4

This is regarding a Cisco ASA 5510 router. We have two ISPs with a block of IPv4 addresses from each. I would like to map a single server in the DMZ such that two public IPv4 addresses point to it. Like so:

ISP1 71.43.230.100 -> DMZ 10.0.1.100

ISP2 205.23.53.100 -> DMZ 10.0.1.100

How can I map two public IPv4 addresses to a single DMZ IPv4 address?

hertitu
Chet
  • Also, you can add the two IPs to a server. It is called dual-stacking, and you can put both IPv4 and IPv6, which are the only two current IPs. They are separate protocols, but you could use a kludge like NAT64 to use a single IP. – Ron Maupin Oct 14 '16 at 18:40
  • That's what I originally said I didn't want to do. I want the server to have a single IP 10.0.1.100 but have two public IPs, from two different interfaces, route to it. – Chet Oct 14 '16 at 20:29
  • I think you are confused because `10.0.1.100` is not an IP (Internet Protocol), it is an IPv4 address. There are only two current IPs: IPv4 and IPv6. If you want two IPs assigned to a device, most modern devices support both IPv4 and IPv6, both of the current IPs at the same time on the same port. – Ron Maupin Oct 14 '16 at 20:32
  • I was using the term IP as shorthand for IPv4 address. I have updated the question. – Chet Oct 14 '16 at 20:38
  • This is an interesting question. What it asks - mapping several external IP addresses to a single internal one - is trivial to do on most routers but very difficult to even express in Cisco terms because the ASA documentation labels that process in the opposite direction, as mapping the internal IP address to an external one, which seems to exclude a priori having more than one external address. I'm curious what the answer will be. – Tilman Schmidt Oct 14 '16 at 20:59
  • 3
    Give the internal host two RFC1918 addresses, and map each public IPv4 address to each RFC1918 address. – Michael Hampton Oct 14 '16 at 23:57

1 Answer

2

On ASA 8.3 or later:

```
object-group network myPublicIPs
 network-object host 198.51.100.1
 network-object host 203.0.113.2

object network myServer
 host 192.168.0.100
 nat (dmz,outside) static myPublicIPs
```

On ASA 8.2 and earlier:

The answer is "You can't, static NAT is 1-to-1".

As @MichaelHampton commented, the most obvious solution is to give the server 2 private IP addresses, and translate each one to a different public address.

Alternatively, if the 2 IP addresses are used with different L4 ports (e.g. one address is for SMTP and the other for HTTP) then you could use static port translation instead.

hertitu
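The following is an added example, not part of the answer above: a short audit script that expands the 8.3+ object NAT configuration from the answer into its effective public-to-real mappings and lists every real host published under more than one public address, so each exposure can be checked against the access rules. The sample input is constructed from the answer's configuration; the function names are hypothetical, and the parser handles only the statement forms shown there (`network-object host`, `host`, `nat (...) static`).

```python
import re
from collections import defaultdict

# Constructed sample: the 8.3+ configuration quoted in the answer.
SAMPLE_CONFIG = """\
object-group network myPublicIPs
 network-object host 198.51.100.1
 network-object host 203.0.113.2
!
object network myServer
 host 192.168.0.100
 nat (dmz,outside) static myPublicIPs
"""

def parse_static_nat(config):
    """Return {real_host_ip: [(mapped_ip, real_ifc, mapped_ifc), ...]}."""
    groups = defaultdict(list)  # object-group name -> member host addresses
    hosts = {}                  # object name -> real host address
    nats = []                   # (object name, real_ifc, mapped_ifc, target)
    section = None              # (kind, name) of the block being read
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new block
            m = re.match(r"(object-group network|object network)\s+(\S+)", line)
            section = (m.group(1), m.group(2)) if m else None
            continue
        words = line.split()
        if section is None or not words:
            continue
        kind, name = section
        if kind == "object-group network" and words[:2] == ["network-object", "host"]:
            groups[name].append(words[2])
        elif kind == "object network" and words[0] == "host":
            hosts[name] = words[1]
        elif kind == "object network" and words[0] == "nat" and "static" in words[:-1]:
            ifcs = re.match(r"\((\S+?),(\S+?)\)", words[1])
            if ifcs:
                target = words[words.index("static") + 1]
                nats.append((name, ifcs.group(1), ifcs.group(2), target))
    result = defaultdict(list)
    for name, real_ifc, mapped_ifc, target in nats:
        if name not in hosts:   # object is not a single host; out of scope here
            continue
        # The static target is an object-group name or a literal address.
        for mapped in groups.get(target, [target]):
            result[hosts[name]].append((mapped, real_ifc, mapped_ifc))
    return dict(result)

def multi_homed(mappings):
    """Real hosts that are published under more than one public address."""
    return {real: maps for real, maps in mappings.items() if len(maps) > 1}
```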