Solved: Need to Nat 3 PUBLIC IPs to 1 PRIVATE IP

macgyver0099_1 · ‎04-08-2019

Hi,

I have a Cisco ASA-x 5525. I've just been presented with a request from one of our conferencing application vendors. Specifically, they want to assign 3 public IPs to a server (one each to a NIC), which will point to only one private IP via specific, non-redundant TCP ports. I have see this done with PAT by taking several private IPs and natting them to one public IPs, but I've never seen it with one private IP being mapped to several public IPs. Can this be done? If so, can it be done by statically mapping with several TCP ports or does it need a dynamic mapping?

Rob Ingram · ‎04-08-2019

Hi,

Here is an example, just create a new object with a different static IP address (public ip) and change the ports as required. Make sure you add entries in the ACL using the real IP address (not the public IP) and the real port.

object network HOST-80
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp www www
object network HOST-443
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp 443 443

object network HOST-81
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.13 service tcp 81 81

HTH

View solution in original post

balaji.bandi · ‎04-08-2019

yes.. below was the same example you trying to achieve is this correct ?

Public x.x.x.x port 80 ---- z.z.z.z

Public y.y.y.y port 81 ---- z.z.z.z

Public a.a.a.a port 82 ---- z.z.z.z

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

macgyver0099_1 · ‎04-08-2019

Hi,

Thank you for your response. That's very close. Actually, we are looking at a couple of ports per IP:

Public x.x.x.x port 80, 443 ---- private z.z.z.z

Public y.y.y.y port 81, 8443, 4095 ---- private z.z.z.z

Public a.a.a.a port 82, 493, 9162 ---- private z.z.z.z

balaji.bandi · ‎04-08-2019

Make sure Private IP have unique ports too(until you want all the port in to one port - i belive this not your requirement i guess). the example looks good, test and advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

macgyver0099_1 · ‎04-08-2019

Does anyone have a specific example of what that configuration might look like?

Rob Ingram · ‎04-08-2019

Hi,

Here is an example, just create a new object with a different static IP address (public ip) and change the ports as required. Make sure you add entries in the ACL using the real IP address (not the public IP) and the real port.

object network HOST-80
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp www www
object network HOST-443
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.12 service tcp 443 443

object network HOST-81
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.13 service tcp 81 81

HTH

balaji.bandi · ‎04-09-2019

here is example for reference : test one at a time, so any issue you can able to understand.

x.x.x.x
========

object network Internal-IP
host z.z.z.z

object network External-IP-1
host x.x.x.x

object service http
service tcp source eq 80

object service https
service tcp source eq 443

nat (inside,outside) source static Internal-IP External-IP-1 service http http
nat (inside,outside) source static Internal-IP External-IP-1 service https https

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dennis Mink · ‎04-09-2019

Just out of interest. Because there are no overlapping ports. Why the requirement of 3separate public ips?

Please remember to rate useful posts, by clicking on the stars below.