02-15-2012 12:31 PM - edited 03-11-2019 03:30 PM
Is it possible to set up NAT translations to do the following on our
ASAs?
1) Have an external address (5.1.1.1) associated with an internal address (192.168.1.10)
so that any externally initiated internet traffic directed to 5.1.1.1 gets redirected
internally by the ASA to 192.168.1.10, and...
2) At the same time, associate the same external address (5.1.1.1) with a different
internal address (192.168.1.100) so that any traffic initiated internally from
192.168.1.100 outbound to the internet gets NATTed with source address 5.1.1.1 by the ASA.
Basically we want the two to coexist, so that outside users initiating traffic to 5.1.1.1
always get directed to 192.168.1.10, while at the same time having any outbound traffic to
the outside world initiated from server 192.168.1.100 to get NATted to the same outside
address 5.1.1.1.
I am wondering if using policy NAT would allow the two to coexist but cannot find any
examples showing this....
02-15-2012 01:01 PM
Hello Jshapura,
No, you cannot map 1 public IP address to 2 different hosts.
Regards,
Julio
02-15-2012 05:11 PM
Hi,
With policy NAT, I guess you can PAT 5.1.1.1 to 2 internal IPs while allowing outside users to hit one of the servers. Try the below...
access-list test extended permit ip host 192.168.1.10 any
access-list test extended permit ip host 192.168.1.100 any
nat (inside) 1 access-list test
global (outside) 1 5.1.1.1
nat (inside) 2 0 0
global (outside) 2 interface
NAT 2 is for the rest of your internal hosts. If you already have NAT ID 1 with internal hosts, add this as NAT 2 and it should work.
Your access list from outside to inside stays the same.
You may need to remove existing static (inside,outside) for 192.168.1.10 and clear the existing xlate.
Hope I understood your requirement correctly.
Thx
MS
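The answer above relies on the fact that a stateful firewall consults its translation (xlate) and connection tables before it evaluates NAT rules for a new connection, which is what lets a static inbound mapping and an outbound PAT share one public address. The following is an added example, not code from the thread or from Cisco: a constructed Python model of that lookup order using the thread's addresses (5.1.1.1, 192.168.1.10, 192.168.1.100) plus made-up outside hosts from documentation ranges. The `xlate_first` switch is an assumption of the model only, there to show what would go wrong if the static rule were matched before the xlate table.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP 5-tuple (protocol omitted for brevity)."""
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Toy model (not ASA code) of a stateful NAT gateway sharing one public IP.

    static_inbound: public IP -> inside host that gets all unsolicited inbound
                    connections (the "static" mapping from the question).
    pat_hosts:      inside hosts whose outbound traffic is PATed to pat_address.
    xlate_first:    consult the xlate table before the static rule, as a
                    stateful firewall does. False is a hypothetical mode that
                    shows why the two mappings could not otherwise coexist.
    """

    def __init__(self, static_inbound: Dict[str, str], pat_hosts: Set[str],
                 pat_address: str, xlate_first: bool = True) -> None:
        self.static_inbound = dict(static_inbound)
        self.pat_hosts = set(pat_hosts)
        self.pat_address = pat_address
        self.xlate_first = xlate_first
        self._next_port = 1024
        # (mapped ip, mapped port) -> (inside ip, inside port)
        self.xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, flow: Flow) -> Flow:
        """Translate an inside-initiated packet and record its xlate."""
        if flow.src in self.pat_hosts:
            mapped = (self.pat_address, self._alloc_port())
            self.xlates[mapped] = (flow.src, flow.sport)
            return Flow(mapped[0], mapped[1], flow.dst, flow.dport)
        # A host behind a one-to-one static keeps its own mapping outbound.
        for public, inside in self.static_inbound.items():
            if inside == flow.src:
                return Flow(public, flow.sport, flow.dst, flow.dport)
        raise ValueError(f"no NAT rule for {flow.src}")

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate an outside packet; None means no rule matched (dropped)."""
        lookups = (self._match_xlate, self._match_static)
        if not self.xlate_first:
            lookups = (self._match_static, self._match_xlate)
        for lookup in lookups:
            result = lookup(flow)
            if result is not None:
                return result
        return None

    def _match_xlate(self, flow: Flow) -> Optional[Flow]:
        # Return traffic for an existing PAT session: keyed on mapped ip:port.
        inside = self.xlates.get((flow.dst, flow.dport))
        if inside is None:
            return None
        return Flow(flow.src, flow.sport, inside[0], inside[1])

    def _match_static(self, flow: Flow) -> Optional[Flow]:
        # Unsolicited inbound connection: every port of the public IP goes
        # to the statically mapped inside host.
        inside_ip = self.static_inbound.get(flow.dst)
        if inside_ip is None:
            return None
        return Flow(flow.src, flow.sport, inside_ip, flow.dport)

    def _alloc_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port


def demo(xlate_first: bool = True) -> Dict[str, Optional[Flow]]:
    """Run the three packets from the question through the model."""
    nat = StatefulNat({"5.1.1.1": "192.168.1.10"}, {"192.168.1.100"},
                      "5.1.1.1", xlate_first=xlate_first)
    # 1) 192.168.1.100 opens a connection to the internet (constructed peer).
    out = nat.outbound(Flow("192.168.1.100", 40000, "203.0.113.7", 443))
    # 2) The peer replies to the PATed source address and port.
    reply = nat.inbound(Flow("203.0.113.7", 443, out.src, out.sport))
    # 3) An unrelated outside host connects to 5.1.1.1:80.
    unsolicited = nat.inbound(Flow("198.51.100.9", 51515, "5.1.1.1", 80))
    return {"outbound": out, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"xlate_first={mode}")
        for name, flow in demo(mode).items():
            print(f"  {name}: {flow}")
```

With `xlate_first=True` the reply to the PAT session lands on 192.168.1.100 and the unsolicited connection lands on 192.168.1.10, which is exactly the coexistence the question asks for. With the hypothetical static-first order, the reply is handed to 192.168.1.10 on the mapped port, so the outbound session from 192.168.1.100 breaks; this is why the stateful lookup order matters more than the NAT syntax itself.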
02-16-2012 12:31 AM
Interesting question but a number of suggestions for you.
Read about DNS doctoring.
Do NLB internally for the two machines, possible through a Cisco ACE or an older Cisco CSS box!
And always remember, when a user has a session using link A to machine A, it must get back to the originator using the same link and cannot use link B or machine B to send the request backward!
Kamran
Sent from Cisco Technical Support iPad App