NAT on ASA 8.4 - Static NAT with port translation

Imagine when you have dmz zone with multiple servers, each server runs a service and you have only one public IP address. Now you want to share that IP address to all services running in dmz zone. In this case, you should use the NAT rules use the same address but with different ports.

In above figure, single IP address used to share two services running on 2 separate servers in dmz zone. It requires that, when have a ftp connection to 113.22.14.3, the request will be directed to ftp server on 172.16.1.10, and when a ssh connection to the same public address, request will be redirected to ssh server on 172.16.1.15.

Configuration:

2 objects for servers in dmz zone:

ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
object network FTP-SERVER
 host 172.16.1.10

 nat command for each object

ASA84(config)# show run nat
!
object network SSH-SERVER
 nat (dmz,outside) static 113.22.14.3 service tcp ssh ssh
object network FTP-SERVER
 nat (dmz,outside) static 113.22.14.3 service tcp ftp ftp

access list for particular connection

ASA84(config)# show run access-li
access-list ALLOW-INTERNET-DMZ extended permit tcp any object SSH-SERVER eq ssh
access-list ALLOW-INTERNET-DMZ extended permit tcp any object FTP-SERVER eq ftp

access-group to interface

ASA84(config)# show run access-group
access-group ALLOW-INTERNET-DMZ in interface outside
ASA84(config)#

Verifying:
SSH connection from INTERNET host to 113.22.14.3:

 FTP connection from INTERNET to 113.22.14.3:

You can see here: 227 Entering Passive Mode (172,16,1,10,288,222). Funny stuff, hah? ;-)