04-08-2019 12:50 PM
Hi,
I have a Cisco ASA-x 5525. I've just been presented with a request from one of our conferencing application vendors. Specifically, they want to assign 3 public IPs to a server (one each to a NIC), which will point to only one private IP via specific, non-redundant TCP ports. I have seen this done with PAT by taking several private IPs and natting them to one public IP, but I've never seen it with one private IP being mapped to several public IPs. Can this be done? If so, can it be done by statically mapping with several TCP ports or does it need a dynamic mapping?
04-08-2019 01:00 PM
Yes. Below is the same example you are trying to achieve, is this correct?
Public x.x.x.x port 80 ---- z.z.z.z
Public y.y.y.y port 81 ---- z.z.z.z
Public a.a.a.a port 82 ---- z.z.z.z
04-08-2019 01:31 PM
Hi,
Thank you for your response. That's very close. Actually, we are looking at a couple of ports per IP:
Public x.x.x.x port 80, 443 ---- private z.z.z.z
Public y.y.y.y port 81, 8443, 4095 ---- private z.z.z.z
Public a.a.a.a port 82, 493, 9162 ---- private z.z.z.z
04-08-2019 02:07 PM - edited 04-08-2019 02:07 PM
Make sure the private IP has unique ports too (unless you want all the ports into one port; I believe this is not your requirement, I guess). The example looks good, test and advise.
04-08-2019 02:30 PM
Does anyone have a specific example of what that configuration might look like?
04-08-2019 03:26 PM
Hi,
Here is an example, just create a new object with a different static IP address (public ip) and change the ports as required. Make sure you add entries in the ACL using the real IP address (not the public IP) and the real port.
object network HOST-80
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp www www
object network HOST-443
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp 443 443
object network HOST-81
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.13 service tcp 81 81
HTH
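A check for the ACL point in the answer above, added here as an example and not part of the original thread: it parses object-NAT port forwards and ACL lines from config text, then reports forwards with no permit on the real IP and port, and permits written against a mapped (public) address. The function names, the ACL name `OUTSIDE_IN` and the two ACL lines in the sample are assumptions; only the `nat ... static ... service tcp` and `permit tcp any host ... eq ...` forms are handled.

```python
import re

NAMED_PORTS = {"www": 80, "https": 443}  # names ASA prints for these ports

def port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def parse(config):
    """Return (forwards, permits) parsed from ASA 8.3+ object-NAT config text."""
    forwards, permits, real_ip = set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network"):
            real_ip = None  # new object: forget the previous host
        elif m := re.match(r"host (\S+)$", line):
            real_ip = m.group(1)
        elif m := re.match(r"nat \(\S+\) static (\S+) service tcp (\S+) (\S+)$", line):
            forwards.add((real_ip, port(m.group(2)), m.group(1), port(m.group(3))))
        elif m := re.match(r"access-list \S+ extended permit tcp any host (\S+) eq (\S+)$", line):
            permits.add((m.group(1), port(m.group(2))))
    return forwards, permits

def audit(config):
    """Flag forwards lacking a permit on the real IP/port, and permits
    written against a mapped (public) address."""
    forwards, permits = parse(config)
    mapped_ips = {f[2] for f in forwards}
    findings = [f"no permit for {rip}:{rp} (published as {mip}:{mp})"
                for rip, rp, mip, mp in sorted(forwards) if (rip, rp) not in permits]
    findings += [f"permit names mapped address {ip}:{p}; use the real IP and port"
                 for ip, p in sorted(permits) if ip in mapped_ips]
    return findings

# Constructed sample: the answer's NAT objects plus one good and one bad ACL line.
SAMPLE = """\
object network HOST-80
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp www www
object network HOST-443
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp 443 443
object network HOST-81
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.13 service tcp 81 81
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.12 eq 443
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```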
04-09-2019 12:23 AM
Here is an example for reference. Test one at a time, so you are able to understand any issue.
x.x.x.x
========
object network Internal-IP
 host z.z.z.z
object network External-IP-1
 host x.x.x.x
object service http
 service tcp source eq 80
object service https
 service tcp source eq 443
nat (inside,outside) source static Internal-IP External-IP-1 service http http
nat (inside,outside) source static Internal-IP External-IP-1 service https https
04-09-2019 03:49 AM
Just out of interest: because there are no overlapping ports, why the requirement of 3 separate public IPs?