ASA Static PAT to multiple private IPs

Mokhalil82
Level 4

Hi 

I am in the process of replacing some WatchGuard firewalls with ASA firewalls. I have noticed a few static NAT rules on the WatchGuard using the same public IP address, but each NAT uses a different private IP address.

e.g.

98.98.98.1 > 192.168.10.1

98.98.98.1 > 192.168.10.5

98.98.98.1 > 192.168.10.20

98.98.98.1 > 192.168.10.44


How would I add this into an ASA? This is for external hosts trying to access internal servers on the one external IP but mapped to different internal IPs.

Would a standard PAT work, using the different internal IPs to PAT to the single external IP?

Thanks

Accepted Solution

jmattbullen
Level 1

You could PAT, say, ports 8080, 8081, etc. and translate them to 80 on the inside, but you'd need to make sure you set it up the same way as the WatchGuard. I assume WatchGuard does NAT the same way as the ASA and just reads down the list. With the way you describe it, unless there was something to differentiate the NATs, it would hit the first one only.

I would first check to see if all the 192.168.10.x hosts are even live. Most likely some are not if you are replacing an old firewall.

Secondly, would these IPs happen to be in a cluster? If so, I have had to do a static NAT to the VIP of the cluster so the outside world could talk to it, but then also do dynamic NAT for the individual cluster members. This is because the cluster members would use their own IP to initiate outbound traffic.

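As an added example (not from the thread or either poster), here is the port-forwarding layout the accepted answer describes, written in ASA 8.3+ object NAT syntax with the addresses from the question. The interface names "inside"/"outside", the 80 to 8080/8081/8082 port choices, and the cluster and outside-source addresses are assumptions.

```cisco
! One public IP (98.98.98.1) reaching four inside servers, differentiated by
! destination TCP port. Each object carries its own static NAT with a service
! translation, so the four rules never shadow each other.
! If 98.98.98.1 is the outside interface's own address, replace the mapped IP
! with the keyword "interface" (e.g. "static interface service tcp 80 8080").
object network SRV_10_1
 host 192.168.10.1
 nat (inside,outside) static 98.98.98.1 service tcp 80 80
object network SRV_10_5
 host 192.168.10.5
 nat (inside,outside) static 98.98.98.1 service tcp 80 8080
object network SRV_10_20
 host 192.168.10.20
 nat (inside,outside) static 98.98.98.1 service tcp 80 8081
object network SRV_10_44
 host 192.168.10.44
 nat (inside,outside) static 98.98.98.1 service tcp 80 8082
!
! Post-8.3 ACLs match the real (untranslated) address and port, so the
! outside ACL permits TCP/80 to each inside server, not 98.98.98.1:808x.
! Listing only these four entries keeps every other inside host unreachable.
access-list OUTSIDE_IN extended permit tcp any object SRV_10_1 eq 80
access-list OUTSIDE_IN extended permit tcp any object SRV_10_5 eq 80
access-list OUTSIDE_IN extended permit tcp any object SRV_10_20 eq 80
access-list OUTSIDE_IN extended permit tcp any object SRV_10_44 eq 80
access-group OUTSIDE_IN in interface outside
!
! Cluster case from the accepted answer: static NAT for the VIP so outside
! hosts can reach it, plus dynamic PAT so members that initiate outbound
! traffic from their own addresses are translated too. 192.168.10.50-.52 and
! 98.98.98.2 are constructed sample values.
object network CLUSTER_VIP
 host 192.168.10.50
 nat (inside,outside) static 98.98.98.2
object network CLUSTER_MEMBERS
 range 192.168.10.51 192.168.10.52
 nat (inside,outside) dynamic interface
!
! Verification: list the resulting rules and their hit counts, then trace a
! simulated outside connection to 98.98.98.1:8081. The trace should show the
! NAT phase rewriting the destination to 192.168.10.20:80 and a final ALLOW.
! 203.0.113.10 is a constructed source address.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 98.98.98.1 8081
```

Running the same packet-tracer against a port that has no rule (for example 8083) should end in DROP at the ACL phase, which is the quick way to confirm the old WatchGuard entries for dead hosts were not carried over.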


Thanks

I will go through and see what hosts are actually live; it looks like many old rules, so I'll tidy them up before moving further. I am ordering a new, larger external IP address range, so I may just NAT them out to individual IPs instead of doing the port address translations.
