03-02-2009 08:20 AM - edited 03-11-2019 07:59 AM
Hi,
I am using an ASA 5580 with software Version 8.1(2). Could it be possible to access the NATTED IP address and also the physical IP address at the same time from the host?
03-02-2009 08:20 AM
Hi,
My requirement is different than what you have mentioned. In the configuration you have mentioned, if I have a host connected to IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts, can it be possible?
If possible, then send some write-up and also any Cisco site reference.
Regards,
03-06-2009 05:26 AM
if I have a host connected to IP address 100.100.100.2 and want to access 100.10.100.1, 20.20.20.1 and other 20.20.20.0/24 hosts. Can it be possible
Santosh,
I'm not quite sure I understand your requirements, which from your initial post seemed to me to be a hairpinning requirement. I would like to know what application prompts you to have this type of setting; perhaps if you could provide in detail what this requirement entails in terms of TCP/UDP services, I could provide a better answer.
Regards
03-04-2009 10:15 AM
Sure you can, depending on what your scenario is, but generally you can use the same-security-traffic permit intra-interface command in conjunction with a specific NAT statement, and connect to the NATed address from where you are sourcing the local host. This is also known as hairpinning.
Regards
03-05-2009 06:16 AM
Hi,
I have all the intra interfaces with different levels of security; can it then also be possible?
If possible, please let me know some write-up or any Cisco write-up details for reference.
Regards,
03-05-2009 08:54 AM
Typical scenario
say :
inside host 20.20.20.1/24 - Its public IP 100.100.100.1 for outside
Typically you would have one-to-one NAT
static (inside,outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255
Now you want local hosts in the 20.20.20.0/24 subnet to access 100.100.100.1, which is mapped to 20.20.20.1
same-security-traffic permit intra-interface
static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255
and allow inbound rules for 100.100.100.1
so inside hosts under 20.20.20.0/24 can access 20.20.20.1 locally as well as 100.100.100.1 from the inside interface
Here is some reference on hairpinning
Regards
PLS rate any helpful posts if it helps
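The hairpin setup described in the post above, gathered into one fragment as an added example (not the poster's own configuration), in ASA 8.1 pre-8.3 NAT syntax. The ACL name, the TCP/443 service, the test client 20.20.20.50, and the `nat`/`global` pair on the inside interface are assumptions added here; that pair source-translates inside clients to the ASA's inside address so that a server on the same subnet sends its replies back through the firewall instead of directly to the client.

```cisco
! Added example. Addresses are the ones used in the post above.

! Outside-facing one-to-one NAT: 20.20.20.1 is published as 100.100.100.1.
static (inside,outside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

! Inbound rule for the mapped address.
! ACL name and the TCP/443 service are assumptions; permit only what is needed.
access-list OUTSIDE_IN extended permit tcp any host 100.100.100.1 eq 443
access-group OUTSIDE_IN in interface outside

! Hairpin: allow traffic to enter and leave the same (inside) interface,
! and translate the mapped address back to the real server on that interface.
same-security-traffic permit intra-interface
static (inside,inside) 100.100.100.1 20.20.20.1 netmask 255.255.255.255

! Assumption added here: source-PAT hairpinned clients to the ASA inside
! address so return traffic from 20.20.20.1 passes back through the ASA.
! If "nat (inside) 1" already exists for outbound traffic, only the
! "global (inside) 1 interface" line is new.
nat (inside) 1 20.20.20.0 255.255.255.0
global (inside) 1 interface

! Checks from the ASA CLI (20.20.20.50 is a constructed inside client):
! packet-tracer input inside tcp 20.20.20.50 1025 100.100.100.1 443 detailed
! show xlate
```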
03-06-2009 04:58 AM
Santosh
Just to clarify what you are asking.
Server = real IP address = 192.168.5.1
Natted IP address = 172.16.5.1
Are you asking if from a client host you can connect to both 172.16.5.1 and 192.168.5.1 on the same port?
If so, no, you can't. It's one or the other.
Jon
03-06-2009 05:27 AM
Hi,
Find the details of the requirement.
Inside IP : 172.16.0.0/24
Host: 172.16.1.10
Natted IP: 192.168.1.10
Outside IP: 192.168.1.0/24
Host: 192.168.1.20
Now my requirement is: from host 192.168.1.20, can I access 192.168.1.10 and also 172.16.1.10?
Hi Jon: It's the customer's requirement for a SAP application, and also for your reference this is working in Checkpoint now. We are replacing the Checkpoint with an ASA-5580.
Could it be possible?
Regards,
03-06-2009 05:40 AM
Santosh
If you are trying to access the 172.16.1.10 and 192.168.1.10 from outside using the same application port number you cannot do this on the ASA. I understand you can do this with Checkpoint but NAT functionality differs between firewalls.
Jon