[c-nsp] Possible to make NAT decisions based on source address, on ASA?

Peter Rathlev peter at rathlev.dk
Fri May 18 04:36:10 EDT 2012


On Thu, 2012-05-17 at 22:42 -0400, Andy Dills wrote:
> On Thu, 17 May 2012, Peter Rathlev wrote:
> > No problem. Take a look at "Configuring Dynamic NAT or Dynamic PAT":
...
> Yeah, I had looked at that, and it's not quite what I'm trying to 
> accomplish.
> 
> What I want is to take a single public IP and NAT it to two separate 
> private IPs, based on source address of the incoming request.

Ah, so 10.0.0.100 and 10.0.0.200 are two different servers, and you want
requests from "outside" to hit one or the other based on the source
address of the remote clients, right?

AFAIK that's not possible, at least not using 8.2 and earlier. You can
translate the same inside address to two different outside addresses
depending on destination, but that doesn't help much. If the services
were using two different ports you could also direct requests to two
different servers, though you could still not translate based on source
address.

Maybe 8.3 and later can do it. I haven't looked at those yet but the NAT
translations have changed syntax and might now be more flexible.

Linux with iptables could do it of course. :-)

-- 
Peter
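
The iptables approach mentioned in the reply above, as an added example that is not part of the original post: a script that emits `iptables-restore` input selecting the inside server by client source address. The inside addresses 10.0.0.100 and 10.0.0.200 come from the thread; the public IP, the client prefix, and the helper name `emit_dnat_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example: source-based destination NAT for one public IP.
# 10.0.0.100 and 10.0.0.200 are from the thread; PUBLIC_IP and the
# client prefix below are constructed documentation addresses.
PUBLIC_IP="203.0.113.10"

# Constructed mapping, one entry per line: "<client source prefix> <inside server>".
# Netfilter takes the first matching rule, so the 0.0.0.0/0 catch-all stays last.
SRC_MAP="198.51.100.0/24 10.0.0.100
0.0.0.0/0 10.0.0.200"

# Hypothetical helper: print a nat table in iptables-restore format.
emit_dnat_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo "$SRC_MAP" | while read -r src server; do
        # Skip blank lines in the mapping.
        [ -n "$src" ] || continue
        # Match on both source (-s) and the shared public destination (-d).
        echo "-A PREROUTING -s $src -d $PUBLIC_IP -j DNAT --to-destination $server"
    done
    echo "COMMIT"
}

# Print the ruleset; review it before piping it to iptables-restore.
emit_dnat_rules
```

Loading the output with `iptables-restore` replaces the existing nat table unless `--noflush` is given. Connection tracking reverses the translation for replies only if the servers' return traffic passes back through the same Linux box.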



