Showing results for 
Search instead for 
Did you mean: 

ASA virtual IP concept

Level 1
Level 1

Coming from a netscreen/junos background...


For allowing access to the inside from a DMZ IP I'd usually configure a VIP using an IP in the DMZ network that would map/nat to an IP on the inside interface and apply the appropriate acl/policies to that mapping. This would keep, somewhat, our internal IP schema from DMZ assets...less info is better, right?


I can't for the life of me figure out how to do this on the ASA. All the examples I find just do a typical NAT to where the DMZ server communicates directly with your internal IP. 


It looks like to create any virtual IP you have to create a subinterface and then configure the NAT and ACLs to that. Is that how to do this on an ASA? It just didn't seem right to me.


ASA 5516X running 9.10



3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Try something like this 1-1 static NAT rule:


nat (inside,dmz) source static <original inside source IP> <original source ip> destination static <NAT address using an unused DMZ address> <NAT address using an unused DMZ address>

...and then allow access to the original source IP in an access-list that's applied inbound on the DMZ interface.

What if the Inside IP is not on an Interface directly?  I need to do something similar where I need to have a Public IP mapped to an IP Internally that is a Hop away from the ASA so the ASA does not have an interface in the Subnet. It can get to the Subnet and the AnyConnect Clients can. Just not sure how to NAT to an IP that is not Local to the ASA. 


As long as the ASA has a route to the internal subnet (and vice versa), there's no issue NATting that way. In fact, that's more often than not the case with any ASA deployment that services more than a single internal subnet.

Review Cisco Networking for a $25 gift card