Cisco ASA version 8.4 NAT question

hello Experts
There is a host 10.1.1.10 on my inside network. I have configured a static NAT mapping it to a public IP, 203.94.35.4, and configured some ACLs so that access from the internet to 203.94.35.4 is available.
At the same time, when 10.1.1.10 accesses the internet it uses 203.94.35.4.
I also have a pool defined. I want 10.1.1.10 to access the internet via the pool, while access to 203.94.35.4 from the internet remains available.
My question is: is this possible, and if yes, how do I configure it?

thanks
beardog1113Asked:

Rob Vargas (Security Analyst) Commented:
I think you're confusing two different questions.

There is a host 10.1.1.10 on my inside network. I have configured a static NAT mapping it to a public IP, 203.94.35.4, and configured some ACLs so that access from the internet to 203.94.35.4 is available.
At the same time, when 10.1.1.10 accesses the internet it uses 203.94.35.4.

You can do this, yes. It sounds like you want people to go to 203.94.35.4 and your ASA NATs that to 10.1.1.10. Take a look at this link from Cisco for additional information.
beardog1113Author Commented:
Sorry, maybe I did not describe my question clearly.
I have configured a static mapping between 10.1.1.10 and 203.94.35.4. If I access the internet from this machine it uses 203.94.35.4; for example, if I open www.dnsstuff.com it tells me my public IP address is 203.94.35.4. My question is: I want 10.1.1.10 to access the internet via another public IP address, defined in an IP pool, and I also want the static mapping to keep working; for example, when pinging 203.94.35.4 from the internet, 10.1.1.10 responds to the ICMP.

Is this possible?
Thanks
rauenpcCommented:
Well, you could indeed get a response from 203.94.35.4 if you were to ping it, assuming the correct rules are set up on the firewall to allow ICMP. However, if you want to see a source address of 10.1.1.10 over the internet, that will not work. You could ping the device whose real IP is 10.1.1.10, but across the internet it will always appear to outside devices as the public IP 203.94.35.4.

I'll take a different angle on your question, as I'm having difficulty understanding what you're truly asking. If you want inbound traffic for specific services to reach 10.1.1.10 via public IP 203.94.35.4, and when 10.1.1.10 initiates outbound internet traffic to use a different public IP from a public IP pool, this can also be done. You would define static PAT (also known as port forwarding) for specific port numbers to 10.1.1.10. You would also define a PAT pool, and that would be used for outbound.
beardog1113Author Commented:
Hello rauenpc,
Since you think this is possible, could you show me the commands for it?
My ASA version is 8.4.

Thank you
rauenpcCommented:
I had two interpretations above. Which one do you want to see commands for?
beardog1113Author Commented:
OK, my question is: is it possible to configure both at the same time?
Thanks
rauenpcCommented:
If you only needed HTTPS accessible from the outside, and wanted an outgoing PAT pool ranging from 203.94.35.5 to 203.94.35.10 to be used by 10.1.1.0/24:

object network INSIDEHOST-HTTPS
 host 10.1.1.10
 nat (inside,outside) static 203.94.35.4 service tcp https https

object network nat-pool
 range 203.94.35.5 203.94.35.10

object network SUBNET-10.1.1.0-24
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic nat-pool interface

You only need the "interface" keyword if you want to use PAT/overloading as a fallback when all the IPs in the NAT pool are used up. Also, you will need to configure your ACLs appropriately.
beardog1113Author Commented:
Hi rauenpc,
One last question: if I use your configuration, when 10.1.1.10 accesses the internet, for example pinging to the internet, will the mapped address be translated to 203.94.35.4, or to one of the public IP addresses in the pool (203.94.35.5 - 203.94.35.10)?

Thank you
Rob Vargas (Security Analyst) Commented:
rauenpc will confirm, but the static NAT should work to NAT all outbound traffic via 203.94.35.4.
rauenpcCommented:
The way I have the configuration written in the previous post, only HTTPS traffic would use the 203.94.35.4 address. All other traffic would use the pool, including if 10.1.1.10 were to ping to the internet. To get additional traffic to NAT to the .4 address you would just need to add additional static PATs for any services you also need to allow.
If you want 10.1.1.10 to always come from the .4 address no matter what traffic is being used, then we would need to set a static NAT, and not a static PAT. You would still be able to use the NAT pool for all other inside hosts. To do the static NAT, you would remove "service tcp https https" from the nat line in the previous post.
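The two variants rauenpc describes, put together as one ASA 8.4 configuration with the inbound ACL he left out and the show/packet-tracer commands used to confirm which translation a given flow hits. This is an added example, not rauenpc's post or Cisco's documentation: it reuses his object names, and assumes the interfaces are named "inside" and "outside", that 10.1.1.0/24 sits behind "inside", and an ACL name OUTSIDE-IN of my own choosing. The 198.51.100.1 address in the packet-tracer lines is a documentation-range placeholder standing in for any internet host.

```cisco
! Added example, not from the thread. Assumed names: interfaces "inside"/"outside",
! ACL OUTSIDE-IN. Object names are the ones used in rauenpc's post.
!
! --- Variant A: static PAT for HTTPS only on .4; everything else leaves via the pool
! Only connections to tcp/443 on the host (and their replies) use 203.94.35.4.
! Traffic the host itself initiates has an ephemeral source port, so it does not
! match this rule and falls through to the dynamic pool below.
object network INSIDEHOST-HTTPS
 host 10.1.1.10
 nat (inside,outside) static 203.94.35.4 service tcp https https
!
object network nat-pool
 range 203.94.35.5 203.94.35.10
!
object network SUBNET-10.1.1.0-24
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic nat-pool interface
!
! --- Variant B: static NAT (no "service" keyword). ALL traffic to and from
! 10.1.1.10 uses .4, and the host never uses the pool. Static rules are
! evaluated before dynamic ones in the object NAT section, so the host's
! static entry wins over the subnet's dynamic pool. Use A or B, not both.
! object network INSIDEHOST
!  host 10.1.1.10
!  nat (inside,outside) static 203.94.35.4
!
! Inbound ACL. On ASA 8.3 and later the ACL is matched against the REAL
! (untranslated) address, so permit to 10.1.1.10, not to 203.94.35.4.
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq https
! "ping 203.94.35.4 from the internet" needs an ICMP permit AND a translation
! that covers ICMP. Static PAT with "service" is tcp/udp only, so that only
! works with variant B; in variant A inbound echo to .4 has nothing to hit.
! access-list OUTSIDE-IN extended permit icmp any host 10.1.1.10 echo
access-group OUTSIDE-IN in interface outside
!
! Verification: see which rule each flow matches before trusting it.
! show nat detail
! show xlate
! HTTPS client from the host (ephemeral source port): variant A -> pool, B -> .4
! packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.1 443
! Ping from the host: variant A -> pool, B -> .4
! packet-tracer input inside icmp 10.1.1.10 8 0 198.51.100.1
! Inbound HTTPS from the internet to the mapped address
! packet-tracer input outside tcp 198.51.100.1 40000 203.94.35.4 443
```

The ACL is kept to the single service actually published; anything not listed is dropped by the implicit deny at the end of OUTSIDE-IN, and the packet-tracer output shows the NAT phase with the rule it selected, which is the quickest way to answer the ".4 or the pool?" question for any given flow.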
beardog1113Author Commented:
Thanks