cansib

Cisco ASA 5510- need 2 NAT statements for 1 internal server...

I have a Cisco ASA 5510 firewall and I use ASA version 8.0(3) and ASDM version 6.1(1). I have a site-to-site VPN tunnel set up with one of our software vendors. The VPN tunnel is so that the vendor can remote into our server for support. The way the VPN tunnel is set up, the internal IP of the server is NAT'd to a private IP for communicating with the vendor. This static NAT is causing this machine to not be able to communicate over the internet, since it is translated to that private IP going over the outside interface. I now have a server on the internet that I know the IP address for that this machine needs to be able to send files to over port 22. Can I add another NAT statement that says something like: when this internal server wants to communicate with this outside server (on port 22), then apply the default NAT statement which translates internal IPs to the outside IP (internet IP) of the firewall? Can this be done? Thanks!

Mark
JFrederick29

You can add an access-list to the static statement which specifies to only translate to the private IP when talking with the vendor.

access-list vendor-access extended permit ip host <real server IP> <vendor host or subnet>

static (inside,outside) <server "outside IP"> access-list vendor-access
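To put the two NAT statements side by side, here is an added ASA 8.0-style configuration example; it is not from the original thread and every address in it is constructed: the real server (10.1.1.50), the vendor-facing mapped IP (192.168.250.10), three vendor support networks, the inside subnet, and the internet SFTP host (203.0.113.25) are all assumptions. It also shows the default PAT that traffic not matching the ACL falls through to, and the separate crypto-map ACL that the tunnel keys on.

```cisco
! --- Constructed example addresses (not from the thread) ---
!   real server on inside ........ 10.1.1.50
!   vendor-facing mapped IP ...... 192.168.250.10
!   vendor support networks ...... 172.20.1.0/24, 172.20.2.0/24, host 172.20.3.5
!   inside subnet ................ 10.1.1.0/24
!   internet SFTP host (port 22) . 203.0.113.25

! One ACL name, several entries: one line per vendor network.
! Only traffic from the real server to these destinations matches.
access-list vendor-access extended permit ip host 10.1.1.50 172.20.1.0 255.255.255.0
access-list vendor-access extended permit ip host 10.1.1.50 172.20.2.0 255.255.255.0
access-list vendor-access extended permit ip host 10.1.1.50 host 172.20.3.5

! Policy static NAT: the server appears as 192.168.250.10 ONLY for
! flows that match vendor-access. Static entries are evaluated before
! the dynamic nat/global pair below, so this wins for vendor traffic.
static (inside,outside) 192.168.250.10 access-list vendor-access

! Default dynamic PAT for everything else from the inside subnet,
! including 10.1.1.50 -> 203.0.113.25 tcp/22, which does not match the
! ACL and is therefore translated to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! The crypto map's interesting-traffic ACL is separate from the NAT ACL.
! Outbound NAT is applied before the crypto check, so it must reference
! the MAPPED address, one entry per vendor network (assumed to exist
! already for the tunnel; shown here for completeness).
access-list vpn-vendor extended permit ip host 192.168.250.10 172.20.1.0 255.255.255.0
access-list vpn-vendor extended permit ip host 192.168.250.10 172.20.2.0 255.255.255.0
access-list vpn-vendor extended permit ip host 192.168.250.10 host 172.20.3.5
crypto map outside_map 10 match address vpn-vendor

! After changing static entries, existing translations may keep the old
! mapping; clear them and confirm which translation each flow received:
!   clear xlate
!   show xlate | include 10.1.1.50
```

The point to verify with `show xlate` is that a vendor-bound flow shows the 192.168.250.10 mapping while an SFTP flow to 203.0.113.25 shows a PAT entry on the outside interface address.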
cansib

ASKER

That sounds good, but then don't I have to associate that new access list to a crypto map statement for it to work?

ASKER

OK, here's maybe another issue. This vendor has different support groups, depending on which piece of their software is being supported. So on our side, we have a static NAT to one private IP and several access-list statements for that private IP so it can talk to each network on the vendor's side (if that makes sense). So, in your solution, I don't just have one <vendor host or subnet>, as unfortunately they are not all in the same network address. So, can there be multiple access-list statements using the same name (vendor-access) and the one "static (inside,outside)" will work for all? Thanks!

Mark
ASKER CERTIFIED SOLUTION
JFrederick29


ASKER

Great! I will give it a shot and let you know how it goes. Thanks for the help!

Mark