
NAT Suggestion Request - Hiding Srv-IP to another Subnet -IP before doing NAT to Public IP (Double-Triple NAT :P)


Hello all,


I would need some suggestions regarding a configuration I would like to implement.

Basically I want to create a new DMZ for a new infrastructure we are setting up, a new DMZ leg in the ASA.

Let's say this DMZ subnet is configured on the core router via VRF and with its own BGP address-family. Subnet for example

Aight so far so good.


What I want to achieve is that, for security matters, I would like to put some very specific servers and services into this new secure DMZ, which will have limited access to the rest of the hybrid infrastructure, yet this cannot be done by changing IP addresses, as all of the servers are in live production and there is no downtime tolerated.

Let's say one server is HTTP in Subnet and its IP Address is


So, how do I actually NAT this server's port 80, for example, to the DMZ IP Address of port 80 to port 8099, and then NAT this "NAT-ed" address to the Public IP Address of and also accept the return traffic to take the same path back.


I have been trying a couple of combinations, yet I haven't figured it out.

Looking forward to suggestions.


Thank You,

Rigels Sino



Alright, I figured it out, in case someone runs across the same kind of request. You can achieve what I earlier requested by using a third-party (vendor) proxy server, or in case you actually make a Windows proxy server to assist you with that. Then you proceed with the NAT policies and ACLs by NAT-ing the proxy server IP and port instead of the original source.

On the proxy server this can be achieved by using a reverse proxy; in my case I used Symantec ProxySG (ex BlueCoat), which was the actual proxy implemented.



Will keep this post updated in case I have got new info about it.


Marius Gunnerud
VIP Advisor

For this you would need to add another NAT-capable device between the ASA and the internet. So you would first NAT to an IP to an unused IP of your choosing (let's say towards the second NAT device and then on the second NAT device NAT to

Please remember to select a correct answer and rate helpful posts