Re: Cisco ASA Nat options

Abhijith3 · ‎01-28-2019

Hi All,

I would need a help with nat. We have a load balancer in the dmz zone and back end server in the inside zone. We have a dmz VIP of 192.x.x.x and should be nated to a public IP of 125.x.x.x, so I can create a one to one static nat with dmz as source and outside as the destination.

However, the mail server also need to communicate outside and it has an IP of 10.x.x.x., so while going out it should also be nated to the same public IP of 125.x.x.x. In this scenario, I don't think the 2 static nats would work right ? could someone help me with this situation ?

balaji.bandi · ‎01-28-2019

As long as you have routing setup corretly, this is possible. but we would like to know the what ports you are using here.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Abhijith3 · ‎01-29-2019

Thanks for the reply Balaji, the port is 25 across all.LB VIP is on port 25, so is the backend server.

Georg Pauwen · ‎01-29-2019

Hello,

I don't think it is possible with only one public IP address to map two private addresses to the same port. Can you use another port on any of the two servers ?

Abhijith3 · ‎01-29-2019

Hi Georg, I can try and use a different port on the LB VIP may be. If that's the case, will the static nats work ?

Georg Pauwen · ‎01-29-2019

Hello,

just create two static NAT entries, with each one mapped to a different port:

object network obj_192.x.x.x
host 192.x.x.x
nat (inside,outside) static <-External IP Address-> service tcp 25 25

!

object network obj_10.x.x.x
host 10.x.x.x
nat (inside,outside) static <-External IP Address-> service tcp 101 101