The musings of an IT Consultant

Apr 28 2009   4:15PM GMT

Overlapping Static NAT and Cisco ASA Firewalls

Raj Perumal

Hi folks, I just wanted to discuss a key difference between some firewalls. One of the things you might find yourself doing, especially in a hosting scenario, is creating static NAT entries. Each entry is a one-to-one relationship between an external public IP address and an internal private IP address on your local or DMZ network.

Some firewalls let you assign multiple public IP addresses to the external interface and some don't. On the ones that do, you can easily create multiple static NAT entries for the same internal IP: one local IP address, but multiple public IP addresses on the same port. For example, a web server that listens on port 80 for multiple public IPs.

But on firewalls that don't bind the IP to the external interface, such as the Cisco ASA, you cannot do this. If you try, you will get a static overlapping NAT error. How do you fix this?

You have to assign multiple internal IP addresses to your internal web server as well, and then map each internal IP to its own external IP. This will fix your problem!

-Cheers, RP
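
As an added example (not code from the original post), the following script checks a set of ASA one-to-one static entries for the overlap described above and reports how many extra internal addresses the fix requires. It assumes the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` syntax; the addresses, interface names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (assumed pre-8.3 syntax: mapped IP first, real IP second).
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.5 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.10.6 netmask 255.255.255.255
"""

# Matches host-to-host static NAT lines only (no static PAT, no subnets).
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask 255\.255\.255\.255)?\s*$"
)

def find_overlaps(config):
    """Return {(real_if, mapped_if, real_ip): [mapped_ips]} for every internal
    address that more than one static entry on the same interface pair maps to."""
    by_real = defaultdict(list)
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            key = (m["real_if"], m["mapped_if"], m["real"])
            by_real[key].append(m["mapped"])
    return {k: v for k, v in by_real.items() if len(v) > 1}

def extra_internal_ips_needed(config):
    """Additional internal addresses the servers need so that each public IP
    maps to its own internal IP (the fix described in the post)."""
    return sum(len(v) - 1 for v in find_overlaps(config).values())

if __name__ == "__main__":
    for (real_if, mapped_if, real), mapped in find_overlaps(SAMPLE_CONFIG).items():
        print(f"{real} ({real_if}->{mapped_if}) is mapped from {', '.join(mapped)}")
    print("additional internal IPs needed:", extra_internal_ips_needed(SAMPLE_CONFIG))
```

Running it before pushing a change flags the entries that share an internal address, so the secondary IPs can be added to the server first.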
