I have recently come across a fairly simple task that was decidedly difficult to figure out how to implement on the Cisco ASA: multiple external IPs NAT'd to a single internal IP.
A Google search will bring up several forums in which the consensus is that it can't be done:
"There is no way the device would allow you to have 2 public ip to point to the same internal ip."
That's not correct; sadly, if you call tier 1 Cisco support they will give you the same answer. The issue is how the ASA performs its various NATs:
static - This is a bidirectional NAT, used for traffic to the host and from the host:
static (inside,outside) public-ip internal-ip netmask 255.255.255.255
nat/global (PAT) - This is for traffic FROM the host only; traffic cannot be initiated TO the NAT IP:
nat (inside) 1 inside-ip 255.255.255.255
global (outside) 1 outside-ip
The issue is that the static is bidirectional, so the ASA will not let you add two plain statics for the same inside host: the second one would conflict with the first for outgoing traffic.
Now, I refused to accept the answer "it can't be done"... I refuse to believe that Checkpoint, the peak of early 90's technology, can do this yet the ASA cannot. So I escalated.
I was right, it can be done, and here is how:
Given two public IPs: 200.100.30.40 & 200.100.30.41
Given one private IP: 10.10.10.1
First, create a policy-NAT ACL for each public IP (both simply match all traffic from the inside host):
access-list nat1 extended permit ip host 10.10.10.1 any
access-list nat2 extended permit ip host 10.10.10.1 any
Now create a policy static for each public IP, referencing its ACL instead of naming the inside IP directly (this is what lets the ASA accept two statics for the same host):
static (inside,outside) 200.100.30.40 access-list nat1
static (inside,outside) 200.100.30.41 access-list nat2
NOTE: Traffic generated FROM the inside will always be NAT'd to the first matching static entry, so put the public IP you want the host to source from first.
You can verify with a show xlate:
Global 200.100.30.41 Local 10.10.10.1
Global 200.100.30.40 Local 10.10.10.1
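Putting the steps above together, here is the complete pre-8.3 ASA configuration for this task as an added example (it is not from the original post). It uses the post's addresses; the interface names, the ACL name outside_in, the HTTP/HTTPS services and the client address 198.51.100.5 are assumptions for illustration.

```cisco
! Added example, not from the original post. Pre-8.3 ASA syntax.
! Assumed: interfaces named inside/outside, ACL name outside_in,
! services www/https, and 198.51.100.5 as a stand-in outside client.

! One policy-NAT ACL per public IP; both match all traffic from the host.
access-list nat1 extended permit ip host 10.10.10.1 any
access-list nat2 extended permit ip host 10.10.10.1 any

! Policy statics: two statics for the same inside host are accepted
! because each is qualified by its own ACL. Order matters: outbound
! traffic from 10.10.10.1 is translated by the FIRST matching static,
! so list the address the host should source from first.
static (inside,outside) 200.100.30.40 access-list nat1
static (inside,outside) 200.100.30.41 access-list nat2

! A static alone does not permit inbound sessions. On a pre-8.3 ASA the
! outside ACL references the mapped (public) address, not 10.10.10.1.
access-list outside_in extended permit tcp any host 200.100.30.40 eq www
access-list outside_in extended permit tcp any host 200.100.30.41 eq https
access-group outside_in in interface outside

! Verification: both translations should be listed ...
show xlate
! ... and an inbound packet to the second public IP should untranslate
! to 10.10.10.1 and be allowed by outside_in.
packet-tracer input outside tcp 198.51.100.5 12345 200.100.30.41 443
```

If the host already had a plain static or nat/global translation before you added these, run clear xlate afterwards so existing translations are rebuilt against the new statics; otherwise show xlate may keep showing the old mapping.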