Hello, just wondering if anyone has done this and might have some tips, please?
Due to an FTP (SFTP) server migration, a developer has asked me if:
For outgoing connections, the new server and the old server, say IPs = S1 and S2, can use the same existing public IP that S1 currently uses, say IP = P1. (He doesn't want the external suppliers to have to change their firewall rules - he says there are only about 6 external suppliers.)
For incoming unsolicited connections, the servers can also share this same IP P1 (using the same port, TCP 22).
The existing server has an existing simple static auto NAT such that for both o/g and i/c connections, S1<=>P1,
e.g. (using S1 and P1 for the host IP addresses):
object network obj-S1
 host S1
 nat (dmz1,outside) static P1
My initial thought was 'no', but out of curiosity I'm wondering if the following would work:
a. Remove the existing NAT.
b. Add new twice NATs so that each external supplier, say X1 to X6, can be migrated in turn, such that as a first step we'd have:
   X1 is routed via P1 to S2;
   X2 to X6 are routed via P1 to S1 (as existing).
object network obj-S1
 host S1
object network obj-S2
 host S2
object network obj-P1
 host P1
object network obj-X1
 host X1
(X1 might be a range, but I'm using single hosts for simplicity.)
Managed to get hold of a spare small ASA (5506) and tried this - it worked OK. I didn't need to remove the existing object auto NAT, as the new manual twice NATs take precedence. We're not translating the external IP but need to match on it. So suppliers can be migrated one by one if needed.
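For reference, here is a complete configuration of the arrangement the poster tested. This is an added example, not the poster's own config: S1, S2, P1 and X1 are the placeholder addresses from the post, the interface names dmz1/outside are taken from the existing auto NAT line, the ACL name is an assumption, and the syntax is the 8.3+ (object/twice) NAT model.

```cisco
! Added example (not the poster's config). S1, S2, P1, X1 are the
! placeholder addresses from the post; replace with real IPs.
!
! Existing object auto NAT (section 2 of the NAT table): S1 <=> P1
object network obj-S1
 host S1
 nat (dmz1,outside) static P1
!
object network obj-S2
 host S2
object network obj-P1
 host P1
object network obj-X1
 host X1
!
! Manual (twice) NAT lands in section 1, so it is evaluated before the
! object auto NAT above. Only the source side is translated (S2 <=> P1);
! the destination is an identity mapping, used purely to match on X1.
! Static twice NAT is bidirectional: inbound X1 -> P1:22 is untranslated
! to S2, and outbound S2 -> X1 leaves with source P1.
nat (dmz1,outside) source static obj-S2 obj-P1 destination static obj-X1 obj-X1
!
! Migrating the next supplier is one more object plus one more rule, e.g.
!   object network obj-X2
!    host X2
!   nat (dmz1,outside) source static obj-S2 obj-P1 destination static obj-X2 obj-X2
! Suppliers without such a rule (X2..X6 here) still hit the auto NAT and
! keep reaching S1 via P1.
!
! Post-8.3 interface ACLs match on real (untranslated) addresses, so the
! ACL applied inbound on outside must permit X1 to S2, not to P1.
! "outside_in" is an assumed name for whatever ACL is already applied there.
access-list outside_in extended permit tcp host X1 host S2 eq 22
!
! Verification (exec mode):
!   show nat                                      - confirm the rule is in section 1
!   packet-tracer input outside tcp X1 40000 P1 22  - should land on S2
!   packet-tracer input outside tcp X2 40000 P1 22  - should still land on S1
!   packet-tracer input dmz1 tcp S2 40000 X1 22     - should leave as P1
```

Two caveats worth checking with packet-tracer before cutting a supplier over: outbound traffic from S2 to a supplier that has not yet been given a twice NAT rule matches no translation and leaves with S2's real address, so each supplier should be migrated in both directions at once; and because the outside ACL is evaluated against S2's real address, the cutover needs the ACL change as well as the NAT rule.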