Multiple Public IP to 1 Private IP (DMZ), ASA 5510

Discussion in 'Cisco' started by Cityexplorer, Aug 1, 2006.

  1. Cityexplorer

    Cityexplorer Guest

    I'm playing with our new ASA 5510

    I try to map 2 public IP to 1 Private (DMZ) using ASDM.

    e.g. 209.x.x.128 and 209.x.x.129 both map to 192.168.x.3

    What I tried to do is set 2 PAT and 2 Access Rules by ASDM

    I set up one PAT for 209.x.x.128 -> 192.168.x.3
    I set up one Access Rule for incoming 209.x.x.128 -> 192.168.x.3 for
    port 80, let's say.

    but ASDM doesn't allow me to set up another PAT for 209.x.x.129 ->

    Furthermore, could I map/NAT/PAT different port of 1 public IP (e.g.
    DNS, Web) to different private IP (2 physical servers, DNS server and
    Web server )

    Hmm.. any hints on how I could do it by ASDM or command line?

    Cityexplorer, Aug 1, 2006

  2. What you have described above this point is NAT (Network Address
    Translation), without PAT (Port Address Translation).
    access-group applied to an interface does not affect network
    address translation.

    ASA (and PIX) separate the sequence into two parts:
    1) an address translation (roughly "Which address combination
    would get through to which internal destinations, if the access
    controls allowed the packets to proceed?"); and
    2) access controls (roughly "What accesses are permitted to
    be tried, if there is a valid address translation for the access?").

    You need to satisfy -both- parts to gain access, and you are having
    problems with the address translation part.

    This is tied closely with the above topic.

    What the ASA (and PIX) need are rules that unambiguously
    translate addresses and ports. It is, for example, completely
    valid on either device to configure, "When -any- outside device
    attempts to contact IP X on port Y, then send the request to
    port C of IP B, but when -any- outside device attempts to
    contact IP X on port Z, then send the request to port E of IP D."
    In this example, the internal destination address is decidable by
    looking mechanically at the public destination address,
    the protocol, and the destination port.

    In what you described first, you did not mention any way that
    the ASA would be able to mechanically determine which was
    the real destination host/port.

    In your follow-up question, you *would* be selecting based
    upon port, and yes, that's no problem.

    The selection criteria can be relatively complex: for example,
    it could depend upon the exact source address and source port,
    as well as the destination IP and port.
    Walter Roberson, Aug 1, 2006

  3. Cityexplorer

    Cityexplorer Guest

    Thanks for your response, and I think I understand what you mean since I
    can configure Linux iptables to do what I want.

    I just don't know how to use ASDM to specify the detailed NAT rules,
    let's say for IP A port P (public) to IP X port Z (DMZ).

    I could only do IP A to IP X + Access rule, and I can get the web
    server working in the DMZ for the public.

    I believe I need to use policy NAT to specify the source/dest of
    IP/ports.. Hmm..

    If anyone has links to docs or examples that I could follow, it would be

    Cityexplorer, Aug 1, 2006
  4. Walter Roberson, Aug 1, 2006
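The port-based split Walter describes (one public IP, web and DNS sent to two different DMZ servers) and the "IP A port P to IP X port Z" rule Cityexplorer is asking for, written as an added CLI example for the pre-8.3 ASA syntax of that era; this is not configuration from the thread, and the addresses (203.0.113.128 public, 192.168.10.3 web, 192.168.10.4 DNS) and interface names are constructed placeholders:

```cisco
! Constructed example, not from the thread. Pre-8.3 ASA syntax (ASA 7.x, as
! shipped on the 5510 in 2006). Interfaces "outside" and "dmz" are assumed.
! 203.0.113.128 = one public IP; 192.168.10.3 = web server; 192.168.10.4 = DNS.

! Part 1: address translation (static PAT, i.e. port-level static).
! Each rule is unambiguous: mapped IP + protocol + port selects exactly one
! real host/port, so the ASA can decide the destination mechanically.
static (dmz,outside) tcp 203.0.113.128 www    192.168.10.3 www    netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.128 https  192.168.10.3 https  netmask 255.255.255.255
static (dmz,outside) udp 203.0.113.128 domain 192.168.10.4 domain netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.128 domain 192.168.10.4 domain netmask 255.255.255.255

! Part 2: access control. On pre-8.3 code the inbound ACL matches the
! mapped (public) address, and it permits only the ports that have a
! translation. Anything else to 203.0.113.128 hits the implicit deny and
! has no xlate to match, so it is dropped.
access-list outside_in extended permit tcp any host 203.0.113.128 eq www
access-list outside_in extended permit tcp any host 203.0.113.128 eq https
access-list outside_in extended permit udp any host 203.0.113.128 eq domain
access-list outside_in extended permit tcp any host 203.0.113.128 eq domain
access-group outside_in in interface outside

! Checks: the statics should appear as xlates, and ACL hit counts should
! increase only on the lines you expect.
! show xlate
! show access-list outside_in
```

Because both parts must match, a rule that is missing from either the static PAT set or the ACL results in a silent drop, so when a translated port is unreachable, check `show xlate` and the ACL hit counts before changing anything else.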
