Multiple Public IP to 1 Private IP (DMZ), ASA 5510

I'm playing with our new ASA 5510

I try to map 2 public IP to 1 Private (DMZ) using ASDM.

e.g. 209.x.x.128 and 209.x.x.129 both map to 192.168.x.3

What i tried to do is set 2 PAT and 2 Access Rules by ASDM

I set up one PAT for 209.x.x.128 -> 192.168.x.3
I set up one Access Rules for incomping 209.x.x.128 -> 192.168.x.3 for
port 80, let say.

but ASDM doesn't allow me to setup another PAT for 209.x.x.129 ->
192.168.x.3

Furthermore, could I map/NAT/PAT different port of 1 public IP (e.g.
DNS, Web) to different private IP (2 physical servers, DNS server and
Web server )

Hmm.. any hints how could I do it by ASDM or command line?

Thanks

 

What you have described above this point is NAT (Network Address
Translation), without PAT (Port Address Translation.)

access-group applied to an an interface does not affect network
address translation.

ASA (and PIX) seperate the sequence into two parts:
1) an address translation (roughly "Which address combination
would get through to which internal destinations, if the access
controls allowed the packets to proceed); and
2) access controls (roughly "What accesses are permitted to
be tried, if there is a valid address translation for the access?".

You need to satisfy -both- parts to gain access, and you are having
problems with the address translation part.

This is tied closely with the above topic.

What the ASA (and PIX) need are rules that unambiguously
translates addresses and ports. It is, for example, completely
valid on either device to configure, "When -any- outside device
attempts to contact IP X on port Y, then send the request to
port C of IP B, but when -any- outside device attempts to
contact IP X on port Z, then send the request to port E of IP D.
In this example, the internal destination address is decideable by
looking mechanically at the public destination address,
the protocol, and the destination port.

In what you described first, you did not mention any way that
the ASA would be able to mechanically detemrine which was
the real destination host/port.

In your follow-up question, you *would* be selecting based
upon port, and Yes, that's no problem.

The selection criteria can be relatively complex: for example,
it could depend upon the exact source address and source port,
as well as the destination IP and port.

 

Thanks for your response and I think I understand what you mean since I
can configure Linux Iptable to do what I want.

I'm just don't know how to use ASDM to specify the detail NAT rules,
let say for IP A Port P (public) to IP X port Z (DMZ).

I only could do IP A to IP X + Access rule, and I can get the web
server works in DMZ, for public.

I believe I need to use policy NAT to specify the source/dest of
IP/ports.. Hmm..

If any one has links of doc or example that I could follow would be
good..

Thanks.

 

Sorry, I don't know that either. I have not had access to a PIX 7
or ASA, and I seldom used PDM on PIX 6. It's fairly easy from the CLI.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1540284