Need some clarification with NAT on ASA

Stan Spice
Level 1

Hi,

Need some clarification with NAT on ASA

Can we NAT a public IP to two internal IPs on the same port?

Example below
static (dmz1,outside) 4.4.4.4 192.168.1.2 netmask 255.255.255.255
static (dmz1,outside) 4.4.4.4 192.168.1.3 netmask 255.255.255.255
access-list outtoin extended permit tcp any host 4.4.4.4 eq www
access-list outtoin extended permit tcp any host 4.4.4.4 eq https

Thanks

stan

5 Replies

Jouni Forss
VIP Alumni

Hi,

Seems you are using software 8.2 or something below.

Don't think you are able to configure the above Static NAT and make it work.

Notice that if you wanted to only forward a certain port with Static PAT then the configuration would look like this

static (dmz1,outside) tcp 4.4.4.4 80 192.168.1.2 80 netmask 255.255.255.255

static (dmz1,outside) tcp 4.4.4.4 443 192.168.1.2 443 netmask 255.255.255.255

Though even in the case of the above Port Forward / Static PAT configuration I don't think the ASA will accept the configuration.

EDIT: Meaning that you can't do the above configuration for both of the Internal DMZ hosts.

On newer software versions you can forward the same ports to different hosts, BUT I still think it will not work in a situation where you would want anyone to be able to connect to both of the hosts. You would have to modify the NAT rules to apply only to certain source IP addresses on the Internet.

- Jouni

Hi,

I am using 8.1 on the ASA.

The requirement is to use ports 80 and 443 on 2 websites using the same external IP.

Looks like it can be done (on this version at least).

Thanks

James Leinweber
Level 4

You don't specify your ASA software version, but since you are using the old NAT syntax we'll presume it's 8.2 or lower.

> Can we NAT a public IP to two internals IP's on same port?

Yes, you can do "static PAT" to different IPs, but you must specify the protocol and ports:

static (dmz1,outside) tcp 4.4.4.4  http    192.168.1.2  http  netmask 255.255.255.255

static (dmz1,outside) tcp 4.4.4.4  https  192.168.1.3  https netmask 255.255.255.255

You can also map to different destination ports if that is necessary.

-- Jim Leinweber, WI State Lab of Hygiene

Hi,

I am using 8.1 on the ASA.

Thanks

Just to clarify, the (source IP, source port) and (destination IP, destination port) pairs do have to be unique. You can map a single source port to a different destination IP and optionally a different destination port. You can map different source ports to different IPs and/or destination ports. But you can't map the single source port on a single source IP to two different destination IPs simultaneously. No double dipping with (4.4.4.4, 80) trying to go to both (192.168.1.2, 80) and (192.168.1.3, 80) simultaneously; the firewall wouldn't know how to choose between them. However,

   (4.4.4.4, 80) --> (192.168.1.2,80)    -- change the IP, keep the port

and

  (4.4.4.4, 81) --> (192.168.1.3,80)     -- change the IP and change the port

would be OK.

Similarly, you can't both NAT and not NAT, e.g. if you have a NAT rule for

  static (dmz1,outside) tcp 4.4.4.4  http   192.168.1.2  http netmask 255.255.255.255

then other hosts won't be able to connect to destination (192.168.1.2, 80) through other firewall interfaces. I get around that by defining secondary IP addresses on hosts where I need both local and remote access from different interfaces, one with NAT, and one without. That's usually less work than using separate ports for remote and local access.

-- Jim Leinweber, WI State Lab of Hygiene
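The uniqueness rule Jim spells out above (one (global IP, protocol, global port) slot can only map to one (local IP, local port)), together with the static PAT syntax Jouni and Jim show, can be checked offline before a config is pushed. The following lint script is an added example written for this thread, not code from Cisco or from any poster. It parses the pre-8.3 `static (real,mapped) [tcp|udp] global [gport] local [lport] netmask mask` lines quoted in the thread and reports pairs of rules that claim the same global slot for different local targets. Two assumptions are built in and labelled in the code: a `static` with no protocol/port is treated as claiming every port on its global IP, and only a small table of service names (www, http, https, and a few others) is translated to port numbers.

```python
"""Lint ASA 8.2-and-earlier `static` NAT/PAT lines for mapped-address conflicts.

Added example for the Cisco community thread; not Cisco code and not the
posters' code. It models the rule that a (global IP, proto, global port)
slot may map to only one (local IP, local port).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a small subset of the service names the ASA accepts as ports.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21,
                 "ssh": 22, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    mapped_if: str
    proto: Optional[str]          # None for a whole-IP static
    global_ip: str
    global_port: Optional[int]    # None for a whole-IP static
    local_ip: str
    local_port: Optional[int]
    text: str

    def same_global_slot(self, other: "StaticRule") -> bool:
        """True when both rules claim the same global address/port slot."""
        if self.global_ip != other.global_ip:
            return False
        # Modelling assumption: a whole-IP static claims every port of the IP.
        if self.proto is None or other.proto is None:
            return True
        return (self.proto, self.global_port) == (other.proto, other.global_port)


def to_port(token: str) -> int:
    """Translate a numeric or well-known service-name port token."""
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    port = int(token)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_static(line: str) -> StaticRule:
    """Parse one `static (real,mapped) ... netmask ...` line (old NAT syntax)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "static" or "netmask" not in tokens:
        raise ValueError(f"not a static line: {line!r}")
    m = re.fullmatch(r"\(([\w-]+),([\w-]+)\)", tokens[1])
    if not m:
        raise ValueError(f"bad interface pair: {tokens[1]!r}")
    body = tokens[2:tokens.index("netmask")]
    if body and body[0] in ("tcp", "udp"):
        if len(body) != 5:
            raise ValueError(f"static PAT needs proto gip gport lip lport: {line!r}")
        proto, gip, gport, lip, lport = body
        return StaticRule(m.group(1), m.group(2), proto, gip, to_port(gport),
                          lip, to_port(lport), line)
    if len(body) != 2:
        raise ValueError(f"whole-IP static needs gip lip: {line!r}")
    gip, lip = body
    return StaticRule(m.group(1), m.group(2), None, gip, None, lip, None, line)


def find_conflicts(rules: List[StaticRule]) -> List[Tuple[StaticRule, StaticRule]]:
    """Pairs of rules that claim one global slot but point at different local targets."""
    by_ip = defaultdict(list)
    for rule in rules:
        by_ip[rule.global_ip].append(rule)
    conflicts = []
    for group in by_ip.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.same_global_slot(b) and \
                        (a.local_ip, a.local_port) != (b.local_ip, b.local_port):
                    conflicts.append((a, b))
    return conflicts


def lint(config: str) -> List[str]:
    """Return one human-readable line per conflicting rule pair in `config`."""
    rules = [parse_static(ln.strip()) for ln in config.splitlines()
             if ln.strip().startswith("static ")]
    return [f"CONFLICT: {a.text!r} vs {b.text!r}" for a, b in find_conflicts(rules)]


# Constructed sample configs taken from the shapes discussed in the thread.
ORIGINAL_POST = """
static (dmz1,outside) 4.4.4.4 192.168.1.2 netmask 255.255.255.255
static (dmz1,outside) 4.4.4.4 192.168.1.3 netmask 255.255.255.255
access-list outtoin extended permit tcp any host 4.4.4.4 eq www
"""
STATIC_PAT_OK = """
static (dmz1,outside) tcp 4.4.4.4 http 192.168.1.2 http netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.4 https 192.168.1.3 https netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.4 81 192.168.1.3 80 netmask 255.255.255.255
"""
DOUBLE_DIP = STATIC_PAT_OK + \
    "static (dmz1,outside) tcp 4.4.4.4 80 192.168.1.3 80 netmask 255.255.255.255\n"

if __name__ == "__main__":
    for name, cfg in [("original post", ORIGINAL_POST), ("static PAT", STATIC_PAT_OK),
                      ("double dip", DOUBLE_DIP)]:
        print(name, "->", lint(cfg) or "no conflicts")
```

Running it on the original post's two whole-IP statics reports one conflict (both claim all of 4.4.4.4), the three static PAT lines that change only the IP or both the IP and the port pass cleanly, and adding a second mapping for (4.4.4.4, 80) is reported as the double dip Jim describes. It does not model Jim's second point about a NATed host becoming unreachable from other interfaces.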
