ASA 5505 NAT traffic coming in from the VPN from one LAN IP to another

We have an ASA 5505. We have a server at a remote site printing to a printer on the LAN across the VPN. It is printing fine; however, due to limitations in the software, I need 2 different printer IP addresses on the LAN in order to print all document types. Rather than have 2 printers, I would like to use the ASA 5505 to NAT a 2nd IP address over to the same printer, thereby making the server on the remote LAN believe there are 2 printers at different IP addresses when in actuality there is just the one printer.

On the ASA I created a static NAT rule on the inside interface and entered the IP addresses; however, there appears to be an exemption for the VPN traffic, so the NAT is not being applied.

Does anyone know if what I ask is possible and how to go about NATing the incoming VPN traffic? I was using ASDM to configure the rule.

The printer would need to be able to listen on a second IP address and/or port. I doubt that it can. However, with Windows you can set up multiple printers that go to the same physical print device. You create a new printer/print queue, tell it to go to the same printer port, and change the print settings as needed for the other types of documents. We do this all the time with color copiers where we have one shared printer that is color, another that is black and white, and they go to the same device.
ffleisma (Senior Network Engineer) commented:
Are you using ASA on both sites? And which ASA version are you running (older than 8.3, or 8.3 and above)?

I'd be glad to show you how the NATing over the VPN will be done via ASDM once I get a picture of which device you are using (for remote site and local site) and which software version, since NATing on the ASA will be different for pre-8.3 and for 8.3 and above.
YMartin (Author) commented:
I only have direct access to the ASA at the site with the printer, which is running ASDM 5.2.

On Windows Server I would be limited to the number of NICs on the server. While I may be able to set this up using Windows as a proxy, the ASA would be more ideal.

The ASA should, upon receiving a packet off the VPN destined for .50, change the destination to .51. The reply packets going back out the VPN from the printer should also come from .50, not .51.

I could SSH onto the ASA if needed; however, I usually work with ASDM for NAT/ACL.

Remember there will be legitimate traffic going to .51 as well which should not be affected by the NAT.

I still believe that the ASA is the wrong place to try to do this. If the server and physical print device were on the same LAN how would we do this? I say the answer is multiple logical printers using the same port, unless I am totally misunderstanding the goal.

YMartin (Author) commented:
Thanks for the help so far.

The printers are printed to based on IP address, not printer share name. I am not saying that it would not work; however, there are quite a few other factors which come into play using Windows Server, which is why I was leaning towards the ASA solution.

The software (out of my control) is printing to the IP directly. Using Windows Server I believe I would need to either ensure that the print server role is answering correctly on the IP of one of the server NICs and I would be limited to the NICs on the server. If the software printed to shared printers on the server there would be no issue; however, we are told IP address is the only option, so my options are to provide them 2 IP addresses and manage NAT on my end or get 2 printers. They must have 2 IP addresses for the 2 types of documents they are printing.

They are loading the printer driver into their system and printing directly to the printer.
Okay, that sucks. The idea is to make one physical print device look like more than one printer to your software, correct? The only way to do that is if the network on the interface on the print device can support some sort of multiple personalities by either listening on multiple ports, using multiple IP addresses, or using multiple queue names. The ASA can't make a single IP address/port look like two IP address/port pairs. It just can't, not connecting to the same device on the other side of that NAT.

YMartin (Author) commented:
Could the ASA listen for inbound traffic to off the VPN and translate all packets over to and possibly change the source IP to something else and then a 2nd rule to listen for packets sent to the altered source IP (ASA IP?) and NAT it back to the original sender and change the source IP back to

That is kind of what I was thinking.  Based on my understanding of NAT this should be possible.