Re: Representing internal server with 2 different Public IP

From: Funky LePew <funkylepew-ccie_at_yahoo.com>
Date: Wed, 28 Apr 2010 23:24:49 -0700 (PDT)

See if this helps; I have used this in production, in a different manner: I instead wanted to publish the same service on the same server on two different ports, but the idea is the same, with the same caveats.

Mine was:
static (inside,outside) o.o.o.o:2222 i.i.i.i:registered port
static (inside,outside) o.o.o.o i.i.i.i
because the old application was using a registered port and over time more and more security folks on the subscriber side didn't like that. But we needed to publish on both ports till all customers could update their firewalls and applications to use the new port. Requirement: the application was too old to change.

static (inside,outside) tcp 88.x.x.49 smtp 192.168.0.55 smtp netmask 255.255.255.255
static (inside,outside) 88.x.x.51 192.168.0.55 netmask 255.255.255.255
!you'll get below warning
WARNING: real-address conflict with existing static
  TCP inside:192.168.0.55/25 to outside:88.x.x.49/25 netmask 255.255.255.255

Here are the caveats:
No translation entries for the real address can exist before you do this, and you have to enter the commands in that order (so "no" out anything with 192.168.0.55). Which also means if you ever need to change anything you have to remove those commands, which will break all traffic to/from that host. This may or may not be acceptable in your environment.
Also, only outside-initiated connections will work to both IP addresses; you will only ever show up as the first address when the server initiates traffic outbound, as it's the first rule that will always be hit.
This does not scale... with more than 2 rules. Any additional entries of the same type (static IP or static port) to your internal host will give the errors you are receiving. Basically you can only overload once.

I did paste the config (with different ports AND addresses) into an ASA and it did take, but I did not test with traffic.
My version has worked since at least 6.2 code, and definitely on 7 and 8.1 code.

regards,
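
As an added illustration (not part of the original post and not Cisco code), here is a small Python model of the ordered matching behaviour the post describes: a port static entered first, a whole-address static for the same real address entered second with a conflict warning, outside-initiated traffic reaching the server on either mapped address, and inside-initiated traffic always leaving on the first rule. The addresses are constructed from the documentation range and the error/warning strings are invented stand-ins for the real ASA messages.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside)' entry; port=None is a whole-address static."""
    mapped_ip: str             # outside (public) address
    real_ip: str               # inside (real) address
    port: Optional[int] = None


class NatTable:
    def __init__(self) -> None:
        self.rules: List[Static] = []
        self.warnings: List[str] = []

    def add(self, rule: Static) -> None:
        """Apply the ordering and overload limits described in the post."""
        existing = [r for r in self.rules if r.real_ip == rule.real_ip]
        if existing:
            # Only one overload is allowed, the port static must come first,
            # and the second entry must be of the other type (whole-address).
            if len(existing) >= 2 or existing[0].port is None or rule.port is not None:
                raise ValueError(f"ERROR: cannot add another static for {rule.real_ip}")
            self.warnings.append(
                f"WARNING: real-address conflict with existing static for {rule.real_ip}")
        self.rules.append(rule)

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Outside-initiated: mapped address (and port, for a port static) must match."""
        for r in self.rules:
            if r.mapped_ip == dst_ip and (r.port is None or r.port == dst_port):
                return r.real_ip
        return None

    def outbound(self, src_ip: str) -> Optional[str]:
        """Inside-initiated: the first rule for the real address always wins."""
        for r in self.rules:
            if r.real_ip == src_ip:
                return r.mapped_ip
        return None


def build_example() -> NatTable:
    # Constructed addresses mirroring the post's two statics (smtp port static first).
    table = NatTable()
    table.add(Static("203.0.113.49", "10.0.0.55", 25))   # static ... tcp ... smtp
    table.add(Static("203.0.113.51", "10.0.0.55"))       # static one-to-one, warns
    return table
```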

________________________________
From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
To: Tyson Scott <tscott_at_ipexpert.com>
Cc: Jack Router <pan.router_at_gmail.com>; Cisco certification <ccielab_at_groupstudy.com>
Sent: Wed, April 28, 2010 11:22:08 AM
Subject: Re: Representing internal server with 2 different Public IP

It should not be impossible to do it... as far as only incoming
connections to the port are being natted. Isn't that what extensible is
for?

-Carlos

Tyson Scott @ 28/04/2010 12:12 -0300 dixit:
> As what you are trying to do on the firewall is impossible, move the
> requirement back to the server. Configure a second IP on the NIC. Search
> Google for how to do this based on the operating system the server is
> running. Both Linux and Windows support this feature.
>
> Next time put OT: <followed by subject> in the subject field. That is the
> courtesy requirement of group study. This is not related to the CCIE exam.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jack
> Router
> Sent: Wednesday, April 28, 2010 10:27 AM
> To: 'Cisco certification'
> Subject: RE: Representing internal server with 2 different Public IP
>
> Still curious why you want to do this...
> What about configuring the server with two internal IPs and then redirecting
> with two different rules on the firewall?
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> imran mohammed
> Sent: 28-Apr-10 09:36
> To: Cisco certification
> Subject: Re: Representing internal server with 2 different Public IP
>
> Hi,
>
> The requirement is I need to represent internal server with 2 different
> public ip.
>
> Example
>
> When I hit the firewall 10.1.1.1 on outside it should redirect to 20.1.1.1
> (internal server)
> If I hit with 30.1.1.1 on outside it should redirect to same ip 20.1.1.1
> (internal server)
>
>
> Regards
> Imran
>
> On Wed, Apr 28, 2010 at 5:02 PM, imran mohammed
> <imran4cisco_at_gmail.com>wrote:
>
>> Hi All,
>>
>>
>> Is there any way we can represent an internal server with 2 public IP
>> addresses.
>> static (inside,outside) tcp 88.x.x.49 smtp 192.168.0.55 smtp
>> static (inside,outside) tcp 88.x.x.51 smtp 192.168.0.55 smtp
>>
>> The above command doesn't work. I know it doesn't make sense but that is the
>> requirement.
>>
>> I tried this as well; it doesn't work.
>> static (inside,outside) tcp 88.x.x.49 smtp 192.168.0.55 smtp
>> static (inside,outside) tcp 88.x.x.51 2043 192.168.0.55 smtp
>>
>> Is there any way to do this?
>>
>> Regards
>> Imran
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Wed Apr 28 2010 - 23:24:49 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART