
Is this the correct way to NAT to two different interfaces in ASA 8.4(2)?

colin.nguyen
Level 1

We just upgraded our ASA 5520 from 8.2 to 8.4(2) and I am just now getting familiar with the new config. We have an inside, outside, and DMZ interface. There is a web server in the DMZ with IP 10.6.129.5. I would like to NAT this address to a public internet IP that we own, so that users coming in from the outside can hit it. Let's say that the public IP on the outside is 172.16.129.5. I would also like my Inside users on the private LAN who are trying to hit 172.16.129.5 to accomplish the same thing as users coming from the Outside. So is this a supported config?

object network obj-10.6.129.5
    host 10.6.129.5
object network obj-10.6.129.5-01
    host 10.6.129.5
object network obj-10.6.129.5
    nat (dmz,outside) static 172.16.129.5
object network obj-10.6.129.5-01
    nat (dmz,inside) static 172.16.129.5
access-list acl-outside extended permit tcp any host 10.6.129.5 eq 80
access-list acl-inside extended permit tcp any host 10.6.129.5 eq 80

When I enter the config into the ASA, it took the commands and everything works as desired. But I remember from the PIX world that NATing the same address to two different interfaces on the firewall causes intermittent problems. I would just like to know if what I am doing here on the ASA 8.4(2) is a supported config. Thanks.

1 Reply

Julio Carvajal
VIP Alumni

Hello Colin,

Yes, this is supported. The configuration is fine; you are not going to have problems with that.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
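
As an added example (not part of the thread and not Cisco code): a small Python audit of the posted configuration. It lists the interfaces each mapped address is published on and flags any ACE that still names the mapped address, since from ASA 8.3 onward interface ACLs match the real (untranslated) address. The `acl-legacy` line is constructed for illustration, and the parser handles only the object NAT and ACE forms shown in the post.

```python
import re
from collections import defaultdict

# The poster's configuration, plus one constructed ACE (acl-legacy) written
# pre-8.3 style against the mapped address, to show what the check catches.
CONFIG = """\
object network obj-10.6.129.5
    host 10.6.129.5
object network obj-10.6.129.5-01
    host 10.6.129.5
object network obj-10.6.129.5
    nat (dmz,outside) static 172.16.129.5
object network obj-10.6.129.5-01
    nat (dmz,inside) static 172.16.129.5
access-list acl-outside extended permit tcp any host 10.6.129.5 eq 80
access-list acl-inside extended permit tcp any host 10.6.129.5 eq 80
access-list acl-legacy extended permit tcp any host 172.16.129.5 eq 80
"""

NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) static (\S+)")
# Only the "permit <proto> any host <ip>" ACE form used in the post is handled.
ACE_RE = re.compile(r"access-list (\S+) extended permit \S+ any host (\S+)")

def parse_static_nat(config):
    """Map each mapped IP to [(real_ip, real_if, mapped_if), ...]."""
    hosts, rules, current = {}, defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
        elif (m := NAT_RE.match(line)) and current in hosts:
            rules[m.group(3)].append((hosts[current], m.group(1), m.group(2)))
    return dict(rules)

def audit_aces(config):
    """Return (acl, mapped_ip, real_ip) for ACEs that name a mapped address."""
    rules = parse_static_nat(config)
    findings = []
    for acl, dest in ACE_RE.findall(config):
        for real_ip in sorted({r[0] for r in rules.get(dest, [])}):
            findings.append((acl, dest, real_ip))
    return findings

if __name__ == "__main__":
    for mapped, pubs in parse_static_nat(CONFIG).items():
        print(mapped, "is published on", sorted(p[2] for p in pubs))
    for acl, mapped, real in audit_aces(CONFIG):
        print(f"{acl}: names mapped {mapped}; 8.3+ ACLs match real {real}")
```

The poster's own two ACEs pass the check because they already name the real address 10.6.129.5; only the constructed `acl-legacy` entry is reported.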