Solved: Multiple Public IP's to one private address.

grobinson23 · ‎09-07-2011

Hello all!

We're getting ready to implement BGP with dual ISP's, and we have to change our public subnet to a /24 subnet. The question one of our developers asked was, "can we have the old IP address still point to the web server along with the new one?"

ISP <--->[Edge Router] <--->[ASA Firewall]<--->[L3 Switch]<--->[LAN]<--->[Webserver]

The old IP won't be tied to an interface.

If I could wave my magic wand, I'd set up two static entries on the ASA for each public address to the same private address. Because our Webservers are clustered, it would be a bit of a cluster to try and accomplish this using PAT. I'm wanting a simple one to one solution, and that isn't possible on the ASA.

I then thought that the edge router could have the old public address simply translate to the existing public IP on the ASA. Looking at how NAT is set up, it seems pretty straightforward. However, it's the end of the day, I'm tired, and I'm not going to absorb new information at this point.

Is the above scenario feasible using outside and inside nat statements on the edge router, or am I way off base here?

Thanks!

Grant

Jon Marshall · ‎09-08-2011

Grant

The problem with your setup is that static NAT is bidirectional so if a client on the internet connects to 101.101.101.101 when the return traffic gets to your ISP router that address is changed to 100.100.100.100 and then sent out to the internet.

Try this setup on the ASA -

assuming the real IP address of your server is 192.168.5.10

access-list pnat1 permit ip host 192.168.5.10 any

access-list pnat2 permit ip host 192.168.5.10 any

static (inside,outside) 100.100.100.100 access-list pnat1

static (inside,outside) 101.101.101.101 access-list pnat2

** Edit - obviously remove the NAT config from the router as well

Jon

View solution in original post

Marwan ALshawi · ‎09-07-2011

If your ISP still routed to you even if it not configured on the physical interface with static nat you get it working

HTH

If helpful rate

Sent from Cisco Technical Support iPhone App

grobinson23 · ‎09-08-2011

When I create the static inside translation from the old IP (100.100.100.100) to the new one that has a translation on the firewall (101.101.101.101) [ip nat inside static 101.101.101.101 100.100.100.100) I lose the ability to communicate with the new address. Communication through the old one works great. I know I'm missing something here. What am I missing?

Thanks!

Jon Marshall · ‎09-08-2011

Grant

The problem with your setup is that static NAT is bidirectional so if a client on the internet connects to 101.101.101.101 when the return traffic gets to your ISP router that address is changed to 100.100.100.100 and then sent out to the internet.

Try this setup on the ASA -

assuming the real IP address of your server is 192.168.5.10

access-list pnat1 permit ip host 192.168.5.10 any

access-list pnat2 permit ip host 192.168.5.10 any

static (inside,outside) 100.100.100.100 access-list pnat1

static (inside,outside) 101.101.101.101 access-list pnat2

** Edit - obviously remove the NAT config from the router as well

Jon

grobinson23 · ‎09-12-2011

That did the trick!

Thank you very much!

dagrinya01 · ‎03-04-2014

Hello Jon,

How can I achieve two Public IPs to one local IP with the following setup":

----------------------------

And the NAT is on the Edge Router (Cisco 3900 Series)?

Would really appreciate this.

Declan