09-06-2012 10:43 PM - edited 03-11-2019 04:51 PM
Hi,
We have the following flow:
LAN Server ( 192.168.100.5 & 100.11 ) -----> Switch -------> ASA ---------> Internet ------------> Destination Host
The ASA's outside interface has Internet IP 202.87.65.22
When both LAN servers initiate a connection to the remote destination host, they are only recognised at the destination with individual Internet IPs as given.
i.e., 192.168.100.5 is only recognised as 202.87.65.35 &
192.168.100.11 is only recognised as 202.87.65.36
The destination doesn't recognise the request if the source is not from the above Internet IPs.
How do I ensure and configure the ASA such that traffic from both these LAN servers goes out with their Internet IPs only, rather than taking the ASA's outside interface IP?
Please help.
09-06-2012 10:53 PM
Hello,
With Policy NAT (8.2) or Twice NAT with destination (on 8.3 or higher).
What version are you running?
Rate all the answers, that is more important for us than a thanks.
Regards,
Julio
09-06-2012 10:59 PM
It is running 8.2(2).
Appreciate it if I can get the steps to achieve it. Thanks.
09-06-2012 11:27 PM
Hello,
So let's go with Policy NAT, as your request is based on destination:
access-list test permit ip host 192.168.100.5 host destination_host_ip
nat (inside) 10 access-list test
global (outside) 10 202.87.65.35
access-list test2 permit ip host 192.168.100.11 host destination_host_ip
nat (inside) 11 access-list test2
global (outside) 11 202.87.65.36
Remember to rate all the answers,
Julio
09-06-2012 11:02 PM
Hi,
If you are using pre-8.3 code, then you would need the following configuration:
static (inside,outside) 202.87.65.35 192.168.100.5
static (inside,outside) 202.87.65.36 192.168.100.11
access-list outside_access_in permit ip any host 202.87.65.35
access-list outside_access_in permit ip any host 202.87.65.36
access-group outside_access_in in interface outside
You would only need the access-list if you also want the outside destination host to access your internal server.
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
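
Editor's added example (not part of any post in this thread): with the static translations above, `permit ip any` lets every Internet source reach both LAN servers on all IP protocols. The sketch below narrows the inbound rule to the one remote host and then checks the result. It assumes ASA 8.2 syntax, `destination_host_ip` is the thread's placeholder, and the ports 1025 and 443 are constructed sample values.

```cisco
! Added example, ASA 8.2 syntax. destination_host_ip is the thread's placeholder.
! As posted: any Internet source may reach both servers on every IP protocol.
!   access-list outside_access_in permit ip any host 202.87.65.35
!   access-list outside_access_in permit ip any host 202.87.65.36
!
! Narrowed: only the remote destination host may initiate inbound connections.
access-list outside_access_in extended permit ip host destination_host_ip host 202.87.65.35
access-list outside_access_in extended permit ip host destination_host_ip host 202.87.65.36
access-group outside_access_in in interface outside
!
! Verify the outbound translation and the inbound ACL decision
! (ports 1025 and 443 are assumed sample values).
packet-tracer input inside tcp 192.168.100.5 1025 destination_host_ip 443
packet-tracer input outside tcp destination_host_ip 1025 202.87.65.35 443
show xlate
```

If the broader `permit ip any` entries were already entered, remove them with the matching `no access-list` lines, since the narrowed entries alone do not override them.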