Hiding two networks with NAT

Greg Dickinson
Level 1

Hi everyone,

I have a problem I've never run up against before, and don't even know what to call it so I'm going to say I'm hiding two hosts from each other using NAT :)  Here's the situation:

I have two mail servers on two different networks in my data center, that need to exchange mail directly with each other, and not go over the internet (they are for two companies owned by the same owner, but there needs to be a level of separation between them).  I have an ASA 5505 sitting between these networks, configured as such:

Inside interface: 10.189.131.126

Outside interface: 10.250.1.251

The mail server IPs are:

Server A: 10.189.128.30 (behind the "Inside" interface)

Server B: 10.250.1.111

Basically, these two mail servers need to communicate with each other, but not with their real addresses.  So essentially, when Mail Server A connects to the IP 10.189.131.130 it needs to be translated to 10.250.1.30, and vice versa.  If we can limit it to port 25 I could even use the interface IPs if that makes it simpler.

Is this even possible?  How would one go about doing it? :)

Thanks in advance.

Accepted Solution

ahmedshoaib
Level 4

Hi;

Please find the Cisco ASA firewall NATing for OS version 8.2(1) as per your requirement:

Static NAT:

static (inside,outside) 10.250.1.30 10.189.131.130 netmask 255.255.255.255


To restrict the communication on port 25:

access-list OUT-IN extended permit tcp host 10.250.1.111 host 10.250.1.30 eq 25

access-group OUT-IN in interface outside


Thanks & Best regards;

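A full two-direction version of the accepted answer for the addresses in the question, as an added example that is not part of the accepted answer or the original post. It assumes the interface names are `inside` and `outside` as in the accepted answer, that 10.250.1.30 lies in the outside interface's subnet and 10.189.131.130 in the inside interface's subnet (so the ASA can proxy-ARP for the mapped addresses), and 8.2(1) semantics, where an interface ACL is evaluated before un-NAT and therefore matches the destination as the sender addressed it (the mapped address). The `IN-OUT` ACL name and the decision to filter the inside side are assumptions, added because the question asks to limit the flow to port 25.

```cisco
! ASA 8.2(1) syntax. Static NAT in both directions so that each mail server
! only ever sees the other's mapped address, never its real one.

! Server A (real 10.189.128.30, inside) appears on the outside network as 10.250.1.30.
static (inside,outside) 10.250.1.30 10.189.128.30 netmask 255.255.255.255

! Server B (real 10.250.1.111, outside) appears on the inside network as 10.189.131.130.
static (outside,inside) 10.189.131.130 10.250.1.111 netmask 255.255.255.255

! Outside -> inside: only Server B, only to Server A's mapped address, only TCP/25.
! Pre-8.3 ACLs are checked before un-NAT, so the destination is the mapped 10.250.1.30.
access-list OUT-IN extended permit tcp host 10.250.1.111 host 10.250.1.30 eq 25
access-group OUT-IN in interface outside

! Inside -> outside: the mirror image, filtering on Server B's mapped address.
! Assumed: the inside interface has no ACL today. Applying one replaces the default
! permit for inside-to-outside traffic, so every other inside flow that must cross
! this ASA needs its own permit line here before this is committed.
access-list IN-OUT extended permit tcp host 10.189.128.30 host 10.189.131.130 eq 25
access-group IN-OUT in interface inside
```

Check both directions before handing it over: `packet-tracer input inside tcp 10.189.128.30 1025 10.189.131.130 25` and `packet-tracer input outside tcp 10.250.1.111 1025 10.250.1.30 25` walk through the ACL and NAT phases and print the translated addresses, and `show xlate` should list both static translations. On the mail servers themselves, relay permissions and any sender restrictions must reference the mapped addresses (Server A receives from 10.189.131.130, Server B from 10.250.1.30), since the real addresses never appear on the far side. One more thing to check if the servers can connect but fail to negotiate: the default global policy on 8.2 includes `inspect esmtp`, which can interfere with EHLO extensions such as STARTTLS unless that inspection is adjusted or removed for this flow.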

5 Replies

Hi Greg,

I hope you are fine. Yes, that can be achieved, but I would like to know which software version you are running on the ASA.

I am running version 8.2(1)

Any ideas how to pull this off? I'm beating my head against the wall over here :)

kvaldelo
Level 1

Hi Greg,

You can use static policy NAT to meet the requirement: when an IP wants to communicate with a specific server, translate the IP to a different IP.

An example here:

When host 192.168.1.1 goes to 172.16.10.1 translate the IP to 10.200.192.56

access-list NAT permit tcp host 192.168.1.1 host 172.16.10.1 eq 443

static (inside,outside) 10.200.192.56 access-list NAT

