PIX/ASA 7.x: Translate Multiple Global IP Addresses to a Single Local IP Address using Static Policy NAT

Introduction

This document provides a sample configuration for mapping one local IP address to two or more global IP addresses through policy-based static Network Address Translation (NAT) on the PIX/Adaptive Security Appliance (ASA) 7.x software.

Prerequisites

Requirements

Ensure that you meet this requirement before you attempt this configuration:

  • Ensure that you have a working knowledge of the PIX/ASA 7.x CLI and prior experience configuring access-lists and static NAT.

Components Used

The information in this document is based on these software and hardware versions:

  • This specific example uses an ASA 5520. However the policy NAT configurations work on any PIX or ASA appliance that runs 7.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

This configuration example has an internal web server at 192.168.100.50, located behind the ASA. The requirement is that the server needs to be accessible to the outside network interface by its internal IP address of 192.168.100.50 and its external address of 172.16.171.125. There is also a security policy requirement that the private IP address of 192.168.100.50 can only be accessed by the 172.16.171.0/24 network. Additionally, Internet Control Message Protocol (ICMP) and port 80 traffic are the only protocols allowed inbound to the internal web server. Since there are two global IP addresses mapped to one local IP address, you need to use policy NAT. Otherwise, the PIX/ASA rejects the two one-to-one statics with an overlapping address error.

Note: Use the Command Lookup Tool ( registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup

pixasa-multi-ip-single-ip-1.gif

Configuration

This document uses this configuration.

ciscoasa(config)#show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.171.124 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive



!--- policy_nat_web1 and policy_nat_web2 are two access-lists that match the source
!--- address we want to translate on. Two access-lists are required, though they
!--- can be exactly the same.


access-list policy_nat_web1 extended permit ip host 192.168.100.50 any
access-list policy_nat_web2 extended permit ip host 192.168.100.50 any



!--- The inbound_outside access-list defines the security policy, as previously described.
!--- This access-list is applied inbound to the outside interface.


access-list inbound_outside extended permit tcp 172.16.171.0 255.255.255.0
host 192.168.100.50 eq www
access-list inbound_outside extended permit icmp 172.16.171.0 255.255.255.0
host 192.168.100.50 echo-reply
access-list inbound_outside extended permit icmp 172.16.171.0 255.255.255.0
host 192.168.100.50 echo
access-list inbound_outside extended permit tcp any host 172.16.171.125 eq www
access-list inbound_outside extended permit icmp any host 172.16.171.125 echo-reply
access-list inbound_outside extended permit icmp any host 172.16.171.125 echo
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


!--- This first static allows users to reach the translated global IP address of the
!--- web server. Since this static appears first in the configuration, for connections
!--- initiated outbound from the internal web server, the ASA translates the source
!--- address to 172.16.171.125.


static (inside,outside) 172.16.171.125 access-list polic