yuening liao
Beginner

NAT on multihoming edge ASA

Hello,

As the following topology shows, we have multiple public addresses from different ISPs. Now we need to map those public (inside global) addresses to a single private (inside local) address, which is assigned to a server, so that users from the internet can reach this server.

The public addresses are 7.7.7.7, 8.8.8.8, 9.9.9.9.

[Image: topology diagram, xxxxxx.png]

The NAT config is:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

After a user pings those public addresses, the show nat outside output indicates that the NAT seems to work well:

ciscoasa(config)# sh nat outside

  match ip outside host 20.0.0.200 inside any

    static translation to 10.0.0.2

    translate_hits = 20, untranslate_hits = 0

But the ping still failed.

P.S. I have configured ICMP inspection, and static routes for traffic destined to those public addresses have also been added.

S    7.7.7.7 255.255.255.255 [1/0] via 10.0.0.100, inside

S    8.8.8.8 255.255.255.255 [1/0] via 10.0.0.100, inside

S    9.9.9.9 255.255.255.255 [1/0] via 10.0.0.100, inside

Thanks for your reply!

3 REPLIES 3
varrao
Advocate

Hi,

If I understand it correctly, you have 3 ISP connections terminated on the outside interface of the ASA (R2, R3, R4)???

You want to map the internal host 20.0.0.200 to three different public IPs (7.7.7.7, 8.8.8.8, 9.9.9.9)???

Well, on the ASA you cannot do policy-based routing and can only have one default route, so this might be tough. Moreover, can you explain to me why you have this NAT:

static (outside,inside) interface 20.0.0.200 netmask 255.255.255.255

Please be aware that the return packets would always be directed towards the default gateway.

It would be helpful if you can provide your config from the ASA.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your reply. 7.7.7.7, 8.8.8.8 and 9.9.9.9 are our public IPs, but 20.0.0.200 is the connected address of R2, which represents a user from the internet.

Please find the config of the ASA.

Hi,

Your requirement is still confusing. You mention you want outside users to be able to access an inside server using 3 different IP addresses (7.7.7.7, 8.8.8.8 and 9.9.9.9).

If that's your requirement, on ASA 8.2 unfortunately that's not really possible though there is a way to "fool" the firewall to get it working:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

Frankly, I have seen this not work on quite a few occasions. Are you going to perform NAT on the ASA or on an inside router? If it's on the ASA, you do not need the following routes:

route inside 7.7.7.7 255.255.255.255 10.0.0.100 1

route inside 8.8.8.8 255.255.255.255 10.0.0.100 1

route inside 9.9.9.9 255.255.255.255 10.0.0.100 1

Regards,

Prapanch
