
Cisco ASA 5510. I currently have a NAT for SMTP on one outside IP to an internal IP. I need to set up 2 external IPs to NAT to the same IP internally. How can I do that? Example:

10.10.10.1 25 --> 192.168.0.200 25
10.10.10.3 25 --> 192.168.0.200 25

Keith

You won't be able to use static PAT for this, as you would break the 1:1 mapping rule. The firewall has to know what mapping to use in both directions, both in->out and out->in. In your case, if 192.168.0.200 originated a connection from port 25, the firewall would not know which global IP to use. In other words, it's not possible this way.

The easiest solution would be to assign an additional IP address on the internal device and keep the NATs clean. Let's say you assign an additional IP of 192.168.0.201. The configuration would be:

static (inside,outside) tcp 10.0.0.1 25 192.168.0.200 25
static (inside,outside) tcp 10.0.0.3 25 192.168.0.201 25
skrobul
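The 1:1 rule the answer above relies on can be checked mechanically: a static translation must be unambiguous when keyed on the inside (real) socket and when keyed on the outside (mapped) socket. The Python model below is an added example, not part of the original answer or of any Cisco tooling; the rule tuples and addresses are constructed from the question, and the command rendering follows the pre-8.3 `static` syntax shown in the answer.

```python
from collections import defaultdict

# A rule is (proto, real_ip, real_port, mapped_ip, mapped_port):
# the inside (real) socket and the outside (mapped) socket it is translated to.
def check_static_rules(rules):
    """Return conflict descriptions; an empty list means every lookup is unambiguous."""
    by_real = defaultdict(list)    # inside->outside lookups, keyed on the real socket
    by_mapped = defaultdict(list)  # outside->inside lookups, keyed on the mapped socket
    for proto, real_ip, real_port, mapped_ip, mapped_port in rules:
        by_real[(proto, real_ip, real_port)].append((mapped_ip, mapped_port))
        by_mapped[(proto, mapped_ip, mapped_port)].append((real_ip, real_port))
    conflicts = []
    for key, targets in by_real.items():
        if len(targets) > 1:
            conflicts.append(f"inside->outside ambiguous for {key}: {targets}")
    for key, targets in by_mapped.items():
        if len(targets) > 1:
            conflicts.append(f"outside->inside ambiguous for {key}: {targets}")
    return conflicts

def to_static_cmds(rules, real_ifc="inside", mapped_ifc="outside"):
    """Render rules in the pre-8.3 'static (real,mapped) tcp mapped mport real rport' form."""
    return [
        f"static ({real_ifc},{mapped_ifc}) {proto} {mapped_ip} {mapped_port} {real_ip} {real_port}"
        for proto, real_ip, real_port, mapped_ip, mapped_port in rules
    ]

# Constructed rule sets using the addresses from the question.
ASKED = [  # two global IPs onto one real socket: out->in is unique, in->out is not
    ("tcp", "192.168.0.200", 25, "10.10.10.1", 25),
    ("tcp", "192.168.0.200", 25, "10.10.10.3", 25),
]
FIXED = [  # a second real IP on the mail server keeps both lookup tables 1:1
    ("tcp", "192.168.0.200", 25, "10.10.10.1", 25),
    ("tcp", "192.168.0.201", 25, "10.10.10.3", 25),
]

if __name__ == "__main__":
    for name, rules in (("asked", ASKED), ("fixed", FIXED)):
        print(name, check_static_rules(rules) or "ok")
        print("\n".join(to_static_cmds(rules)))
```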

With IOS 8.2 or below:

access-list SMTP-Services extended permit ip host 192.168.0.200 host 10.10.10.1
access-list SMTP-Services2 extended permit ip host 192.168.0.200 host 10.10.10.3

static (InternalInterface,ExternalInterface) 10.10.10.1 access-list SMTP-Services
static (InternalInterface,ExternalInterface) 10.10.10.3 access-list SMTP-Services2

Sorry, I had understood the exact opposite of what you wanted to do.

Don't forget to add an access-list on your External Interface.

access-list _outside-in_ extended permit tcp host 10.10.10.1 host _YourExternalIP_ eq smtp
access-list _outside-in_ extended permit tcp host 10.10.10.3 host _YourExternalIP_ eq smtp
Alex

First you will need to upgrade to ASA post-8.3. Create an object network with the range of IPs for the public. Then create an object network for the inside/real IP address of the server. Then add a nat statement calling the first object.

!
object network outside_email
 range 10.10.10.1 10.10.10.2

!
!
object network inside_email
 host 192.168.0.200
 nat (inside,outside) static outside_email
Scott Pack
BillyC5022

There is this same question on another Stack Exchange site here. This works because the protocol, source IP, destination IP and port are all part of the key for this 1:1 mapping. It's also a great technique for network resilience if BGP is out of grasp.