

Single nat for cluster of inside ips

This is with an ASA5020 (8.1(5)).

This is the nat I have today:

global (outside) 1 66.xx.xx.135 netmask

static (inside,outside) 66.xx.xx.153 netmask

This works great. .67 is an SMTP server that only SENDS email out.

What I want to do is to have a load-balancer on the inside that sends traffic to multiple SMTP servers (2-3). I want 66.xx.xx.153 from outside to inside to go to port 25 on our load balancer, and I also want all our internal SMTP servers to leave our firewall natted behind 66.xx.xx.153. So something like:

static (inside,outside) 66.xx.xx.153 netmask

static (inside,outside) 66.xx.xx.153 netmask

static (inside,outside) 66.xx.xx.153 netmask

Is this possible?

Reason is that all emails should reverse DNS to 66.xx.xx.153.


Single nat for cluster of inside ips

No it is not possible, you can only static NAT 1 public IP to 1 private/real IP.


Re: Single nat for cluster of inside ips

Jennifer is correct as far as statically natting your 3 email servers to the single external IP - it's not possible.

However - let me get this straight.

* You have a single load balancer server that you wish to RECEIVE email on, which will then deliver that email to 3 internal servers?

Just port map port 25 on 63.xx.xx.153 to port 25 on (your load balancer). Something like this:

static (inside,outside) tcp 63.xx.xx.153 smtp smtp  netmask

* You have 3 internal servers that you want to SEND email from directly to external servers and have them reverse DNS to your external IP 63.xx.xx.153?

Allow your 3 servers to connect to anything on port 25 through your global nat policy, something like this:

access-list acl_out extended permit tcp EMAIL_SERVER_GROUP any eq smtp

I assume you already have an internal to external internet connection (global NAT policy), so this will mean external receiving email servers will see your internal servers connecting to them from 63.xx.xx.153.

What wouldn't be possible is having your 3 mail servers sending AND receiving on your single external IP address, but the above scenario is fine because you are only receiving email on one server (your load balancer). The 3 sending servers only need to be allowed to send out through the firewall.

You're better off posting your current config, and then Jennifer or one of the other experts will be able to tell you the exact commands you'd need to achieve this.

NOTE: You should really also consider having your load balancer sitting in a DMZ, as it is essentially open to the world, so in a production environment it should be sitting in a completely separate network. If you have extra physical ports on your firewall, then plug your load balancer into one of those.


Re: Single nat for cluster of inside ips

PS - It's always better to port map a single port (or the ports you need) when you need them - don't do a static 1-to-1 NAT for your servers or hosts, as they are then effectively completely open to the internet, and it is almost pointless having a firewall in place if you do that.


Re: Single nat for cluster of inside ips

I guess we can achieve this concept through PAT overloading and load balancing, i.e. the Translating Rotary Addresses concept. I am not sure this would help you, but you can try it out.
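Putting the two replies together (port-map only TCP/25 inbound to the load balancer, and PAT the sending servers out behind the same public address), here is an added pre-8.3 ASA configuration example; it is not from the thread or from any poster. The inside addresses (10.0.0.10 for the load balancer, 10.0.0.21-23 for the mail servers), the object-group and ACL names, and the netmasks are assumptions; the 66.xx.xx public addresses are the masked values from the original post.

```cisco
! Added example (constructed, not the poster's config). ASA 8.1 / pre-8.3 NAT syntax.
! The existing 1-to-1 "static (inside,outside) 66.xx.xx.153 <.67>" must be removed first:
! a 1-to-1 static claims every port on .153, which is what exposes the host to the internet.
!
! 1. Inbound: only TCP/25 on 66.xx.xx.153 is forwarded, and only to the load balancer.
static (inside,outside) tcp 66.xx.xx.153 smtp 10.0.0.10 smtp netmask 255.255.255.255
!
! 2. Outbound policy PAT: the sending mail servers (include the old .67 host here)
!    leave as 66.xx.xx.153, but only for SMTP, so reverse DNS matches.
object-group network EMAIL_SERVER_GROUP
 network-object host 10.0.0.21
 network-object host 10.0.0.22
 network-object host 10.0.0.23
access-list SMTP_SERVERS_OUT extended permit tcp object-group EMAIL_SERVER_GROUP any eq smtp
nat (inside) 2 access-list SMTP_SERVERS_OUT
global (outside) 2 66.xx.xx.153 netmask 255.255.255.255
!
! 3. Everything else keeps the existing default PAT address (.135).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 66.xx.xx.135 netmask 255.255.255.255
!
! 4. Outside ACL permits only SMTP to the mapped address (pre-8.3 ACLs use the public IP).
access-list OUTSIDE_IN extended permit tcp any host 66.xx.xx.153 eq smtp
access-group OUTSIDE_IN in interface outside
```

Policy NAT (a `nat ... access-list` entry) is matched before the regular `nat (inside) 1` statement, so the mail servers' SMTP sessions use global pool 2 while their other traffic still uses pool 1; `show xlate` confirms which mapped address each session received.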