Nat two identical services on interface Public Address

MarcoM

Hi all,

Can I NAT two internal addresses with the same service on one public interface address?

I have an ASA 5515-X and I want to NAT two services, tcp\80, on the same public interface IP address:

object network Owa-Interno
  host 10.0.1.4
object network Sito-Interno
  host 10.0.1.8
nat (INSIDE,OUTSIDE) source static Owa-Interno interface service http http
nat (INSIDE,OUTSIDE) source static Sito-Interno interface service http http
!
object network INSIDE-LAN
  nat (any,OUTSIDE) dynamic interface

Thanks in advance.

M

No, that can't work. On the public side, both services have to be accessed by different ports. For example TCP/80 for server1 and TCP/81 for server2. Internally, both servers can run on TCP/80.

If it is important that both servers are reachable with TCP/80 and you only have one public IP, then an internal reverse-proxy could be the solution. This proxy takes all incoming HTTP-traffic and distributes the traffic to the internal servers based on the requested FQDN.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
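
Added example (not part of the original thread, and not Cisco's tooling): a small Python check for the rule stated in the reply above, that two static interface NAT rules cannot claim the same public port. It recognises only the two nat line shapes that appear in this thread; the function name, the port-alias table and the sample inputs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line shapes copied from the thread; anything else in the config is ignored.
OBJ_HDR = re.compile(r"^object network (\S+)$")
OBJ_NAT = re.compile(r"^nat \(\S+?,(\S+?)\) static interface service (tcp|udp) \S+ (\S+)$")
TWICE_NAT = re.compile(r"^nat \(\S+?,(\S+?)\) source static (\S+) interface service \S+ (\S+)$")

# Assumption: small alias table so "http", "www" and "80" compare equal.
PORT_ALIASES = {"http": "80", "www": "80", "https": "443"}

def find_port_collisions(config):
    """Map (outside_ifc, proto, public_port) -> internal objects, for ports claimed twice."""
    claims = defaultdict(list)
    current_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_HDR.match(line):
            current_obj = m.group(1)
        elif m := OBJ_NAT.match(line):
            ifc, proto, port = m.groups()
            claims[(ifc, proto, PORT_ALIASES.get(port, port))].append(current_obj)
        elif m := TWICE_NAT.match(line):
            ifc, obj, port = m.groups()
            # Assumption: the thread's twice-NAT lines name no protocol; treat as tcp.
            claims[(ifc, "tcp", PORT_ALIASES.get(port, port))].append(obj)
    return {key: objs for key, objs in claims.items() if len(objs) > 1}

# Constructed input: the two rules from the first post (both want public tcp/80).
SAME_PORT = """
nat (INSIDE,OUTSIDE) source static Owa-Interno interface service http http
nat (INSIDE,OUTSIDE) source static Sito-Interno interface service http http
"""

# Constructed input: object-NAT form with distinct public ports (80 and 81).
SPLIT_PORTS = """
object network Owa-Interno
  host 10.0.1.4
  nat (INSIDE,OUTSIDE) static interface service tcp http 80
object network Sito-Interno
  host 10.0.1.8
  nat (INSIDE,OUTSIDE) static interface service tcp http 81
"""

if __name__ == "__main__":
    for name, cfg in (("same port", SAME_PORT), ("split ports", SPLIT_PORTS)):
        print(name, "->", find_port_collisions(cfg) or "no collision")
```
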

Hi Karsten,

Thanks for the reply; you confirmed that I cannot use it.

Another question: with this configuration, static NAT and VPN should work correctly, right?

interface GigabitEthernet0/1
  nameif OUTSIDE
  security-level 0
  ip address 217.51.xxx.xxx 255.255.255.240
object network INSIDE-LAN
  subnet 10.0.0.0 255.0.0.0
object network Owa-Interno
  host 10.0.1.4
object network Sito-Interno
  host 10.0.1.8
object network Rete_VpnAnyconnect
  subnet 172.16.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static Owa-Interno interface service https https
nat (INSIDE,OUTSIDE) source static Sito-Interno interface service http http
nat (INSIDE,OUTSIDE) source static INSIDE-LAN INSIDE-LAN destination static Rete_VpnAnyconnect Rete_VpnAnyconnect no-proxy-arp route-lookup
!
object network INSIDE-LAN
  nat (any,OUTSIDE) dynamic interface

Thanks.

M

yes, that looks (nearly) fine. An improvement is to change your two HTTP and HTTPS-rules to object-NAT instead of twice-NAT:

object network Owa-Interno
  host 10.0.1.4
  nat (INSIDE,OUTSIDE) static interface service tcp https https
object network Sito-Interno
  host 10.0.1.8
  nat (INSIDE,OUTSIDE) static interface service tcp http http


Thanks Karsten.
