2770 Views, 5 Helpful, 10 Replies

ASA 1 Public IP to 2 internal Servers using same ports

dragon8_uk (Level 1)

Hi,

I am moving some rules from a Check Point firewall (R77.30) to a new ASA pair (9.8(2)28).

One of the rules I have seen has 2 internal hosts sharing the same external IP on the same ports.

Is there any way to do this on the Cisco?

e.g.

Outside interface 60.50.40.1 is NATted to DMZ hosts 10.10.10.1 and 10.10.10.2 on port 22 on the Check Point.

I can do this:

nat (outside,dmz) source static any any destination static NAT_IP_60.50.40.1 GRP-LAN-PUB no-proxy-arp

GRP-LAN-PUB would include hosts 10.10.10.1 and 10.10.10.2.

Not sure that's going to work though.

Any thoughts would be helpful.

Thanks


10 Replies

That's interesting. Does the server have two NIC cards? Or is this a load balancer?

You can try, but I am not sure if they will work unless the second IP address is a kind of backup IP address.

Create an object group and bind these two IP addresses in this group. Also make sure your NAT rules must be nat(dmz,outside), not nat(outside,dmz).

please do not forget to rate.

Hi,
Not sure how that would work on the Check Point. Does it make 2 unique fake ports to the real port of 22? Therefore making each connection unique?

You could do something like this:

object network SRV1
 host 10.10.10.1
 nat (inside,outside) static 1.1.1.1 service tcp 80 180
access-list OUTSIDE_IN permit tcp any host 10.10.10.1 eq 80

object network SRV2
 host 10.10.10.2
 nat (inside,outside) static 1.1.1.1 service tcp 80 280
access-list OUTSIDE_IN permit tcp any host 10.10.10.2 eq 80

EDIT: the other option would be to create a source based NAT.

HTH

@Rob Ingram How about creating an object group and putting the hosts in that group instead of creating two object networks?

And I never heard you can map two RFC1918 IPs to one public IP with the same ports?

please do not forget to rate.

No, you can't that I am aware of. My suggestion was to use 2 unique NATted IP addresses, or potentially you could create a source based NAT.

This is not possible.  The servers themselves can listen on the same port but clients on the internet would need to access these two servers on different ports.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud I have not heard this either. Yes you can change the port number, that's possible, but two internal IPs with the same port with one single public IP, that doesn't look possible?

please do not forget to rate.

(Accepted Solution)

No it is not possible, as the users accessing the servers need a way to differentiate which server they are accessing. There are two ways of doing this.

1. use different public IPs for the servers

2. use different ports

--
Please remember to select a correct answer and rate helpful posts
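The reason behind the accepted answer is that an inbound packet on the outside interface is identified only by its destination (IP, protocol, port); if two static translations claim the same tuple, the firewall has no way to pick a real host. The following checker is an added example written for this thread, not code from Cisco or from any poster. It parses ASA-style object NAT blocks (constructed sample configs using the thread's own example addresses) and reports mapped-side tuples claimed by more than one real server. It deliberately treats a one-to-one static NAT without a service clause as claiming every port of its mapped IP, so a whole-IP static and a static PAT on the same public address are also flagged; that conservative rule is the checker's own assumption, useful when reviewing rules migrated from another vendor.

```python
import re
from collections import defaultdict

# ASA object-NAT line, e.g. "nat (dmz,outside) static 60.50.40.1 service tcp 22 2222".
# The optional "service" clause turns a one-to-one static NAT into static PAT.
NAT_RE = re.compile(
    r"nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) static (?P<mapped_ip>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\d+) (?P<mapped_port>\d+))?$"
)


def parse_object_nat(config):
    """Extract static translations from ASA-style 'object network' blocks.

    Returns dicts with the real host plus the mapped (public-side) interface,
    IP, protocol and port.  proto/mapped_port are None for a one-to-one
    static NAT that has no service clause.
    """
    entries, obj, host = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, host = line.split()[2], None
        elif line.startswith("host ") and obj:
            host = line.split()[1]
        elif line.startswith("nat (") and obj and host:
            m = NAT_RE.match(line)
            if m is None:
                continue  # dynamic NAT, twice NAT etc. are out of scope here
            d = m.groupdict()
            entries.append({
                "object": obj, "real_ip": host,
                "mapped_if": d["mapped_if"], "mapped_ip": d["mapped_ip"],
                "proto": d["proto"],
                "mapped_port": int(d["mapped_port"]) if d["mapped_port"] else None,
            })
    return entries


def overlaps(a, b):
    """True when an inbound packet could match both translations.

    A one-to-one static (no service clause) claims every port of the mapped
    IP, so it overlaps anything else on that IP (checker's assumption); two
    static PATs overlap only when protocol and mapped port are the same.
    """
    if a["proto"] is None or b["proto"] is None:
        return True
    return a["proto"] == b["proto"] and a["mapped_port"] == b["mapped_port"]


def find_collisions(config):
    """Return [(mapped_ip, object_a, object_b), ...] for ambiguous mappings."""
    by_ip = defaultdict(list)
    for e in parse_object_nat(config):
        by_ip[(e["mapped_if"], e["mapped_ip"])].append(e)
    found = []
    for (_, ip), group in by_ip.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if overlaps(a, b):
                    found.append((ip, a["object"], b["object"]))
    return found


# Constructed sample: the original request, both DMZ hosts behind 60.50.40.1:22.
AMBIGUOUS = """
object network SRV1
 host 10.10.10.1
 nat (dmz,outside) static 60.50.40.1 service tcp 22 22
object network SRV2
 host 10.10.10.2
 nat (dmz,outside) static 60.50.40.1 service tcp 22 22
"""

# Constructed sample: the accepted answer's option 2, distinct mapped ports.
FIXED = """
object network SRV1
 host 10.10.10.1
 nat (dmz,outside) static 60.50.40.1 service tcp 22 22
object network SRV2
 host 10.10.10.2
 nat (dmz,outside) static 60.50.40.1 service tcp 22 2222
"""

# Constructed sample: a whole-IP static plus a static PAT on the same public IP.
MIXED = """
object network SRV1
 host 10.10.10.1
 nat (dmz,outside) static 60.50.40.1
object network SRV2
 host 10.10.10.2
 nat (dmz,outside) static 60.50.40.1 service tcp 22 2222
"""

if __name__ == "__main__":
    for name, cfg in (("ambiguous", AMBIGUOUS), ("fixed", FIXED), ("mixed", MIXED)):
        print(name, find_collisions(cfg) or "no collisions")
```

Run it against a saved `show running-config object` / `nat` excerpt before pushing migrated rules; an empty result means every public-side tuple resolves to exactly one real host, which is the condition the accepted answer describes.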

Yes I had similar thoughts too. But thought no harm to test this :-)

Wonder how it's possible in Check Point? I guess this is not possible at all in networks.

please do not forget to rate.

From a logical standpoint it is not possible in Check Point or any other firewall or router, as the requirement still stands that there needs to be a unique IP or unique port. Would need to see the Check Point configuration to understand the setup better. Perhaps the Check Point is performing load balancing between the servers.

--
Please remember to select a correct answer and rate helpful posts

Thanks for verifying. I am aware of how to do this with 1 IP and different ports, or different IPs and the same port. Wasn't sure if it was a weird Check Point load balancing thing.
The Check Point must be configured incorrectly.

Thanks
