Hello, just wondering if anyone has done this and might have some tips, please?
Due to an ftp (sftp) server migration a developer has asked me if:
For outgoing connections, the new server and the old server, say IPs = S1 and S2, can use the same existing public IP that S1 currently uses, say IP = P1. (He doesn't want the external suppliers to have to change their firewall rules - he says there are only about 6 external suppliers.)
For incoming unsolicited connections, the servers can also share this same ip P1 (using the same port = tcp 22).
The existing server has an existing simple static auto nat such that for both o/g and i/c connections, S1<=>P1.
e.g. (using S1 and P1 for the host ip addresses)
object network obj-S1
 host S1
 nat (dmz1,outside) static P1
My initial thought was 'no' but out of curiosity I'm wondering if the following would work:
a. Remove the existing nat
b. Add new twice NATs so that each external supplier, say X1 to X6, can be migrated in turn such that we'd have as a first step
X1 is routed via P1 to S2
X2 to X6 are routed via P1 to S1 (as existing).
e.g.
object network obj-S1
 host S1
object network obj-S2
 host S2
object network obj-P1
 host P1
object network obj-X1
 host X1   (might be a range but using single hosts for simplicity)
object network obj-X2
 host X2
object network obj-X3
 host X3
etc..
then
nat (dmz1,outside) source static obj-S2 obj-P1 destination static obj-X1 obj-X1
nat (dmz1,outside) source static obj-S1 obj-P1 destination static obj-X2 obj-X2
nat (dmz1,outside) source static obj-S1 obj-P1 destination static obj-X3 obj-X3
nat (dmz1,outside) source static obj-S1 obj-P1 destination static obj-X4 obj-X4
etc.
Thanks in advance for any suggestions.
I wouldn't consider this if there weren't just a few external suppliers and even writing it out like this makes me think he should just tell the suppliers to add the new server.
Thanks again.
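As an added illustration of the twice-NAT approach described in the post (this is not the poster's configuration), with the inbound ACL and a verification step a practitioner would run before cutting a supplier over. The addresses are constructed stand-ins for S1, S2, P1, X1 and X2, and the object and ACL names are assumptions:

```cisco
! Constructed addresses (replace with the real hosts):
!   S1 = 10.10.1.11, S2 = 10.10.1.12 (dmz1)   P1 = 203.0.113.10 (outside)
!   X1 = 198.51.100.21 (migrated to S2)       X2 = 198.51.100.22 (still on S1)
! Add one obj-Xn plus one nat line per further supplier.
object network obj-S1
 host 10.10.1.11
object network obj-S2
 host 10.10.1.12
object network obj-P1
 host 203.0.113.10
object network obj-X1
 host 198.51.100.21
object network obj-X2
 host 198.51.100.22
!
! Step a: remove the existing auto NAT from obj-S1.
object network obj-S1
 no nat (dmz1,outside) static 203.0.113.10
!
! Step b: manual (twice) NAT, section 1, evaluated top-down, first match.
! Each rule is keyed on a distinct supplier, so order only matters if two
! supplier objects overlap. Static rules are bidirectional: an inbound SYN
! from X1 to P1:22 is untranslated to S2, one from X2 to S1. Inbound traffic
! from any address not listed matches no rule and never reaches a server.
nat (dmz1,outside) source static obj-S2 obj-P1 destination static obj-X1 obj-X1
nat (dmz1,outside) source static obj-S1 obj-P1 destination static obj-X2 obj-X2
!
! Inbound ACL is written against real (post-NAT) addresses on ASA 8.3+,
! so each supplier is permitted only to the server it is mapped to, TCP/22.
access-list OUTSIDE_IN extended permit tcp object obj-X1 object obj-S2 eq 22
access-list OUTSIDE_IN extended permit tcp object obj-X2 object obj-S1 eq 22
access-group OUTSIDE_IN in interface outside
!
! Verification, expected result per direction:
! packet-tracer input outside tcp 198.51.100.21 40000 203.0.113.10 22
!   -> NAT untranslates to 10.10.1.12 (S2), OUTSIDE_IN permits, ALLOW
! packet-tracer input outside tcp 198.51.100.22 40000 203.0.113.10 22
!   -> NAT untranslates to 10.10.1.11 (S1), since X2 is not migrated yet
! packet-tracer input dmz1 tcp 10.10.1.12 40000 198.51.100.21 22
!   -> source translated to 203.0.113.10 (P1), as the supplier expects
! show nat detail     (translate_hits / untranslate_hits per rule)
! show xlate          (active translations during the cut-over)
```

Once all six suppliers are on S2 the per-supplier rules can be collapsed back into a single static NAT for obj-S2.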