Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
953
Views
0
Helpful
3
Replies

NAT on multihoming edge ASA

yuening liao
Level 1
Level 1

‎08-17-2011 12:16 AM - edited ‎03-11-2019 02:12 PM

hello

as following topology showing, we have multiple public addresses from different ISP. now we need map those public ( inside global ) addresses to single private ( inside local ) address, which assigned to a server, so that user from internet can reach this server.

the public address is 7.7.7.7, 8.8.8.8, 9.9.9.9.

xxxxxx.png

the nat config is:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

after user ping those pubic addresses, the show nat outside displayed that the nat seems work well

ciscoasa(config)# sh nat outside

  match ip outside host 20.0.0.200 inside any

    static translation to 10.0.0.2

    translate_hits = 20, untranslate_hits = 0

but ping still failed

p.s., i have configured icmp inspection and static route for traffic destined to those public addresses also added.

S    7.7.7.7 255.255.255.255 [1/0] via 10.0.0.100, inside

S    8.8.8.8 255.255.255.255 [1/0] via 10.0.0.100, inside

S    9.9.9.9 255.255.255.255 [1/0] via 10.0.0.100, inside

thanks for your reply!

Labels:
0 Helpful
3 Replies 3

varrao
Level 10
Level 10

‎08-17-2011 01:18 AM

Hi,

If I understand it correctly, you have 3 ISP connections on the terminated on to the outside interface of the ASA (R2,R3,R4)???

You want to map the internal host 20.0.0.200 to three different public ip's ( 7.7.7.7, 8.8.8.8, 9.9.9.9)???

Well on the ASA you cannot do policy based routing and can only have one default route on the ASA, so this might be tough, moreover can you explain me, y do you have this nat:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

Please be aware that the return packets would always be directed towards the default gateway.

It would be helpful if you can provide  your config from ASA.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

yuening liao
Level 1
Level 1
In response to varrao

‎08-17-2011 02:24 AM

Hi Varun,

thanks for your reply, the 7.7.7.7, 8.8.8.8, 9.9.9.9 is our public ip, but 20.0.0.200 is the connected address of  R2, which represents a user from internet.

pls find the config of ASA

112013-show results.txt.zip
0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to yuening liao

‎08-31-2011 12:41 PM

Hi,

Your requirement is still confusing. You mention you want outside users to be able to access an inside server using 3 different IP addresses (7.7.7.7, 8.8.8.8 and 9.9.9.9).

If that's your requirement, on ASA 8.2 unfortunately that's not really possible though there is a way to "fool" the firewall to get it working:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

frankly, i have seen this to not work in quite a few occasions. Are you going to perform NAT on the ASA or on an inside router? If it's on the ASA, you do not need the following routes:

route inside 7.7.7.7 255.255.255.255 10.0.0.100 1

route inside 8.8.8.8 255.255.255.255 10.0.0.100 1

route inside 9.9.9.9 255.255.255.255 10.0.0.100 1

Regards,

Prapanch

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card