cansib
Cisco ASA 5510- need 2 NAT statements for 1 internal server...
I have a Cisco ASA 5510 firewall running ASA version 8.0(3) and ASDM version 6.1(1). I have a site-to-site VPN tunnel set up with one of our software vendors. The VPN tunnel is so that the vendor can remote into our server for support. The way the VPN tunnel is set up, the internal IP of the server is NAT'd to a private IP for communicating with the vendor. This static NAT is causing this machine to not be able to communicate over the internet, since it is translated to that private IP going over the outside interface. I now have a server on the internet that I know the IP address for, that this machine needs to be able to send files to over port 22. Can I add another NAT statement that says something like, when this internal server wants to communicate with this outside server (on port 22), then apply the default NAT statement which translates internal IPs to the outside IP (internet IP) of the firewall? Can this be done? Thanks!
Mark
ASKER
That sounds good, but then don't I have to associate that new access list to a crypto map statement for it to work?
ASKER
OK, here's maybe another issue. This vendor has different support groups, depending on which piece of their software is being supported. So on our side, we have a static NAT to one private IP and several access-list statements for that private IP so it can talk to each network on the vendor's side (if that makes sense). So, in your solution, I don't just have one <vendor host or subnet>, as unfortunately they are not all in the same network address. So, can there be multiple access-list statements using the same name (vendor-access), and will the one "static (inside,outside)" work for all? Thanks!
Mark
ASKER CERTIFIED SOLUTION
ASKER
Great! I will give it a shot and let you know how it goes. Thanks for the help!
Mark
```
! Policy static NAT (ASA 8.0 syntax): the mapped address is applied only to
! traffic that matches the ACL. Traffic from the server to any other
! destination does not match this static and is handled by the other NAT rules.
access-list vendor-access extended permit ip host <real server IP> <vendor host or subnet>
static (inside,outside) <server "outside IP"> access-list vendor-access
```
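The snippet above, expanded into a fuller ASA 8.0(x) configuration to answer the two follow-up questions in the thread (does the ACL need its own crypto map entry, and can one ACL carry several vendor networks). This is an added, constructed example written for this page, not the accepted solution's text: the addresses (10.1.1.20 for the server, 192.168.50.20 for its VPN-facing mapped address, 172.16.10.0/24 and 172.16.20.0/24 for the vendor networks, 203.0.113.10 for the public SFTP peer), the ACL name vendor-vpn, the crypto map name outside_map and the NAT ID 1 are all assumptions chosen for illustration. The "before" rule is left in as a comment so the two forms can be compared.

```cisco
! Constructed example addresses, not taken from the thread:
!   inside server          10.1.1.20
!   VPN-facing mapped IP   192.168.50.20
!   vendor support nets    172.16.10.0/24, 172.16.20.0/24
!   public peer (tcp/22)   203.0.113.10
!
! --- Before (the rule that broke internet access): a regular static matches
! every packet from 10.1.1.20, so even traffic to 203.0.113.10 leaves the
! outside interface with the private source 192.168.50.20 and never returns.
! static (inside,outside) 192.168.50.20 10.1.1.20 netmask 255.255.255.255
!
! --- After: policy static NAT. Several entries can share the ACL name;
! one static line then covers every vendor network listed in the ACL.
access-list vendor-access extended permit ip host 10.1.1.20 172.16.10.0 255.255.255.0
access-list vendor-access extended permit ip host 10.1.1.20 172.16.20.0 255.255.255.0
static (inside,outside) 192.168.50.20 access-list vendor-access
!
! Anything from the server that does not match vendor-access (including
! 10.1.1.20 -> 203.0.113.10:22) falls through to the dynamic PAT rule and
! leaves with the outside interface address, like the rest of the inside net.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! The crypto ACL keeps matching on the MAPPED address, because on the ASA the
! packet is translated before it is compared against the crypto map. The tcp/22
! traffic to 203.0.113.10 is deliberately absent here, so it is not tunnelled;
! no new crypto map entry is required for it.
access-list vendor-vpn extended permit ip host 192.168.50.20 172.16.10.0 255.255.255.0
access-list vendor-vpn extended permit ip host 192.168.50.20 172.16.20.0 255.255.255.0
crypto map outside_map 10 match address vendor-vpn
!
! Check which NAT rule each flow hits before declaring victory. Existing
! translations built under the old static survive until cleared on pre-8.3 code.
! clear xlate local 10.1.1.20
! packet-tracer input inside tcp 10.1.1.20 1025 172.16.10.5 3389
! packet-tracer input inside tcp 10.1.1.20 1025 203.0.113.10 22
! show xlate
```

In the two packet-tracer runs the NAT phase should report the policy static (source rewritten to 192.168.50.20) for the vendor destination and the interface PAT for the public peer; if the second run still shows 192.168.50.20, an old translation is lingering or a broader static is still present in the running config.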