Static NAT with one real IP and 2 public IPs on 2 ASAs

vishnureddy1979
Level 1

I have a server with 10.210.1.229 which is configured for static NAT on the old firewall. Several VPN connections terminate on this firewall. As we are transitioning the VPNs to terminate on the new ASA 5525-X firewall, can I create a static NAT for this server with another public IP, as the routing has been taken care of? Could this be done without any conflicts? Has anyone accomplished this so far? Thanks in advance.

XX.XXX.XX.203 - I have to configure this in the new firewall

XX.XXX.XX.229 - This is already mapped to the real server in the old firewall

Thanks,

Vishnu

1 Accepted Solution

Accepted Solutions

If this is done as part of the site-to-site VPN, and the static NAT is part of the site-to-site configuration, then that would solve the issue I raised about how the server would know which ASA to send response traffic to.

HTH

Rick


6 Replies

Philip D'Ath
VIP Alumni

Is this static NAT only used by VPN users, or the global Internet?

This static NAT is only used by VPN users.

If you configure the second static NAT on the new firewall, how would you manage which address the user on the VPN connection would use to access the server? I can see that packets from the outside, if they use the proper IP address for the server, will get to the server OK. But I do not see how you would handle packets that are responses from the server. How do you determine which firewall to send the response to? Overall I see this approach as quite problematic.

HTH

Rick


Each customer connecting to our site is using the peer IP address through a site-to-site VPN. My understanding was that once the new customers terminate their VPN connections on the new firewall using its peer address, since the ASA is stateful it knows how to forward the return traffic (the response from the server) to the client. For security reasons, the session has to be initiated from the customer site through the tech support software.

I was thinking whether I can create a static NAT for the same server from the new ASA using a different public IP and the same real IP (same server), as there is already a static entry in the old firewall. Will this cause any network issues?

If this is done as part of the site-to-site VPN, and the static NAT is part of the site-to-site configuration, then that would solve the issue I raised about how the server would know which ASA to send response traffic to.

HTH

Rick

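As an added illustration (not part of this thread and not Cisco's own documentation), this is what the accepted approach looks like on the new ASA in 8.3+ NAT syntax: a second static NAT for the same real server, with the tunnel's crypto ACL written against the translated address. The real IP 10.210.1.229 comes from the thread; every other address is an assumption: 203.0.113.203 stands in for the thread's XX.XXX.XX.203, 198.51.100.1 for one customer's VPN peer, 192.0.2.0/24 for that customer's network, and port 3389 for the tech support software. The object, ACL, map and transform-set names are also made up for the example.

```cisco
! Added example, not from the thread. Assumed values:
!   203.0.113.203  stands in for XX.XXX.XX.203 (new public IP on the new ASA)
!   198.51.100.1   customer VPN peer (assumed)
!   192.0.2.0/24   customer internal network (assumed)
!   3389           port used by the tech support software (assumed)
! 10.210.1.229 is the real server address given in the thread.

! Static NAT on the new ASA. The old ASA keeps its own mapping to
! XX.XXX.XX.229; the two translations do not conflict because each
! ASA only sees the connections that enter through it.
object network SUPPORT-SERVER
 host 10.210.1.229
 nat (inside,outside) static 203.0.113.203

! Since ASA 8.3 the crypto ACL is matched after NAT, so the
! interesting traffic is defined with the translated address.
access-list VPN-CUSTOMER-A extended permit ip host 203.0.113.203 192.0.2.0 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-CUSTOMER-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <replace-with-shared-secret>

! The point Rick raised: the server's reply to 192.0.2.x must leave
! via the new ASA, which holds the connection state. The server (or
! its inside gateway) therefore needs a route for 192.0.2.0/24 that
! points at the new ASA's inside interface; this is the "routing has
! been taken care of" part of the thread, not something NAT does.

! Checks: simulate a customer packet arriving on the outside, confirm
! the translation hit counters, and confirm the tunnel is passing data.
packet-tracer input outside tcp 192.0.2.10 40000 203.0.113.203 3389 detailed
show nat detail
show crypto ipsec sa peer 198.51.100.1
```

The packet-tracer output should show the UN-NAT phase translating 203.0.113.203 to 10.210.1.229 and the VPN phases decrypting rather than dropping; if the server's replies are going to the old ASA instead, the new ASA's `show crypto ipsec sa` will show packets decapsulated but none encapsulated for that peer.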

Thanks Richard.

I will go ahead and try this and will update here once completed.