Trying to setup NAT from 2 outside IPs to the same private IP


Solution 1

You won't be able to use static PAT for this, as you would break the 1:1 mapping rule. The firewall has to know what mapping to use in both directions, both in->out and out->in. In your case, if 192.168.0.200 originated a connection from port 25, the firewall would not know which global IP to use. In other words, it's not possible this way.

The easiest solution would be to assign an additional IP address on the internal device and keep the NATs clean. Let's say you assign an additional IP of 192.168.0.201. The configuration would be:

static (inside,outside) tcp 10.0.0.1 25 192.168.0.200 25
static (inside,outside) tcp 10.0.0.3 25 192.168.0.201 25
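
The 1:1 rule described in Solution 1 can be checked against a candidate configuration before it is applied. The Python check below is an added example, not part of the original answers: the function name, the small port-alias table and the first sample configuration are assumptions constructed for illustration, and it only understands the pre-8.3 `static (real_if,mapped_if) tcp|udp ...` form shown above.

```python
import re
from collections import defaultdict

# Pre-8.3 static PAT form used on this page:
#   static (real_if,mapped_if) tcp|udp <mapped_ip> <mapped_port> <real_ip> <real_port>
STATIC_PAT = re.compile(
    r"^\s*static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)", re.IGNORECASE)

# Assumption: partial alias table, enough for the SMTP case discussed here.
PORT_ALIASES = {"smtp": "25"}

def _port(token):
    token = token.lower()
    return PORT_ALIASES.get(token, token)

def find_static_pat_conflicts(config_text):
    """Return [(key, mapped_endpoints)] where one real ip/port maps to several
    global endpoints; key = (real_if, mapped_if, proto, real_ip, real_port)."""
    by_real = defaultdict(list)
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line)
        if not m:
            continue  # ACLs, comments and other NAT forms are ignored
        key = (m["real_if"].lower(), m["mapped_if"].lower(),
               m["proto"].lower(), m["real_ip"], _port(m["real_port"]))
        mapped = (m["mapped_ip"], _port(m["mapped_port"]))
        if mapped not in by_real[key]:
            by_real[key].append(mapped)
    return [(k, v) for k, v in by_real.items() if len(v) > 1]

# Constructed sample: the mapping the question asks for, written as static PAT.
QUESTION_ATTEMPT = """
static (inside,outside) tcp 10.10.10.1 25 192.168.0.200 25
static (inside,outside) tcp 10.10.10.3 smtp 192.168.0.200 smtp
"""
# The two lines from Solution 1 (second internal address added).
SOLUTION_1 = """
static (inside,outside) tcp 10.0.0.1 25 192.168.0.200 25
static (inside,outside) tcp 10.0.0.3 25 192.168.0.201 25
"""

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_ATTEMPT), ("solution 1", SOLUTION_1)):
        for key, mapped in find_static_pat_conflicts(cfg):
            print(f"{name}: {key[3]}:{key[4]}/{key[2]} is ambiguous -> {mapped}")
```
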

Solution 2

First, you will need to upgrade to ASA post-8.3. Create an object network with the range of IPs for the public side. Then create an object network for the inside/real IP address of the server. Then add a nat statement calling the first object.

!
object network outside_email
 range 10.10.10.1 10.10.10.2

!
!
object network inside_email
 host 192.168.0.200
 nat (inside,outside) static outside_email

Solution 3

With IOS 8.2 or below:

access-list SMTP-Services extended permit ip host 192.168.0.200 host 10.10.10.1
access-list SMTP-Services2 extended permit ip host 192.168.0.200 host 10.10.10.3

static (InternalInterface,ExternalInterface) 10.10.10.1 access-list SMTP-Services
static (InternalInterface,ExternalInterface) 10.10.10.3 access-list SMTP-Services2

Sorry, I had understood the exact opposite of what you wanted to do.

Don't forget to add an access-list on your External Interface.

access-list _outside-in_ extended permit tcp host 10.10.10.1 host _YourExternalIP_ eq smtp
access-list _outside-in_ extended permit tcp host 10.10.10.3 host _YourExternalIP_ eq smtp
Author by

Keith

Updated on September 18, 2022

Comments

  • Keith
    Keith over 1 year

    Cisco ASA 5510. I currently have a NAT for SMTP on one outside IP to an internal IP. I need to set up 2 external IPs to NAT to the same IP internally. How can I do that? ex:

    10.10.10.1 25 --> 192.168.0.200 25
    10.10.10.3 25 --> 192.168.0.200 25

    • kralyk
      kralyk over 11 years
      What external IP do you want the internal one to respond with through the firewall? Are you needing PAT? Expound on what you are trying to accomplish (multiple ISPs, separating apps, etc.).
    • 1.618
      1.618 over 11 years
      Could you elaborate on why you want to do this? It would be easier to multi-home your SMTP server and create a 1-to-1 nat for each of its two addresses...
    • Keith
      Keith over 11 years
      One outside IP currently points to spam filter and another IP points to Exchange. I want both IPs to point to spam filter. I just changed providers and firewalls. My old firewall allowed this function and wasn't changing the setup really, unless I have to.
  • Exzlanttt
    Exzlanttt over 11 years
    There are two things. One, I made a slight mistake (see edit): you need two different access-lists. Also, I think you are mixing up the IPs. When you do a static, you have to make it as if your local IP wanted to NAT going outside. Since it's a static NAT, when the external IP hits your ASA, it will translate it to the local IP.
  • Exzlanttt
    Exzlanttt over 11 years
    It would also help to know what version of IOS you are running, with a show version, because between IOS 8.2 and IOS 8.3, NAT configuration has changed a lot.