

access-group 100 in interface outside

for the second example we gonna allow only spesific port or ports

access-list 100 permit tcp any host 2.2.2.2 eq 25

access-list 100 permit tcp any host 1.1.1.1 eq 25

access-group 100 in interface outside

good luck

please, if helpful Rate

Re: NATing two public IPs to one private IP: HOWTO?

andrew.prince — Wed, 06 Aug 2008 14:52:38 GMT

Try try the below URL - policy based NAT:-

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00807d2874.shtml

HTH>

Re: NATing two public IPs to one private IP: HOWTO?

edwardwaithaka — Wed, 06 Aug 2008 15:03:20 GMT

Hi marwanshawi,

I dont think this can happen. I get the error;

ERROR: duplicate of existing static

We tried policy nat but that also doesnt work.

Re: NATing two public IPs to one private IP: HOWTO?

JORGE RODRIGUEZ — Wed, 06 Aug 2008 15:17:10 GMT

The policy nat is also an alternative, say rdp and http example

Ex.

Public IPs 200.200.200.1

200.200.200.2

Private IP 192.168.1.1

static (inside,outside) 200.200.200.1 access-list policy_nat_http1

static (inside,outside) 200.200.200.2 access-list policy_nat_rdp1

access-list policy_nat_http1 extended permit ip host 192.168.1.1 any

access-list policy_nat_rdp1 extended permit ip host 192.168.1.1 any

access-list outside_access_in extended permit tcp any host 200.200.200.1 eq 80 log

access-list outside_access_in extended permit tcp any host 200.200.200.2 eq 3389 log

access-group outside_access_in in interface outside

[edit]

for your smtp

replace the acl PNAT name as something like:

policy_nat_smtp1, policy_nat_smpt2, and the respective TCP port 25 in the inbound acl, it should work.. make sure the public Ips are not currently being used by any other system otherwise you will get errors.

Re: NATing two public IPs to one private IP: HOWTO?

dwgrow — Wed, 06 Aug 2008 16:36:12 GMT

have you tried placing two IPs on the Email servers Ethernet card? NAT one external to each Internal IP

Re: NATing two public IPs to one private IP: HOWTO?

Marwan ALshawi — Thu, 07 Aug 2008 09:35:30 GMT

ok lets do a work around

lets say u ur internal mail server ip address is 192.168.1.1

make static nat for this ip to one of the public IPs

then go to ur server give it a secondary IP lets say 192.168.1.10

and then mak another sattic nat maping the second public ip address to that secondary IP

this case will for sure

good lcuk

and let know

Re: NATing two public IPs to one private IP: HOWTO?

JORGE RODRIGUEZ — Thu, 07 Aug 2008 14:25:09 GMT

Marwan & Dennis solution is effective as well and probably the easiest way to go around it.