I have recently come across a fairly simple task that was decidedly difficult to figure out how to implement on the Cisco ASA: multiple external IPs NAT'd to a single internal IP.
A Google search brings up several forums in which the consensus is that it can't be done:
"There is no way the device would allow you to have 2 public ip to point to the same internal ip."
That's not correct; sadly, if you call tier 1 Cisco support they will give you the same answer. The issue is how the ASA performs its various NATs:
static - This is a bi-directional NAT, used for traffic to the host and from the host:
static (inside,outside) public-ip internal-ip netmask 255.255.255.255
nat (pat) - This is for traffic FROM the host only; traffic cannot be initiated TO the NAT IP:
nat (inside) 1 inside-ip
global (outside) 1 outside-ip
The issue is that the static is bi-directional, so the ASA will not let you add two statics for the same internal IP, since this would create a conflict for outgoing traffic.
Now, I refused to accept the answer "it can't be done"... I refuse to believe that Checkpoint, the peak of early 90's technology, can do this, yet the ASA cannot. So I escalated.
I was right: it can be done, and here is how:
Given two Public IPs: 200.100.30.40 & 200.100.30.41
Given one Private IP: 10.10.10.1
First, you create an ACL for each NAT:
access-list nat1 extended permit ip host 10.10.10.1 any
access-list nat2 extended permit ip host 10.10.10.1 any
Now you create the static NAT statements, one per public IP, each referencing its own ACL:
static (inside,outside) 200.100.30.40 access-list nat1
static (inside,outside) 200.100.30.41 access-list nat2
NOTE: Traffic initiated FROM the inside host will always be NAT'd to the first static entry (200.100.30.40 here).
You can verify with show xlate:
Global 200.100.30.41 Local 10.10.10.1
Global 200.100.30.40 Local 10.10.10.1
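The configuration above only creates the translations; on an ASA, traffic arriving on the lower-security "outside" interface is still dropped unless an interface ACL permits it. Below is an added, complete example (not the original post's configuration) that puts the two policy statics together with a least-privilege inbound ACL and the verification commands. It uses the same pre-8.3 syntax as the post (8.3 and later replaced static/global with object NAT). The interface names, the ACL name "outside_in", the permitted services (tcp/80 to .40, tcp/443 to .41) and the test source address 198.51.100.5 are assumptions chosen for the example.

```cisco
! Added example, not the post's own configuration. Assumed: interfaces
! named inside/outside, ACL name outside_in, services tcp/80 and tcp/443,
! constructed test source 198.51.100.5. Pre-8.3 ASA syntax.

! Selection ACLs for the policy statics (identical on purpose: same real
! host, any destination; the ACL name is what keeps the two statics apart)
access-list nat1 extended permit ip host 10.10.10.1 any
access-list nat2 extended permit ip host 10.10.10.1 any

! One static per public (mapped) IP, both pointing at the same real IP.
! Outbound traffic from 10.10.10.1 is translated by the first one listed.
static (inside,outside) 200.100.30.40 access-list nat1
static (inside,outside) 200.100.30.41 access-list nat2

! Inbound permission is separate from NAT. Pre-8.3 interface ACLs match on
! the mapped (public) address; permit only the services actually published.
access-list outside_in extended permit tcp any host 200.100.30.40 eq 80
access-list outside_in extended permit tcp any host 200.100.30.41 eq 443
access-group outside_in in interface outside

! Existing translations are not rebuilt until the xlate table is cleared
clear xlate

! Verification: both globals should show Local 10.10.10.1, and the
! packet-tracer run should end in ALLOW with NAT to 10.10.10.1
show xlate
show running-config static
packet-tracer input outside tcp 198.51.100.5 1025 200.100.30.41 443
```

Keeping the inbound ACL scoped to specific ports matters more here than with a single static: each extra public IP mapped to the host is another path to it, and "permit ip any host" on the outside interface would expose every service on 10.10.10.1 twice.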
Wednesday, January 20, 2010