Introduction
This document provides a sample configuration for mapping one local IP address to two or more global IP addresses through policy-based static Network Address Translation (NAT) on the PIX/Adaptive Security Appliance (ASA) 7.x software.
Prerequisites
Requirements
Ensure that you meet this requirement before you attempt this configuration:
- Ensure that you have a working knowledge of the PIX/ASA 7.x CLI and prior experience configuring access-lists and static NAT.
Components Used
The information in this document is based on these software and hardware versions:
- This specific example uses an ASA 5520. However, the policy NAT configurations work on any PIX or ASA appliance that runs 7.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
This configuration example has an internal web server at 192.168.100.50, located behind the ASA. The requirement is that the server must be reachable through the outside network interface by both its internal IP address of 192.168.100.50 and its external address of 172.16.171.125. There is also a security policy requirement that the private IP address of 192.168.100.50 can only be accessed by the 172.16.171.0/24 network. Additionally, Internet Control Message Protocol (ICMP) and port 80 traffic are the only traffic allowed inbound to the internal web server. Since there are two global IP addresses mapped to one local IP address, you need to use policy NAT. Otherwise, the PIX/ASA rejects the two one-to-one statics with an overlapping address error.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
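The requirements above can be expressed in PIX/ASA 7.x policy static NAT syntax as follows. This is an added example, not the configuration from the original document. The ACL names, the interface names inside and outside, and the choice to leave the external address open to any source are assumptions.

```cisco
! Added example. ACL names (pnat_private, pnat_public, outside_in) are
! hypothetical; "inside" and "outside" are assumed interface names.

! Policy NAT ACLs: source is the real (local) server address,
! destination is the set of remote hosts that the mapping applies to.
access-list pnat_private extended permit ip host 192.168.100.50 172.16.171.0 255.255.255.0
access-list pnat_public extended permit ip host 192.168.100.50 any

! Two statics for one local address. Each references a different ACL,
! which avoids the overlapping address error that two plain one-to-one
! statics produce. Static rules are evaluated in order until the first
! match, so the more specific 172.16.171.0/24 policy is listed first.
static (inside,outside) 192.168.100.50 access-list pnat_private
static (inside,outside) 172.16.171.125 access-list pnat_public

! Inbound filter: only ICMP and port 80 reach the server. The private
! address is reachable from 172.16.171.0/24 only. Allowing any source to
! the external address is an assumption; tighten it if policy requires.
access-list outside_in extended permit tcp 172.16.171.0 255.255.255.0 host 192.168.100.50 eq www
access-list outside_in extended permit icmp 172.16.171.0 255.255.255.0 host 192.168.100.50
access-list outside_in extended permit tcp any host 172.16.171.125 eq www
access-list outside_in extended permit icmp any host 172.16.171.125
access-group outside_in in interface outside
```

Everything not matched by outside_in is dropped by the implicit deny at the end of the access list, which is what enforces the restriction on the private address.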
Network Diagram
This document uses this network setup.
Configuration
This document uses this configuration.
ciscoasa(config)#show run |