09-07-2011 02:43 PM - edited 03-04-2019 01:32 PM
Hello all!
We're getting ready to implement BGP with dual ISPs, and we have to change our public subnet to a /24 subnet. The question one of our developers asked was, "can we have the old IP address still point to the web server along with the new one?"
ISP <--->[Edge Router] <--->[ASA Firewall]<--->[L3 Switch]<--->[LAN]<--->[Webserver]
The old IP won't be tied to an interface.
If I could wave my magic wand, I'd set up two static entries on the ASA for each public address to the same private address. Because our Webservers are clustered, it would be a bit of a cluster to try and accomplish this using PAT. I'm wanting a simple one to one solution, and that isn't possible on the ASA.
I then thought that the edge router could have the old public address simply translate to the existing public IP on the ASA. Looking at how NAT is set up, it seems pretty straightforward. However, it's the end of the day, I'm tired, and I'm not going to absorb new information at this point.
Is the above scenario feasible using outside and inside nat statements on the edge router, or am I way off base here?
Thanks!
Grant
09-07-2011 03:31 PM
If your ISP still routes to you, even if it is not configured on the physical interface, with static NAT you can get it working.
HTH
If helpful rate
09-08-2011 08:03 AM
When I create the static inside translation from the old IP (100.100.100.100) to the new one that has a translation on the firewall (101.101.101.101) (ip nat inside static 101.101.101.101 100.100.100.100), I lose the ability to communicate with the new address. Communication through the old one works great. I know I'm missing something here. What am I missing?
Thanks!
09-08-2011 12:43 PM
Grant
The problem with your setup is that static NAT is bidirectional, so if a client on the internet connects to 101.101.101.101, when the return traffic gets to your ISP router that address is changed to 100.100.100.100 and then sent out to the internet.
Try this setup on the ASA -
assuming the real IP address of your server is 192.168.5.10
access-list pnat1 permit ip host 192.168.5.10 any
access-list pnat2 permit ip host 192.168.5.10 any
static (inside,outside) 100.100.100.100 access-list pnat1
static (inside,outside) 101.101.101.101 access-list pnat2
** Edit - obviously remove the NAT config from the router as well
Jon
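The following Python model is an added example, not code from this thread or from Cisco; it simulates the two designs discussed above to show why the router static NAT breaks the new address and why the two policy statics on the ASA do not. It assumes the addresses used in the thread (100.100.100.100, 101.101.101.101, real server 192.168.5.10) plus a constructed internet client 203.0.113.7, and it deliberately simplifies: the IOS static mapping is applied to every packet in both directions, while the ASA model tracks inbound connections (keyed on client and real server here; a real ASA keys on the full 5-tuple) so the reply is translated back to whichever mapped address the client originally used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class IosStaticNat:
    """Model of 'ip nat inside source static <inside-local> <inside-global>' on the
    edge router. The mapping is applied statelessly in both directions: any packet
    leaving with source <inside-local> is rewritten to <inside-global>, which is the
    behaviour Jon describes."""

    def __init__(self, inside_local: str, inside_global: str):
        self.local = inside_local
        self.glob = inside_global

    def outside_to_inside(self, pkt: Packet) -> Packet:
        # Internet -> LAN: destination equal to the inside-global address is untranslated.
        if pkt.dst == self.glob:
            return Packet(pkt.src, self.local)
        return pkt  # anything else in the routed block passes through unchanged

    def inside_to_outside(self, pkt: Packet) -> Packet:
        # LAN -> Internet: source equal to the inside-local address is ALWAYS rewritten.
        if pkt.src == self.local:
            return Packet(self.glob, pkt.dst)
        return pkt


class AsaPolicyStaticNat:
    """Model of the ASA 'static (inside,outside) <mapped> access-list pnatN' lines.
    Several mapped addresses may point at one real address; the firewall remembers
    each inbound connection so the reply goes out from the address the client used."""

    def __init__(self, real_ip: str, mapped_ips):
        self.real = real_ip
        self.mapped = set(mapped_ips)
        self.conns = {}  # (client, real) -> mapped address the client connected to (simplified key)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        if pkt.dst in self.mapped:
            self.conns[(pkt.src, self.real)] = pkt.dst
            return Packet(pkt.src, self.real)
        return pkt

    def inside_to_outside(self, pkt: Packet) -> Packet:
        key = (pkt.dst, pkt.src)
        if pkt.src == self.real and key in self.conns:
            return Packet(self.conns[key], pkt.dst)
        return pkt


def round_trip(chain, client: str, public_dst: str):
    """Send one packet from client to public_dst through the chain (edge router first,
    ASA last) and bring the server's reply back out. Returns the address the server
    saw as its own, the source the client sees on the reply, and whether they match
    (a mismatch means the client's TCP stack will discard the reply)."""
    pkt = Packet(client, public_dst)
    for dev in chain:                      # outside -> inside
        pkt = dev.outside_to_inside(pkt)
    server_sees = pkt.dst
    reply = Packet(pkt.dst, pkt.src)       # server answers the untranslated packet
    for dev in reversed(chain):            # inside -> outside
        reply = dev.inside_to_outside(reply)
    return server_sees, reply.src, reply.src == public_dst


CLIENT = "203.0.113.7"  # constructed internet client, not from the thread

# Grant's first attempt: router maps 101.101.101.101 (inside local) <-> 100.100.100.100
# (inside global), ASA holds a single static for 101.101.101.101.
BROKEN = [
    IosStaticNat("101.101.101.101", "100.100.100.100"),
    AsaPolicyStaticNat("192.168.5.10", ["101.101.101.101"]),
]

# Jon's fix: NAT removed from the router, two policy statics on the ASA.
FIXED = [AsaPolicyStaticNat("192.168.5.10", ["100.100.100.100", "101.101.101.101"])]

if __name__ == "__main__":
    for label, chain in (("router NAT", BROKEN), ("ASA policy statics", FIXED)):
        for dst in ("100.100.100.100", "101.101.101.101"):
            print(label, dst, round_trip(chain, CLIENT, dst))
```

Running the block prints the four cases: with the router NAT, a client hitting 100.100.100.100 works but one hitting 101.101.101.101 gets its reply from 100.100.100.100 and the session never completes; with the two ASA statics, both public addresses reach 192.168.5.10 and answer from the address the client used.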
09-12-2011 07:41 AM
That did the trick!
Thank you very much!
03-04-2014 11:45 AM
Hello Jon,
How can I achieve two public IPs to one local IP with the following setup, where the NAT is on the edge router (Cisco 3900 Series)?
Would really appreciate this.
Declan