[c-nsp] ASA 5505 NAT and asymmetric routing
Ryan West
rwest at zyedge.com
Mon Oct 8 14:17:46 EDT 2012
On Mon, Oct 08, 2012 at 13:36:57, Matthew DeSantos wrote:
> Subject: [c-nsp] ASA 5505 NAT and asymmetric routing
>
> All,
>
> Hopefully I can explain this correctly. I'm having an issue with
> communication (telnet/ssh) from a public server to remote private nodes. The issue
> is the return path, private IPs can't route via the INET. So, my
> initial thought was to plug the servers into the ASA and give them
> private IPs. However, these servers actively monitor our private IPs.
> If I change the IP of the server(s) this will require a lot of manual
> changes. The private nodes will need to be updated to allow the new
> private IP access. I'm thinking I need to configure static PAT or some
> sort of NAT. This is where I'm stuck and don't fully understand how to implement. The setup is below:
>
> Public Server(s) -[ROUTER]---ASA====tunnel=====ASA--[ROUTER] Private IP (10.1.0.0/17)
>
Not sure what version of code you're running, but assuming it's 8.2 or below, you can try this:

static (inside,outside) tcp public_address 23 private_address 23
static (inside,outside) tcp public_address 22 private_address 22

Then you just update your outside ACL to allow those services through. If you do a one-to-one translation for the public to private address, you'll need a no nat ACL to fix your private communications.

-ryan
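
The pieces named in the reply above (static PAT, the outside ACL entry, and the no-NAT exemption), written out as one ASA 8.2-style fragment. This is an added example, not configuration from the original post; every address except 10.1.0.0/17 and both ACL names are constructed assumptions, marked in the comments.

```cisco
! Constructed values (assumptions, not from the post):
!   203.0.113.10     stands in for public_address (outside interface side)
!   192.168.10.10    stands in for private_address (inside interface side)
!   198.51.100.0/24  permitted source of the telnet/ssh sessions
!   OUTSIDE-IN, NONAT are hypothetical ACL names
! From the post: 10.1.0.0/17 (mask 255.255.128.0) is the remote private range.

! 1. Static PAT, ASA 8.2 and earlier syntax: only TCP 23 and 22 are translated.
static (inside,outside) tcp 203.0.113.10 23 192.168.10.10 23 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 22 192.168.10.10 22 netmask 255.255.255.255

! 2. Outside ACL. On 8.2 and earlier the entry matches the translated
!    (public) address, and the source is limited to the hosts that need it.
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 23
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 22
access-group OUTSIDE-IN in interface outside

! 3. NAT exemption ("no nat" ACL). Traffic between the private address and
!    the remote private range is matched here and left untranslated, so it
!    still matches the tunnel's interesting-traffic definition.
access-list NONAT extended permit ip host 192.168.10.10 10.1.0.0 255.255.128.0
nat (inside) 0 access-list NONAT

! 4. Checks after applying:
!    show xlate
!      lists the two PAT entries for ports 23 and 22
!    show access-list OUTSIDE-IN
!      hit counters rise only for the permitted source range
!    packet-tracer input outside tcp 198.51.100.20 12345 203.0.113.10 22
!      walks a constructed inbound ssh packet through the ACL and
!      un-translation phases and reports the final allow/drop result
```

On 8.3 and later the NAT syntax is different and interface ACLs match the real (private) address rather than the translated one, so this fragment applies only to the 8.2-or-below case the reply assumes.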