Beginner

ASA 1 Public IP to 2 internal Servers using same ports

Hi, 

 

I am moving some rules from a Checkpoint firewall (R77.30) to a new ASA pair (9.8(2)28).

 

One of the rules I have seen has 2 internal hosts sharing the same external IP on the same ports.

Is there any way to do this on the Cisco?

 

e.g.

Outside interface 60.50.40.1 is NATted to DMZ hosts 10.10.10.1 and 10.10.10.2 on port 22 on the Checkpoint.

I can do this 

nat (outside,dmz) source static any any destination static NAT_IP_60.50.40.1 GRP-LAN-PUB no-proxy-arp 

GRP-LAN-PUB would include hosts 10.10.10.1 and 10.10.10.2 

 

Not sure that's going to work though.

 

Any thoughts would be helpful. 

 

Thanks 

Accepted Solution
VIP Advisor

Re: ASA 1 Public IP to 2 internal Servers using same ports

No, it is not possible, as the users accessing the servers need a way to differentiate which server they are accessing. There are two ways of doing this.

1. use different public IPs for the servers

2. use different ports 

--
Please remember to select a correct answer and rate helpful posts

VIP Engager

Re: ASA 1 Public IP to 2 internal Servers using same ports

That's interesting. Does the server have two NIC cards? Or is this a load balancer?

 

You can try, but I am not sure if they will work unless the second IP address is a kind of backup IP address.

 

Create an object group and bind these two IP addresses in this group. Also make sure your NAT rules are nat(dmz,outside), not nat(outside,dmz).

 

 

please do not forget to rate.
RJI (Advisor)

Re: ASA 1 Public IP to 2 internal Servers using same ports

Hi,
Not sure how that would work on the Check Point. Does it make 2 unique fake ports to the real port of 22, therefore making each connection unique?

You could do something like this:

! ASA 8.3+ syntax: the real (pre-NAT) host is defined as a network object
object network SRV1
 host 10.10.10.1
 ! real port 80 is presented on the shared public IP as port 180
 nat (inside,outside) static 1.1.1.1 service tcp 80 180
! inbound ACL references the real IP and real port (post-8.3 behaviour)
access-list OUTSIDE_IN permit tcp any host 10.10.10.1 eq 80

object network SRV2
 host 10.10.10.2
 ! same public IP, different mapped port (280) keeps the translation unique
 nat (inside,outside) static 1.1.1.1 service tcp 80 280
access-list OUTSIDE_IN permit tcp any host 10.10.10.2 eq 80

 

EDIT: the other option would be to create a source-based NAT.


HTH
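To make concrete why the layout above works while the one in the original question cannot, here is a small added model (not from this thread, and not an ASA feature) of how a firewall keys its static PAT (port-forwarding) table. It parses the "object network" / "nat ... static ... service" form used above, flags two real hosts claiming the same (mapped IP, protocol, mapped port) key, and shows that an inbound lookup on such a key has no unique answer. The function names, the collision check and both sample configs are constructed for this illustration.

```python
"""Model of ASA-style static PAT entries as a translation table.

Added example, not from the thread. It parses the 'object network' /
'nat (a,b) static <ip> service tcp <real> <mapped>' form shown in the reply
above and checks that no two real hosts share one (mapped IP, proto, mapped port)
key, which is the reason one public IP cannot front two servers on one port.
All names and the checking logic are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: the working layout from the reply (distinct mapped ports).
GOOD_CONFIG = """
object network SRV1
 host 10.10.10.1
 nat (inside,outside) static 1.1.1.1 service tcp 80 180
object network SRV2
 host 10.10.10.2
 nat (inside,outside) static 1.1.1.1 service tcp 80 280
"""

# Constructed sample: what the original question asks for (same IP, same port).
BAD_CONFIG = """
object network SRV1
 host 10.10.10.1
 nat (dmz,outside) static 60.50.40.1 service tcp 22 22
object network SRV2
 host 10.10.10.2
 nat (dmz,outside) static 60.50.40.1 service tcp 22 22
"""


@dataclass(frozen=True)
class PatEntry:
    name: str
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int


# Matches e.g. "nat (inside,outside) static 1.1.1.1 service tcp 80 180"
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\d+) (\d+)")


def parse_static_pat(config: str) -> list:
    """Collect one PatEntry per 'nat ... static ... service' line under a network object."""
    entries = []
    name = real_ip = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
            real_ip = None
        elif line.startswith("host "):
            real_ip = line.split()[1]
        else:
            m = NAT_RE.match(line)
            if m and name and real_ip:
                _, _, mapped_ip, proto, real_port, mapped_port = m.groups()
                entries.append(PatEntry(name, real_ip, mapped_ip, proto,
                                        int(real_port), int(mapped_port)))
    return entries


def find_collisions(entries) -> dict:
    """Map each (mapped_ip, proto, mapped_port) key claimed by more than one real host
    to the list of conflicting entries. An empty dict means the table is unambiguous."""
    by_key = {}
    for e in entries:
        by_key.setdefault((e.mapped_ip, e.proto, e.mapped_port), []).append(e)
    return {k: v for k, v in by_key.items() if len({e.real_ip for e in v}) > 1}


def translate_inbound(entries, dst_ip: str, proto: str, dst_port: int):
    """Return the unique (real_ip, real_port) an inbound packet would be sent to,
    or None when the key is unmapped or ambiguous (two hosts behind one key)."""
    real = {(e.real_ip, e.real_port) for e in entries
            if (e.mapped_ip, e.proto, e.mapped_port) == (dst_ip, proto, dst_port)}
    return real.pop() if len(real) == 1 else None


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        table = parse_static_pat(cfg)
        print(label, "collisions:", find_collisions(table))
```

Running it as a script prints no collisions for the first config and one collision on (60.50.40.1, tcp, 22) for the second; the same check, run over an exported NAT table before a migration, catches the ambiguous rule before it reaches the ASA.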

VIP Engager

Re: ASA 1 Public IP to 2 internal Servers using same ports

@RJI How about creating an object group and putting the hosts in that group instead of creating two network objects?

 

And I never heard you can map two RFC1918 IPs to one public IP with the same ports?

please do not forget to rate.
RJI (Advisor)

Re: ASA 1 Public IP to 2 internal Servers using same ports

No, you can't that I am aware of. My suggestion was to use 2 unique NATted IP addresses, or potentially you could create a source-based NAT.
VIP Advisor

Re: ASA 1 Public IP to 2 internal Servers using same ports

This is not possible. The servers themselves can listen on the same port, but clients on the internet would need to access these two servers on different ports.

--
Please remember to select a correct answer and rate helpful posts
VIP Engager

Re: ASA 1 Public IP to 2 internal Servers using same ports

@Marius Gunnerud I have not heard this either. Yes, you can change the port number, that's possible, but two internal IPs with the same port on one single public IP doesn't look possible?

please do not forget to rate.
VIP Engager

Re: ASA 1 Public IP to 2 internal Servers using same ports

Yes, I had similar thoughts too. But thought no harm to test this :-)

 

Wonder how it's possible in Check Point? I guess this is not possible at all in networks.

please do not forget to rate.
VIP Advisor

Re: ASA 1 Public IP to 2 internal Servers using same ports

From a logical standpoint it is not possible in CheckPoint or any other firewall or router, as the requirement still stands that there needs to be a unique IP or unique port. Would need to see the CheckPoint configuration to understand the setup better. Perhaps the CheckPoint is performing load balancing between the servers.

--
Please remember to select a correct answer and rate helpful posts
Beginner

Re: ASA 1 Public IP to 2 internal Servers using same ports

Thanks for verifying. I am aware of how to do this with 1 IP and different ports, or different IPs and the same port. Wasn't sure if it was a weird Checkpoint load balancing thing.
The Checkpoint must be configured incorrectly.

thanks