04-17-2013 06:32 AM - edited 03-11-2019 06:30 PM
Hi,
Need some clarification with NAT on ASA
Can we NAT a public IP to two internal IPs on the same port?
Example below
static (dmz1,outside) 4.4.4.4 192.168.1.2 netmask 255.255.255.255
static (dmz1,outside) 4.4.4.4 192.168.1.3 netmask 255.255.255.255
access-list outtoin extended permit tcp any host 4.4.4.4 eq www
access-list outtoin extended permit tcp any host 4.4.4.4 eq https
Thanks
stan
04-17-2013 07:05 AM
Hi,
Seems you are using software 8.2 or something below.
Don't think you are able to configure the above Static NAT and make it work.
Notice that if you wanted to only forward a certain port with Static PAT then the configuration would look like this
static (dmz1,outside) tcp 4.4.4.4 80 192.168.1.2 80 netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.4 443 192.168.1.2 443 netmask 255.255.255.255
Though even in the case of the above Port Forward / Static PAT configuration I don't think the ASA will accept the configuration.
EDIT: Meaning that you can't do the above configuration for both of the Internal DMZ hosts.
On newer software versions you can forward the same ports to different hosts, BUT I still think it will not work in a situation where you would want anyone to be able to connect to both of the hosts. You would have to modify the NAT rules to apply only to certain source IP addresses on the Internet.
- Jouni
04-17-2013 01:11 PM
Hi,
I am using 8.1 on asa
The requirement is to use ports 80 and 443 on 2 websites using the same external IP.
Looks like it can be done (on this version at least).
Thanks
04-17-2013 07:08 AM
You don't specify your ASA software version, but since you are using the old NAT syntax we'll presume it's 8.2 or lower.
> Can we NAT a public IP to two internals IP's on same port?
Yes, you can do "static PAT" to different IPs, but you must specify the protocol and ports:
static (dmz1,outside) tcp 4.4.4.4 http 192.168.1.2 http netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.4 https 192.168.1.3 https netmask 255.255.255.255
You can also map to different destination ports if that is necessary.
-- Jim Leinweber, WI State Lab of Hygiene
04-17-2013 01:09 PM
Hi,
I am using 8.1 on asa
Thanks
04-17-2013 01:27 PM
Just to clarify, the (source IP, source port) and (destination IP, destination port) pairs do have to be unique. You can map a single source port to a different destination IP and optionally a different destination port. You can map different source ports to different IPs and/or destination ports. But you can't map the single source port on a single source IP to two different destination IPs simultaneously. No double dipping with (4.4.4.4, 80) trying to go to both (192.168.1.2, 80) and (192.168.1.3, 80) simultaneously; the firewall wouldn't know how to choose between them. However,
(4.4.4.4, 80) --> (192.168.1.2,80) -- change the IP, keep the port
and
(4.4.4.4, 81) --> (192.168.1.3,80) -- change the IP and change the port
would be OK.
Similarly, you can't both NAT and not NAT, e.g. if you have a NAT rule for
static (dmz1,outside) tcp 4.4.4.4 http 192.168.1.2 http netmask 255.255.255.255
then other hosts won't be able to connect to destination (192.168.1.2, 80) through other firewall interfaces. I get around that by defining secondary IP addresses on hosts where I need both local and remote access from different interfaces, one with NAT, and one without. That's usually less work than using separate ports for remote and local access.
-- Jim Leinweber, WI State Lab of Hygiene
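The uniqueness rule Jim describes above (one global address/protocol/port tuple can map to only one real host, while different global ports may each point at their own host) can be checked before a config is pushed. The following lint script is an added example and is not from any of the posters or from Cisco; it parses old-syntax (8.2 and earlier) `static` lines, resolves the port names the ASA accepts (`http`, `https`, `www`), and reports two kinds of overlap. The first rule is exactly what the thread states. The second rule, that a 1:1 `static` claims every port of its global address and therefore overlaps any static PAT on the same address, is an assumption added here. The sample config is constructed for the demo and reuses the thread's addresses.

```python
"""Lint old-syntax (ASA 8.2 and earlier) 'static' NAT lines for mappings that
compete for the same global (interfaces, address, protocol, port) tuple.
Added example; the sample config below is constructed, not from a real device.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords the ASA accepts instead of numbers (subset, enough for this demo).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}


@dataclass(frozen=True)
class Static:
    ifaces: str            # e.g. "dmz1,outside"
    proto: str             # "tcp", "udp", or "ip" for a 1:1 static (all ports)
    gip: str               # global (mapped) address
    gport: Optional[int]   # global port, None for a 1:1 static
    lip: str               # real (local) address
    lport: Optional[int]   # real port, None for a 1:1 static


def port_num(tok: str) -> int:
    """Resolve a numeric port or an ASA port keyword to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (in,out) gip lip netmask m' or
    'static (in,out) tcp|udp gip gport lip lport netmask m'. Returns None
    for lines that are not static NAT statements."""
    t = line.split()
    if len(t) < 6 or t[0] != "static" or not t[1].startswith("("):
        return None
    ifaces = t[1].strip("()")
    try:
        if t[2] in ("tcp", "udp"):
            if len(t) < 9:
                return None
            return Static(ifaces, t[2], t[3], port_num(t[4]), t[5], port_num(t[6]))
        return Static(ifaces, "ip", t[2], None, t[3], None)
    except (KeyError, ValueError):
        return None


def find_conflicts(config: str) -> List[Tuple[str, tuple, tuple]]:
    """Return (kind, global_key, targets) tuples for every overlap found.

    kind == "same-global-socket": one (ifaces, gip, proto, gport) key maps to
        two or more different real hosts/ports (the case the thread rules out).
    kind == "overlaps-1to1": a static PAT sits on a global address that a 1:1
        static already claims in full (assumption about ASA overlap checking).
    """
    entries = [s for s in (parse_static(l) for l in config.splitlines()) if s]
    by_key = defaultdict(set)          # global tuple -> set of real targets
    one_to_one = defaultdict(set)      # (ifaces, gip) -> real hosts of 1:1 statics
    for s in entries:
        by_key[(s.ifaces, s.gip, s.proto, s.gport)].add((s.lip, s.lport))
        if s.proto == "ip":
            one_to_one[(s.ifaces, s.gip)].add(s.lip)

    problems = []
    for key, targets in by_key.items():
        if len(targets) > 1:
            problems.append(("same-global-socket", key, tuple(sorted(targets, key=str))))
    for s in entries:
        if s.proto != "ip" and (s.ifaces, s.gip) in one_to_one:
            key = (s.ifaces, s.gip, s.proto, s.gport)
            problems.append(("overlaps-1to1", key, tuple(sorted(one_to_one[(s.ifaces, s.gip)]))))
    return problems


# Constructed sample: the original poster's two 1:1 statics on 4.4.4.4, a
# legal pair on 4.4.4.5 (port 80 and port 81 to different hosts), a "double dip"
# on (4.4.4.5, tcp/80) via the www keyword, and a PAT on 4.4.4.4 that collides
# with the 1:1 statics.
SAMPLE_CONFIG = """
static (dmz1,outside) 4.4.4.4 192.168.1.2 netmask 255.255.255.255
static (dmz1,outside) 4.4.4.4 192.168.1.3 netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.5 http 192.168.1.2 http netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.5 81 192.168.1.3 http netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.5 https 192.168.1.3 https netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.5 www 192.168.1.3 80 netmask 255.255.255.255
static (dmz1,outside) tcp 4.4.4.4 https 192.168.1.4 https netmask 255.255.255.255
access-list outtoin extended permit tcp any host 4.4.4.4 eq www
"""

if __name__ == "__main__":
    for kind, key, targets in find_conflicts(SAMPLE_CONFIG):
        ifaces, gip, proto, gport = key
        print(f"{kind}: ({ifaces}) {gip} {proto}/{gport} -> {targets}")
```

Run against the sample, it flags the two 1:1 statics on 4.4.4.4, the (4.4.4.5, tcp/80) mapping that points at both 192.168.1.2 and 192.168.1.3, and the https PAT that sits on top of the 1:1 statics on 4.4.4.4; the port 80/port 81 pair on 4.4.4.5 passes, matching the "change the IP and change the port" case in the post above.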