Multiple Public IP to 1 Private IP (DMZ), ASA 5510

I'm playing with our new ASA 5510

I try to map 2 public IP to 1 Private (DMZ) using ASDM.

e.g. 209.x.x.128 and 209.x.x.129 both map to 192.168.x.3

What i tried to do is set 2 PAT and 2 Access Rules by ASDM

I set up one PAT for 209.x.x.128 -> 192.168.x.3 I set up one Access Rules for incomping 209.x.x.128 -> 192.168.x.3 for port 80, let say.

but ASDM doesn't allow me to setup another PAT for 209.x.x.129 ->


Furthermore, could I map/NAT/PAT different port of 1 public IP (e.g. DNS, Web) to different private IP (2 physical servers, DNS server and Web server )

Hmm.. any hints how could I do it by ASDM or command line?


Reply to
Loading thread data ...

What you have described above this point is NAT (Network Address Translation), without PAT (Port Address Translation.)

access-group applied to an an interface does not affect network address translation.

ASA (and PIX) seperate the sequence into two parts:

1) an address translation (roughly "Which address combination would get through to which internal destinations, if the access controls allowed the packets to proceed); and 2) access controls (roughly "What accesses are permitted to be tried, if there is a valid address translation for the access?".

You need to satisfy -both- parts to gain access, and you are having problems with the address translation part.

This is tied closely with the above topic.

What the ASA (and PIX) need are rules that unambiguously translates addresses and ports. It is, for example, completely valid on either device to configure, "When -any- outside device attempts to contact IP X on port Y, then send the request to port C of IP B, but when -any- outside device attempts to contact IP X on port Z, then send the request to port E of IP D. In this example, the internal destination address is decideable by looking mechanically at the public destination address, the protocol, and the destination port.

In what you described first, you did not mention any way that the ASA would be able to mechanically detemrine which was the real destination host/port.

In your follow-up question, you *would* be selecting based upon port, and Yes, that's no problem.

The selection criteria can be relatively complex: for example, it could depend upon the exact source address and source port, as well as the destination IP and port.

Reply to
Walter Roberson

Thanks for your response and I think I understand what you mean since I can configure Linux Iptable to do what I want.

I'm just don't know how to use ASDM to specify the detail NAT rules, let say for IP A Port P (public) to IP X port Z (DMZ).

I only could do IP A to IP X + Access rule, and I can get the web server works in DMZ, for public.

I believe I need to use policy NAT to specify the source/dest of IP/ports.. Hmm..

If any one has links of doc or example that I could follow would be good..


Walter Robers> > >I'm playing with our new ASA 5510

Reply to

Sorry, I don't know that either. I have not had access to a PIX 7 or ASA, and I seldom used PDM on PIX 6. It's fairly easy from the CLI.

formatting link

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.