10-06-2010 06:23 PM - edited 03-11-2019 11:51 AM
Hi People,
I have trouble with static NAT statements on an ASA 5510. The scenario follows:
Public IP 1 => 1.1.1.1
Public IP 2 => 1.1.1.2
Internal cluster IP => 2.2.2.2
I need the ASA, when public connections arrive at the outside interface, to use static NAT to redirect them to the inside cluster host, which redistributes them to the server pool correctly, according to:
- connections to 1.1.1.1 TCP port 80, static NAT redirects to 2.2.2.2 port 80
- connections to 1.1.1.2 TCP port 80, static NAT redirects to 2.2.2.2 port 80
Currently I use proxy ARP on the outside interface to announce public IP 1 and 2.
The trouble is that when I configure the second NAT statement, the ASA doesn't allow it, because of a duplicate match on IP address/port.
My question: is it possible to create this scenario?
Thanks
Robertson
10-06-2010 08:04 PM
Hello,
Please try the following:
access-list pnat1 permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.1 80 access-list pnat1
access-list pnat2 permit tcp host 2.2.2.2 eq 80 any
static (inside,outside) tcp 1.1.1.2 80 access-list pnat2
Hope this helps.
Regards,
NT
10-07-2010 04:31 AM
OK, the firewall accepted the commands, but I believe that the ACL order is reversed.
1)
access-list pnat1 extended permit tcp host 2.2.2.2 eq www any
With this, the connection from 2.2.2.2 TCP port 80 is allowed to any.
2)
access-list pnat1 extended permit tcp any host 2.2.2.2 eq 80
With this, the connection NATed from the Internet is allowed to 2.2.2.2 port 80.
What's correct to create the NAT, 1 or 2?
Thanks again.
Robertson
** I haven't done any real test yet, only the configuration.
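The two problems raised in this thread, the ASA rejecting a second plain static for the same real ip/port, and the question of which way round a policy-NAT access-list is written, are both things a configuration linter can catch before the config is pasted in. The following Python script is an added example, not code from the thread or from Cisco: it parses pre-8.3 `static` and `access-list` lines in the form used above and reports duplicate plain statics, policy statics that reference an undefined access-list, and policy-NAT ACLs whose real host sits in the destination field instead of the source field (the form NT's answer uses puts the real host 2.2.2.2 as the source). The sample config is constructed from the thread's own addresses plus extra global IPs 1.1.1.3 to 1.1.1.5 as hypothetical values; only the `static`/`access-list` syntax variants shown on this page are parsed.

```python
"""Lint pre-8.3 ASA 'static' statements for duplicate plain statics and reversed policy-NAT ACLs.

Added example (not the thread's or Cisco's code). Parses only the 'static ... tcp GLOBAL PORT REAL PORT',
'static ... tcp GLOBAL PORT access-list NAME' and 'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]'
forms used in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the policy-NAT form from NT's answer (pnat1), the reversed ACL from the
# follow-up question (pnat2), two plain statics for the same real ip/port (the error the original
# poster hit), and a static that points at an ACL which does not exist. 1.1.1.3-1.1.1.5 are hypothetical.
SAMPLE_CONFIG = """
access-list pnat1 extended permit tcp host 2.2.2.2 eq www any
static (inside,outside) tcp 1.1.1.1 80 access-list pnat1
access-list pnat2 extended permit tcp any host 2.2.2.2 eq 80
static (inside,outside) tcp 1.1.1.2 80 access-list pnat2
static (inside,outside) tcp 1.1.1.3 80 2.2.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.4 80 2.2.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.5 80 access-list missing
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: str
    global_ip: str
    global_port: int
    real_ip: Optional[str] = None    # set for plain statics
    real_port: Optional[int] = None
    acl: Optional[str] = None        # set for policy (access-list) statics


@dataclass
class Ace:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(tok: str) -> int:
    """Translate a numeric port or one of the well-known ASA port names."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[int], int]:
    """Consume one address spec ('any', 'host X' or 'X MASK') plus an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = f"{tokens[i]}/{tokens[i + 1]}", i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return addr, port, i


def parse(config: str) -> Tuple[List[Static], Dict[str, List[Ace]]]:
    """Return the static statements and the access-lists (name -> entries) found in the config."""
    statics: List[Static] = []
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, proto, gip, gport, rest = m.groups()
            st = Static(real_if, mapped_if, proto, gip, _port(gport))
            toks = rest.split()
            if toks[0] == "access-list":
                st.acl = toks[1]
            else:
                st.real_ip, st.real_port = toks[0], _port(toks[1])
            statics.append(st)
            continue
        m = ACL_RE.match(line)
        if m:
            name, proto, rest = m.groups()
            toks = rest.split()
            src, sport, i = _endpoint(toks, 0)
            dst, dport, _ = _endpoint(toks, i)
            acls.setdefault(name, []).append(Ace(proto, src, sport, dst, dport))
    return statics, acls


def lint(config: str) -> List[str]:
    """Return one finding string per problem; an empty list means the config passed."""
    statics, acls = parse(config)
    findings: List[str] = []
    seen: Dict[Tuple[str, str, int], str] = {}  # (proto, real ip, real port) -> first global ip/port
    for st in statics:
        if st.acl is None:
            key = (st.proto, st.real_ip, st.real_port)
            if key in seen:
                findings.append(
                    f"duplicate: {st.real_ip}/{st.proto}/{st.real_port} is already translated to "
                    f"{seen[key]}; a second plain static for the same real ip/port is rejected. "
                    f"Use policy statics (access-list) so each global address has its own rule."
                )
            else:
                seen[key] = f"{st.global_ip}/{st.global_port}"
            continue
        aces = acls.get(st.acl)
        if not aces:
            findings.append(f"static {st.global_ip}/{st.global_port} references undefined access-list {st.acl}")
            continue
        for ace in aces:
            # A policy-NAT ACL describes the real (inside) traffic, so the real host is the source.
            if ace.src == "any" and ace.dst != "any" and ace.dport is not None:
                findings.append(
                    f"access-list {st.acl} looks reversed: the real host {ace.dst} belongs in the source "
                    f"field ('permit {ace.proto} host {ace.dst} eq {ace.dport} any')."
                )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the linter reports three findings: the reversed pnat2 entry, the duplicate plain static for 1.1.1.4, and the undefined access-list `missing`; the pnat1 pair from the accepted answer passes cleanly.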
10-07-2010 01:07 PM
You can't do what you are trying to achieve.
Two source IP addresses cannot be translated to one IP/port (2.2.2.2/80). The firewall would not be able to know where to send a packet that is destined to 2.2.2.2/80.
I hope it makes sense.
PK
10-07-2010 06:00 PM
Thanks PK, I'll try the first option. I believe that it will work. Any news, I'll post here.