Cisco ASA NAT question

[regnez]

Let me preface with how little I actually know about Cisco PIX/ASA hardware and configuration, so I apologize if this is something simple or, on the other end of the spectrum, not possible.

Say I wanted to translate an internal address that machines were trying to hit -- 172.16.1.50 as an example -- into an external, public address of 12.200.242.26. That public address is NOT an address of mine, just a public IP of something available on the internet.

Is this something achievable with a Cisco ASA 5505 using NAT?

 

[spidey07]

No. That's a function of internet routing. If it's an address that isn't in your public address space there is no way for the traffic to reach you or the ASA.

 

[DnetMHZ]

Are you saying that you want your internal users who try to access 172.16.1.50 to be redirected to 12.200.242.26?

 

[Railgun]

If you want your hosts to hit 12.200....instead of 172.16....you can do it but you have to have the FW between that 172.16 subnet and the rest of your environment to put it simply. There are other ways so you don't have to do that, but it depends on what you want to do.

There are other routing considerations you have to take into account as well. Can you explain exactly what you want to do and how your environment is set up? Is this completely internal to your environment?

 

[RadiclDreamer]

No, you cannot route, therefore NAT something that is not your address to route.

 

[regnez]

Are you saying that you want your internal users who try to access 172.16.1.50 to be redirected to 12.200.242.26?

Right, I simply want that internal address to be redirected to the external one.

 

[regnez]

No, you cannot route, therefore NAT something that is not your address to route.

I'm not looking to use that address to cross the internet. My goal is simply to redirect folks trying to access 172.16.1.50 to a separate address.

 

[regnez]

No. That's a function of internet routing. If it's an address that isn't in your public address space there is no way for the traffic to reach you or the ASA.

I am not looking to cross the internet with an address that is not mine, nor am I looking to assign that address to my ASA. I simply want the requested internal address to be redirected to the external one.

 

[spidey07]

I am not looking to cross the internet with an address that is not mine, nor am I looking to assign that address to my ASA. I simply want the requested internal address to be redirected to the external one.

Then you'll need a web server, proxy server or load balancer to do the HTTP redirection.

 

[Railgun]

So if it truely is an external address, then why not just have the users hit that address?

Otherwise, yes you CAN do it. It's not pretty though...

Create a static route in your environment for the 172 host that points to that FW. You NAT the destination address to that public then it goes out towards your internet connection. The FW will have a route for that public pointing to wherever your current default route may go (depending on your network).

If it's as simple as making one destination address really go to another address, we have several environments that do the same thing today. Like I said, it's not the prettiest setup, but it works just fine.

The ASA can route. You just need to set it up that way.

 

[Emulex]

why not just use dns?