Multiple Public IP to 1 Private IP (DMZ), ASA 5510

I'm playing with our new ASA 5510

I try to map 2 public IP to 1 Private (DMZ) using ASDM.

e.g. 209.x.x.128 and 209.x.x.129 both map to 192.168.x.3

What I tried to do was set up 2 PATs and 2 Access Rules in ASDM.

I set up one PAT for 209.x.x.128 -> 192.168.x.3. I set up one Access Rule for incoming 209.x.x.128 -> 192.168.x.3 for port 80, let's say.

But ASDM doesn't allow me to set up another PAT for 209.x.x.129 -> 192.168.x.3.

Furthermore, could I map/NAT/PAT different ports of 1 public IP (e.g. DNS, Web) to different private IPs (2 physical servers, a DNS server and a Web server)?

Hmm.. any hints on how I could do it by ASDM or command line?

Thanks

Cityexplorer

What you have described above this point is NAT (Network Address Translation), without PAT (Port Address Translation.)

access-group applied to an interface does not affect network address translation.

ASA (and PIX) separate the sequence into two parts:

1) an address translation (roughly "Which address combination would get through to which internal destinations, if the access controls allowed the packets to proceed?"); and 2) access controls (roughly "What accesses are permitted to be tried, if there is a valid address translation for the access?").

You need to satisfy -both- parts to gain access, and you are having problems with the address translation part.

This is tied closely with the above topic.

What the ASA (and PIX) need are rules that unambiguously translate addresses and ports. It is, for example, completely valid on either device to configure, "When -any- outside device attempts to contact IP X on port Y, then send the request to port C of IP B, but when -any- outside device attempts to contact IP X on port Z, then send the request to port E of IP D." In this example, the internal destination address is decidable by looking mechanically at the public destination address, the protocol, and the destination port.

In what you described first, you did not mention any way that the ASA would be able to mechanically determine which was the real destination host/port.

In your follow-up question, you *would* be selecting based upon port, and Yes, that's no problem.

The selection criteria can be relatively complex: for example, it could depend upon the exact source address and source port, as well as the destination IP and port.

Walter Roberson
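As an added illustration of the port-based selection described above (example config, not posted by anyone in the thread), assuming pre-8.3 ASA/PIX 7 `static` syntax, interface names `outside` and `dmz`, and a constructed DNS server address 192.168.x.4; the x octets are kept as the poster wrote them and must be replaced with real values:

```cisco
! Added example, not from the thread. Pre-8.3 ASA / PIX 7 syntax assumed.
! Interface names (outside, dmz) and the DNS server 192.168.x.4 are assumptions;
! the x octets are the poster's placeholders, not valid addresses.
!
! Part 1: translation. Port-level static entries: the public destination
! address, the protocol and the destination port together select the DMZ
! host, so each rule is unambiguous to the firewall.
static (dmz,outside) tcp 209.x.x.128 www 192.168.x.3 www netmask 255.255.255.255
static (dmz,outside) udp 209.x.x.128 domain 192.168.x.4 domain netmask 255.255.255.255
static (dmz,outside) tcp 209.x.x.128 domain 192.168.x.4 domain netmask 255.255.255.255
!
! Part 2: access control. Permit from outside only the ports that have a
! translation; everything else to 209.x.x.128 is dropped by the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 209.x.x.128 eq www
access-list OUTSIDE_IN extended permit udp any host 209.x.x.128 eq domain
access-list OUTSIDE_IN extended permit tcp any host 209.x.x.128 eq domain
access-group OUTSIDE_IN in interface outside
!
! Checks: "show xlate" lists the active translations, and
! "packet-tracer input outside tcp 203.0.113.10 40000 209.x.x.128 80"
! (203.0.113.10 is a constructed test source) walks a packet through
! both the translation and the access-list phases and reports the drop point.
```

These port-level entries cover only the listed ports; traffic the DMZ hosts originate outbound still needs its own nat/global pair or a separate static.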

Thanks for your response and I think I understand what you mean since I can configure Linux Iptable to do what I want.

I just don't know how to use ASDM to specify the detailed NAT rules, let's say for IP A Port P (public) to IP X port Z (DMZ).

I only could do IP A to IP X + Access rule, and I can get the web server working in DMZ, for public.

I believe I need to use policy NAT to specify the source/dest of IP/ports.. Hmm..

If anyone has links to docs or examples that I could follow, that would be good..

Thanks.


Cityexplorer

Sorry, I don't know that either. I have not had access to a PIX 7 or ASA, and I seldom used PDM on PIX 6. It's fairly easy from the CLI.


Walter Roberson
