[c-nsp] ASA 5505 NAT and asymmetric routing
Matthew DeSantos
mdesantos22 at yahoo.com
Mon Oct 8 15:50:36 EDT 2012
Thanks Ryan,
I'll give this a try. I had something like the below configured, but the rest of the communication broke. I completely forgot about the nonat ACL.
________________________________
From: Ryan West <rwest at zyedge.com>
To: Matthew DeSantos <mdesantos22 at yahoo.com>; "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Monday, October 8, 2012 2:17 PM
Subject: RE: [c-nsp] ASA 5505 NAT and asymmetric routing
On Mon, Oct 08, 2012 at 13:36:57, Matthew DeSantos wrote:
> Subject: [c-nsp] ASA 5505 NAT and asymmetric routing
>
> All,
>
> Hopefully I can explain this correctly. I'm having an issue with
> communication (telnet/ssh) from a public server to remote private
> nodes. The issue is the return path: private IPs can't route via the
> INET. So, my initial thought was to plug the servers into the ASA and
> give them private IPs. However, these servers actively monitor our
> private IPs. If I change the IP of the server(s) this will require a
> lot of manual changes. The private nodes will need to be updated to
> allow the new private IP access. I'm thinking I need to configure
> static PAT or some sort of NAT. This is where I'm stuck and don't
> fully understand how to implement. The setup is below:
>
> Public Server(s) -[ROUTER]---ASA====tunnel=====ASA--[ROUTER] Private IP (10.1.0.0/17)
>
Not sure what version of code you're running, but assuming it's 8.2 or below, you can try this:
static (inside,outside) tcp public_address 23 private_address 23
static (inside,outside) tcp public_address 22 private_address 22
Then you just update your outside ACL to allow those services through. If you do a one-to-one translation for the public to private address, you'll need a no-NAT ACL to fix your private communications.
-ryan
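As an added example (not Ryan's or Matthew's configuration), here are the three pieces Ryan names written out in full ASA 8.2 syntax. All addresses are constructed placeholders: 203.0.113.10 is the public (mapped) address on the outside interface, 192.168.10.50 the private (real) address of the host behind the ASA on an assumed 192.168.10.0/24 inside network, 10.1.0.0/17 the private network across the tunnel from the original diagram, and 198.51.100.5 an assumed management host that is allowed to reach the two services. The argument order of `static` is the usual stumbling block: the mapped address and port come first, the real address and port second.

```cisco
! Added example, ASA 8.2 syntax. Addresses are constructed placeholders:
!   203.0.113.10    public (mapped) address on the outside interface
!   192.168.10.50   private (real) address of the host behind the ASA
!   192.168.10.0/24 assumed inside network
!   10.1.0.0/17     private network across the tunnel (from the diagram)
!   198.51.100.5    assumed management host permitted to reach the services

! 1. NAT exemption (the "nonat" ACL). nat 0 is evaluated before static and
!    dynamic rules, so traffic between the inside network and the remote
!    private network crosses the tunnel untranslated. Without it a one-to-one
!    static or a dynamic NAT rewrites the source and the far side sees a
!    public address it cannot route back to.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.128.0
nat (inside) 0 access-list NONAT

! 2. Static PAT for only the two services. Order is
!    static (real_ifc,mapped_ifc) tcp <mapped ip> <mapped port> <real ip> <real port>
!    Only tcp/22 and tcp/23 of 192.168.10.50 are reachable from outside;
!    every other port on the host stays unexposed.
static (inside,outside) tcp 203.0.113.10 22 192.168.10.50 22 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 23 192.168.10.50 23 netmask 255.255.255.255

! 3. Outside ACL. In 8.2 and earlier the interface ACL matches the mapped
!    (public) address. Restrict the source instead of permitting "any".
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 203.0.113.10 eq 22
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 203.0.113.10 eq 23
access-group OUTSIDE_IN in interface outside
```

To check the result, `show xlate` lists the two static PAT entries, and `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 22` walks the ACL, NAT and route phases and names the phase that drops a packet if something is still wrong; `packet-tracer input inside tcp 192.168.10.50 40000 10.1.0.20 22` should show the NAT-exempt phase matching NONAT. Ryan's question about the version matters because 8.3 and later replaced this syntax with object NAT and made interface ACLs match the real address rather than the mapped one.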