[c-nsp] ASA 5505 NAT and asymmetric routing

Matthew DeSantos mdesantos22 at yahoo.com
Mon Oct 8 15:50:36 EDT 2012


Thanks Ryan,
I'll give this a try. I had something like the below configured, but the rest of the communication broke. I completely forgot about the nonat ACL.


________________________________
 From: Ryan West <rwest at zyedge.com>
To: Matthew DeSantos <mdesantos22 at yahoo.com>; "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net> 
Sent: Monday, October 8, 2012 2:17 PM
Subject: RE: [c-nsp] ASA 5505 NAT and asymmetric routing
 
On Mon, Oct 08, 2012 at 13:36:57, Matthew DeSantos wrote:
> Subject: [c-nsp] ASA 5505 NAT and asymmetric routing
> 
> All,
> 
> Hopefully I can explain this correctly. I'm having an issue with 
> communication
> (telnet/ssh) from a public server to remote private nodes. The issue 
> is the return path, private IPs can't route via the INET. So, my 
> initial thought was to plug the servers into the ASA and give them 
> private IPs. However, these servers actively monitor our private IPs. 
> If I change the IP of the server(s) this will require a lot of manual 
> changes. The private nodes will need to be updated  to allow the new 
> private IP access. I'm thinking I need to configure static PAT or some 
> sort of NAT. This is where I'm stuck and don't fully understand how to implement. The setup is below:
> 
> Public Server(s) -[ROUTER]---ASA====tunnel=====ASA--[ROUTER] Private 
> IP (10.1.0.0/17)
> 

Not sure what version of code you're running, but assuming it's 8.2 or below, you can try this:

Static (inside,outside) tcp public_address 23 private_address 23
Static (inside,outside) tcp public_address 22 private_address 22

Then you just update your outside acl to allow those services through.  If you do a one to one translation for the public to private address, you'll need a no nat acl to fix your private communications.

-ryan
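A fuller version of the 8.2-style configuration Ryan sketches, added here as an example and not taken from either poster. The addresses (203.0.113.10 as the public-facing address, 192.168.1.10 as the server's new inside address, 10.1.0.0/17 for the remote nodes from the original question), the interface names and the ACL names are constructed placeholders. It adds the outside ACL entries and the NAT-exemption ("nonat") ACL Ryan mentions, so that traffic between the server and the private nodes over the tunnel keeps its private source address instead of being translated.

```cisco
! Added example for ASA 8.2-and-earlier NAT syntax; every address, interface
! name and ACL name below is a constructed placeholder.
!
! Static PAT: expose the server's inside address (192.168.1.10) on the
! public address (203.0.113.10) for telnet and ssh only.
static (inside,outside) tcp 203.0.113.10 23 192.168.1.10 23
static (inside,outside) tcp 203.0.113.10 22 192.168.1.10 22
!
! Outside ACL: in 8.2 the inbound interface ACL matches the mapped (public)
! address, so permit the two services to it and bind the ACL inbound.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 23
access-list outside_in extended permit tcp any host 203.0.113.10 eq 22
access-group outside_in in interface outside
!
! NAT exemption ("nonat"): traffic from the inside subnet to the remote
! 10.1.0.0/17 nodes across the tunnel must keep its private source address.
! In 8.2, nat 0 access-list is evaluated before the static entries, so the
! server's monitoring traffic is never rewritten to the public address.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.128.0
nat (inside) 0 access-list nonat
!
! The same private-to-private match is normally what the crypto map uses as
! interesting traffic; that entry is omitted because it depends on the
! existing tunnel configuration.
```

To confirm the translation behaves as intended, `show xlate` should list the two port-level static entries, and `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 22` (source address constructed) walks an inbound ssh connection through the ACL and NAT phases. If the ASA is running 8.3 or later the syntax differs: NAT is object-based and the interface ACL references the real (inside) address rather than the mapped one.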

