NAT configuration - two internal IPs to one public IP with different ports

Hello,

In our demo lab we have one Exchange server and one web server. We got a block of public IP addresses from our provider.

I want to use one public IP for NAT for both servers.

Exchange Server has 172.18.220.10

Web Server has 172.18.220.11

Both are NATed to public IP x.x.x.83 (inside to outside). This IP is not the outside IP of the ASA.

From outside, HTTP/HTTPS for the web server and SMTP for Exchange are open.

When the NAT rule is active, I get the following message on my ASA: "Deny IP due to Land Attack from x.x.x.83 to x.x.x.83"

My NAT configuration is below.

object network GSCMUC-Exch-WebSrv
 range 172.18.220.10 172.18.220.11

object-group service DM_INLINE_TCP_16 tcp
 port-object eq 587
 port-object eq www
 port-object eq https
 port-object eq smtp

access-list outside_access_in extended permit tcp any object GSCMUC-Exch-WebSrv object-group DM_INLINE_TCP_16

object network GSCMUC-Exch-WebSrv
 nat (DMZ-VLAN1820,outside) static x.x.x.83 net-to-net

I don't know if the configuration is correct. Any ideas?

Regards

Matthias

Accepted Solutions

Shivapramod M
Level 1

Hi Matthias,

As per my understanding, you have one outside IP and multiple inside IPs, and you would like to translate using the ports. Please correct me if my understanding of the issue is wrong.

You can configure the NAT like below.

! Web server (172.18.220.11): HTTP
object network GSCMUC-Exch-WebSrv
 host 172.18.220.11
 nat (DMZ-VLAN1820,outside) static x.x.x.83 service tcp 80 www

! Web server (172.18.220.11): HTTPS
object network GSCMUC-Exch-WebSrv-https
 host 172.18.220.11
 nat (DMZ-VLAN1820,outside) static x.x.x.83 service tcp 443 443

! Exchange server (172.18.220.10): SMTP
object network GSCMUC-Exch-smtp
 host 172.18.220.10
 nat (DMZ-VLAN1820,outside) static x.x.x.83 service tcp 25 25

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
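
As an added example (not part of the original thread, and not Cisco tooling), this Python check reads ASA object-NAT stanzas and reports where several real hosts share one mapped address with no per-port `service` clause, or where two rules claim the same mapped port. `QUESTION_CFG` is the rule from the question, `ANSWER_CFG` is constructed in the style of the answer above, and the function names and the `PORT_NAMES` table are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}  # ASA port keywords used on this page
NAT_RE = re.compile(r"nat \(\S+,\S+\) static (\S+)(?: service (\w+) \S+ (\S+))?")
# The question's rule as posted (its two object stanzas merged into one).
QUESTION_CFG = """\
object network GSCMUC-Exch-WebSrv
 range 172.18.220.10 172.18.220.11
 nat (DMZ-VLAN1820,outside) static x.x.x.83 net-to-net
"""
# Constructed: per-port rules in the style of the answer, hosts as the question lists them.
ANSWER_CFG = """\
object network GSCMUC-Exch-WebSrv
 host 172.18.220.11
 nat (DMZ-VLAN1820,outside) static x.x.x.83 service tcp 80 www
object network GSCMUC-Exch-smtp
 host 172.18.220.10
 nat (DMZ-VLAN1820,outside) static x.x.x.83 service tcp 25 25
"""

def parse(config):
    """Yield (object, real_address_count, mapped_ip, proto, mapped_port) per static rule."""
    name, reals = None, defaultdict(lambda: 1)  # a 'host' object holds one address
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
        elif tok[:1] == ["range"]:
            lo, hi = (int(ipaddress.ip_address(t)) for t in tok[1:3])
            reals[name] = hi - lo + 1
        elif m := NAT_RE.search(line):
            ip, proto, port = m.groups()
            # Normalise keywords so 'smtp' and '25' compare equal; None = no service clause.
            yield name, reals[name], ip, proto, port and str(PORT_NAMES.get(port, port))

def audit(config):
    """Return findings; an empty list means every mapped port has exactly one owner."""
    findings, owners = [], defaultdict(list)
    for name, count, ip, proto, port in parse(config):
        if port is None and count > 1:
            findings.append(f"{name}: {count} real hosts share {ip} with no service clause")
        elif port is not None:
            owners[(ip, proto, port)].append(name)
    for (ip, proto, port), names in owners.items():
        if len(names) > 1:
            findings.append(f"{ip} {proto}/{port} claimed by {', '.join(names)}")
    return findings
```

`audit(QUESTION_CFG)` returns one finding for the range object, and `audit(ANSWER_CFG)` returns an empty list.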

Hi Shivapramod,

Thanks for your answer so quickly. I changed the configuration and it looks good.

I think so, because I get no messages about "Deny IP due to Land Attack from x.x.x.83 to x.x.x.83"

Thanks for your help. :)
