05-20-2009 04:27 PM - edited 03-11-2019 08:34 AM
Hello All,
I have a public IP and port (1.1.1.1:80) that is translated to a private IP:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
The ACL applied inbound on the outside interface permits any hosts to 1.1.1.1:80.
My question is: can I policy-translate the destination IP:port for outside clients that match specified subnets? (i.e. hosts coming from 2.2.2.0/8 to 1.1.1.1:80 are translated to 1.1.1.2:81)
(Any necessary static and ACL additions would be performed.)
Thanks,
Christopher
05-21-2009 12:59 AM
I don't understand why you would want to do this if both public IPs are in the same range?
If they are, then just have a static NAT to 1.1.1.2:81 and limit access to it with an ACL?
05-22-2009 03:12 PM
Basically, the public IP is advertised in DNS, and could be hard-coded in an application. However, depending on the client source IP, they may need to be serviced by a different backend server.
05-21-2009 10:01 AM
I don't understand.
Do you need that clients from 2.2.2.0 be mapped to 192.168.1.1 and clients from 3.3.3.0 mapped to 192.168.1.22 for example?
05-21-2009 10:10 AM
Yes, that's basically it. Both sets of clients would attempt to connect to 1.1.1.1:80 (for example), but their true destination IP:port would be decided based on their source IP. Does that help clarify?
05-21-2009 10:12 AM
I am preparing the lab, if the phone doesn't ring, I will tell you my results in a few hours.
05-21-2009 11:23 AM
After reading, trying and remembering, the answer is:
NO, you can't map an IP:port to two different IP:port destinations.
If you can't change the destination IP:port, maybe you can do a DNS trick or something like that.
05-21-2009 03:13 PM
Thanks. I did some basic reading/trying and couldn't see it happening, but it was an odd case and you never know...
05-21-2009 03:18 PM
This kind of policy NAT and balanced internet connection are two of the most important missing ASA features.
Thanks for rating.
05-22-2009 12:19 AM
The solution to your problem is to use Checkpoint :-)
05-22-2009 08:06 AM
Oh OK :)
We could perform this stuff post-ASA (i.e. on an F5 BIG-IP), but that equipment isn't in place at the moment. I was hoping that the ASA had a couple more features than the thousands it already possessed!