
server ip translation with asa

suthomas1
Level 6

One of the server hosts uses the same internet IP to get on to the internet and also receive requests from the internet to itself. This was done for address space constraints. But a recent security audit has forced us to separate the communication for this server using a single internet registered IP both ways.

i.e. server host 10.19.2.2 will use internet IP X.X.X.X for internet-bound data from itself & the same X.X.X.X internet IP will be used to reach this host when any other host on the internet needs to start a new connection to 10.19.2.2.

Insights into how best this can be achieved will be helpful.

TIA.

7 Replies

Hi,

If you want to do this on ASA you can do the following:

! Inbound: forward public 2.2.2.2 port 80 to the server 1.1.1.1 port 80 (interfaces named in/out)
static (in,out) tcp 2.2.2.2 80 1.1.1.1 80
! Outbound: the server's own connections are translated to 2.2.2.3
! (interface names made consistent with the static line above)
nat (in) 1 1.1.1.1 255.255.255.255
global (out) 1 2.2.2.3

The above example assumes the following:

Inbound connections to the server (1.1.1.1) will use the NAT IP (2.2.2.2) when the request comes in on port 80.

Outbound traffic from the server will use (2.2.2.3) to get to the Internet.

Hope it helps.

Federico.

Thanks. Apologies if my question was not clear.

Taking the e.g. that you have stated, our policy needs me to use the same public IP for this server host 1.1.1.1 when going out to the internet & use the same public IP for inbound connections to this server initiated by any source from the internet.

TIA.

In that case you can modify the configuration to this:

! One-to-one static NAT: 1.1.1.1 on "in" is always seen as 2.2.2.2 on "out", all protocols
static (in,out) 2.2.2.2 1.1.1.1

The above command will always translate 1.1.1.1 to 2.2.2.2 for inbound or outbound traffic.

Federico.

So the static line will accomplish the task for both inbound & outbound using the same IP.

And I would say there needs to be an ACL on the outside interface for the incoming new requests. Would this static and rule hold true for both TCP & UDP connections?

Appreciate your help. Thanks.

Correct.

The static will hold true for TCP and UDP connections.

Also, to allow incoming traffic you require the ACL as you mentioned.

Federico.

Thanks, last query: to check these connections when in use, would sh conn and sh xlate be appropriate commands? Or any other command for this?

Correct.

To check the translations (layer 3) you use sh xlate.

To check the connections (layer 4) you use sh conn (sh conn state / sh conn det).

Since you have a static one-to-one NAT, there's going to be a single XLATE with multiple connections for that particular host.

Federico.
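Putting the whole thread together (the one-to-one static from the accepted answer, the inbound ACL the two of you agreed is needed, and the show commands from the last reply) into one complete configuration. This is an added example, not configuration from the original posts; it keeps the interface names (in, out), server 1.1.1.1 and public 2.2.2.2 from Federico's replies, and assumes an ACL name OUTSIDE_IN, an object name SRV-WEB and that only TCP/80 and UDP/53 need to be reachable from the Internet (all constructed for illustration). The first part is the 8.2-and-earlier syntax used in the thread; the second is the equivalent on ASA 8.3 and later, where the main defender-side caveat is that interface ACLs match the real (untranslated) address, so a rule copied over with the public address in it would never match.

```cisco
! ---- ASA 8.2 and earlier (syntax used in this thread) ----
! One-to-one static NAT: 1.1.1.1 (in) <-> 2.2.2.2 (out), both directions, TCP and UDP alike.
! This replaces the earlier port-specific static and the nat/global pair.
static (in,out) 2.2.2.2 1.1.1.1 netmask 255.255.255.255
!
! Inbound ACL on the outside interface. Pre-8.3 ACLs match the MAPPED (public) address.
! Permit only the services the server must expose; everything else hits the implicit deny.
! (ACL name OUTSIDE_IN and the UDP/53 service are assumptions for this example.)
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.2 eq 80
access-list OUTSIDE_IN extended permit udp any host 2.2.2.2 eq 53
access-group OUTSIDE_IN in interface out
!
! ---- ASA 8.3 and later (equivalent object NAT) ----
object network SRV-WEB
 host 1.1.1.1
 nat (in,out) static 2.2.2.2
!
! 8.3+ ACLs match the REAL address, so the inbound rules reference 1.1.1.1, not 2.2.2.2.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUTSIDE_IN extended permit udp any host 1.1.1.1 eq 53
access-group OUTSIDE_IN in interface out
!
! ---- Verification (exec mode) ----
! Layer 3: expect exactly one static translation for the host, Global 2.2.2.2 <-> Local 1.1.1.1
show xlate | include 1.1.1.1
! Layer 4: every inbound and outbound session of the host rides that single xlate
show conn address 1.1.1.1
show conn detail | include 1.1.1.1
```

Because the static is one-to-one rather than port-specific, the ACL is the only thing limiting which services on 1.1.1.1 the Internet can open; keep it to the ports actually served and review it with the xlate/conn output above after the change.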
