04-25-2012 05:09 AM - edited 03-11-2019 03:58 PM
Hi All,
I have a query regarding static policy NAT within the following scenario -
I have the following simulated setup -
If each server translates from inside the firewall to outside the firewall as the same /32 address (PAT) they will all have internet access as the same public IP address. I then want to publish services from CUS1-SRV#1 to CUS1-SITE#1 and CUS2-SRV#1 to CUS2-SITE#1. So basically, publish each customers server services to their specific remote site.
I am aware that policy NAT exists and I can perform a NAT based on destination but what i would like to be able to do is the perform a sort of reverse remote site source address translation. CUS1-SITE#1 targets the public /32 address of the server and is then translated to the correct server internally for that customer (192.168.1.1). Is this at all possible?
Thanks
Nick
04-25-2012 05:30 AM
Hi,
What software are you running on the ASA?
Are you going to publish services with the same port like TCP/80 for each server?
- Jouni
04-25-2012 05:33 AM
Jouni, thanks for the prompt response.
The software can be any version 8 IOS.
Each customer server will publish the same services such as - WWW (80), SMTP (25), RRAS (1723), RDP (3389) etc.
04-25-2012 05:44 AM
Hi,
This is something I have to test to be able to answer it.
I mean, it's not a good idea in the first place to start providing services to the public network with a single IP address. It would be good to have a small network of public IP addresses from the ISP.
What I am wondering is the fact that if we in this case know the source address of each host connecting to the servers, can we forward the same ports to different hosts since our NAT configuration would still state the different source address for each configuration.
I could probably test this at my own ASA later.
I've got to say, though, that it would be best to have at least a small /29 public network from the ISP so you could dedicate a single public IP to each server. I'd imagine it would make your life easier in the long run.
I will check this thing out later today unless someone else gives an answer.
- Jouni
04-25-2012 05:49 AM
Thanks again Jouni, it is much appreciated.
I realise having a /29 range of public addresses would allow me to support further customers by performing one-to-one static mapping of addresses for each customer server. This was more of a "Can this be done?" question. Luckily, I am not actually in this situation.
Thanks
Nick
04-25-2012 05:53 AM
Ok,
Might still test this just to see if it is possible. First gut feeling would be that it's impossible to forward the same ports to different hosts, unless you used a different mapped port for each customer, which would probably cause more problems.
- Jouni
04-25-2012 06:14 AM
I would tend to agree; I'm just extremely curious as to the process the ASA would follow for this.
For example, if i configured the following -
access-list external_nat permit tcp 1.1.1.0 255.255.255.0 host 192.168.1.1 eq http
access-list external_nat permit tcp 1.1.1.0 255.255.255.0 eq http host "/32 public IP"
static (outside,inside) 192.168.1.1 access-list external_nat
Would the ASA then NAT packets from 1.1.1.1/24 to 192.168.1.1 when the destination port is http, and the source port is http to the public /32 IP address?
I realise the source port is unlikely to be http, but it is just for example purposes.
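The point the thread circles around is that, with a single public /32 and identical ports on every customer server, the mapped address and port alone cannot identify the inside host; only the remote site's address can. The following is an added example, not code from the thread or from Cisco, that models this selection logic as a small policy-NAT table: inbound untranslation keyed on (mapped address, peer address), outbound translation keyed on (real address, peer address), a dynamic PAT fallback for ordinary Internet access, and a conflict check that flags two rules publishing the same public address to overlapping peer networks (the case in which the table becomes ambiguous). All addresses, customer names and rule entries are constructed for illustration; this does not reproduce ASA rule evaluation and should not be read as ASA configuration.

```python
"""Toy model of source-based policy static NAT for a shared public /32.

Added example: addresses, customer names and rules are constructed for
illustration and are NOT ASA configuration or ASA behaviour.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# The single public address every inside host is published as (constructed).
PUBLIC_IP: IPv4Address = ip_address("203.0.113.10")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class PolicyStatic:
    """One customer's publication rule: the inside server (real), the public
    address it is published as (mapped), and the remote site (peer) that is
    allowed to reach it and that it may originate connections to."""
    name: str
    real_host: IPv4Address
    mapped_host: IPv4Address
    peer_net: IPv4Network


# Constructed rule table: two customers, same public IP, same ports.
RULES: List[PolicyStatic] = [
    PolicyStatic("CUS1", ip_address("192.168.1.1"), PUBLIC_IP,
                 ip_network("198.51.100.0/24")),   # CUS1-SITE#1 (constructed)
    PolicyStatic("CUS2", ip_address("192.168.2.1"), PUBLIC_IP,
                 ip_network("192.0.2.0/24")),      # CUS2-SITE#1 (constructed)
]


def untranslate_inbound(pkt: Packet, rules: List[PolicyStatic] = RULES) -> Optional[Packet]:
    """outside -> inside. Both rules publish PUBLIC_IP on the same ports, so
    the destination alone is ambiguous; the remote site's source address is
    what selects the rule. Returns None when no rule matches (no translation
    exists for that source, so a firewall would drop the packet)."""
    for rule in rules:
        if pkt.dst == rule.mapped_host and pkt.src in rule.peer_net:
            return Packet(pkt.src, rule.real_host, pkt.dport)
    return None


def translate_outbound(pkt: Packet, rules: List[PolicyStatic] = RULES) -> Tuple[str, Packet]:
    """inside -> outside. A server talking to its own customer's site uses its
    policy static; anything else falls through to the shared dynamic PAT
    (the "every server leaves as the same /32" part of the original setup).
    The first element tags which path was taken."""
    for rule in rules:
        if pkt.src == rule.real_host and pkt.dst in rule.peer_net:
            return ("static", Packet(rule.mapped_host, pkt.dst, pkt.dport))
    return ("pat", Packet(PUBLIC_IP, pkt.dst, pkt.dport))


def find_conflicts(rules: List[PolicyStatic]) -> List[Tuple[str, str]]:
    """The practitioner's sanity check: two rules that map the same public
    address AND have overlapping peer networks leave inbound selection
    ambiguous (the first rule silently wins for the overlapping sources).
    Returns the offending rule-name pairs, in table order."""
    conflicts: List[Tuple[str, str]] = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.mapped_host == b.mapped_host and a.peer_net.overlaps(b.peer_net):
                conflicts.append((a.name, b.name))
    return conflicts


if __name__ == "__main__":
    # Same destination, same port, different remote sites -> different servers.
    for site in ("198.51.100.5", "192.0.2.7", "8.8.8.8"):
        result = untranslate_inbound(Packet(ip_address(site), PUBLIC_IP, 80))
        print(f"{site} -> {PUBLIC_IP}:80 =>", result.dst if result else "no translation (dropped)")
    print("conflicts in table:", find_conflicts(RULES))
```

Running the block shows port 80 on the shared public address landing on 192.168.1.1 for a CUS1 site source, on 192.168.2.1 for a CUS2 site source, and on nothing at all for an arbitrary Internet source. That last case is the operational cost of the single-IP design that Jouni's /29 advice avoids: the published services are reachable only from the sites named in the rule table, and adding a third customer means proving with `find_conflicts` that its remote site does not overlap an existing one.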