Conditional Nat on an ASA

bart.mollemans
Level 1

A practical dilemma led me here:

A customer has several remote sites which each have a PC that connects to a virtual IP in the HQ LAN, which in turn is NATted to a real HQ server IP on the ASA. Now the need has risen to NAT a specific group of remote sites to a different real HQ server IP...

My current workaround is a hardware load balancer, but imho there should be a nice/clean Cisco (NAT) alternative...no?

For a visual clarification, please see my attached Visio.

Many thanks for any hints or suggestions you might have,

Bart

8 Replies

Collin Clark
VIP Alumni

Bart-

Can the remote offices that need to point to the new server, point to a new NAT address or do they have to point to 4.4.4.3?

This was my first question too, but the devices at the remote sites are in fact a type of appliance that requires (costly) 3rd-party intervention if we need to change a system setting, plus there are over 600 remote sites... so no...

Create object groups to more easily manage which remote sites need the server NATted to which IP - then you can use the same object groups to configure your standard interface ACLs.

In this example, 192.168.1.1 is the internal IP of the server. The 31.x.x.x addresses are the NATted IPs.

access-list nat1_acl permit ip host 192.168.1.1 object-group remote_sites_A

access-list nat2_acl permit ip host 192.168.1.1 object-group remote_sites_B

static (inside,outside) 31.1.1.1 access-list nat1_acl

static (inside,outside) 31.1.1.2 access-list nat2_acl

Thanx for the reply, but this does not tackle the issue at hand.

I have 2 internal servers (a, b) that need to be reached on a virtual IP c.

If IP address group X connects to address c, the NATting should lead them to internal server a. Additionally, when address group Y connects to address c, the ASA NATting should lead them to internal server b...

my bad.

how about:

access-list nat1_acl permit ip host 192.168.1.a object-group X

access-list nat2_acl permit ip host 192.168.1.b object-group Y

static (inside,outside) 31.1.1.1 access-list nat1_acl

static (inside,outside) 31.1.1.1 access-list nat2_acl

Perhaps indeed... I was just staring myself blind at the ASDM GUI. In the command line this makes perfect sense. So in effect we have 2 static policy NATs with, for the original source, 192.168.1.a (192.168.1.b for the 2nd packet), and original destination object group siteA (siteB for the 2nd packet). And on the outside interface a translated address of 31.1.1.1. Thx, I'll try and let you know. Sure.
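For reference, the same split expressed in ASA 8.3+ twice-NAT syntax, as an added example that is not part of the thread; object names, the 192.168.1.10/.20 server addresses and the 10.x remote-site ranges are constructed placeholders, and the packet-tracer lines are the check that each site group hits the intended rule.

```cisco
! Constructed values: replace with the real HQ server and remote-site addressing.
object network HQ_SERVER_A
 host 192.168.1.10
object network HQ_SERVER_B
 host 192.168.1.20
object network VIP_C
 host 31.1.1.1
object-group network REMOTE_SITES_X
 network-object 10.10.0.0 255.255.255.0
 network-object host 10.11.0.5
object-group network REMOTE_SITES_Y
 network-object 10.20.0.0 255.255.255.0

! Twice NAT, matched top-down. Traffic entering "outside" from group X destined to
! VIP_C gets its destination rewritten to server A; group Y goes to server B.
! The source is identity-translated (same object twice) so remote addresses are untouched.
! Destination objects are listed mapped first, then real.
nat (outside,inside) source static REMOTE_SITES_X REMOTE_SITES_X destination static VIP_C HQ_SERVER_A
nat (outside,inside) source static REMOTE_SITES_Y REMOTE_SITES_Y destination static VIP_C HQ_SERVER_B

! In 8.3+ the interface ACL is evaluated against the REAL (post-NAT) server address,
! so permit the real servers, scoped to the same site groups so nothing else reaches them.
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_SITES_X object HQ_SERVER_A eq 443
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_SITES_Y object HQ_SERVER_B eq 443
access-group OUTSIDE_IN in interface outside

! Checks: see hit counts per rule, then trace one host from each group plus one from
! neither group (10.30.0.7) to confirm it gets no translation and is dropped by the ACL.
show nat detail
packet-tracer input outside tcp 10.10.0.7 40000 31.1.1.1 443
packet-tracer input outside tcp 10.20.0.7 40000 31.1.1.1 443
packet-tracer input outside tcp 10.30.0.7 40000 31.1.1.1 443
```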

Is there a gateway device at each remote office that could NAT?

Sir,

Indeed, that was my 3rd preferred solution.

My second preferred is the one I have set up now; I had a spare F5 LB lying around and put it to use :)

The most preferred one is of course to have it all cleanly configured in one device: the ASA. Cisco has got to have a way to do this...

Check Point and Juniper can all do this type of packet-crafting, perhaps I'm just overlooking something obvious.
