rperault
Creating NAT and Access Rules Cisco ASA

I must be doing something wrong here. I have an application called Reliweb which needs to access a server using port 2837. What I am looking for is a NAT and access rule for this.

I have done this many times before, but for some strange reason I cannot get it to connect. I have created the NAT and service object for the port and the access rule. But when I test it through the application and through TELNET I cannot connect.

I need to connect through the OUTSIDE interface, for giggles 173.0.0.11,
translated to INSIDE private IP 10.8.1.76 using port 2837.
I am using ASDM to connect to my firewall, so I have created them manually and through the CLI. If someone could give me the CLI command lines that would be great. I need to get this working.

THANKS
ASKER CERTIFIED SOLUTION
jlindler

rperault

ASKER

Thanks, I just found out I couldn't get anything to work.

It conflicts with existing statics, therefore I cannot create the NATs as it will not allow me to.

Anything you can think of to get me around this, or do I need more IPs? I tried all the IPs that I have. Checked all my NATs and they are all being used for other protocols.

Result of the command: "static (inside,outside) tcp 173.0.0.11 2837 10.8.1.76 2837 netmask 255.255.255.255"

ERROR: mapped-address conflict with existing static
  inside:10.8.2.1 to outside:173.0.0.11 netmask 255.255.255.255


Result of the command: "static (inside,outside) 173.0.0.11 10.8.1.76 netmask 255.255.255.255"

ERROR: mapped-address conflict with existing static
  inside:10.8.2.1 to outside:173.0.0.11 netmask 255.255.255.255
You can use Port Address Translation to "share" your external IP's among hosts:

For example:
static (inside,outside) tcp 173.0.0.11 2837 10.8.1.76 2837 netmask 255.255.255.255
static (inside,outside) tcp 173.0.0.11 80 10.8.1.55 80 netmask 255.255.255.255

Both machines are utilizing the 173.0.0.11 external IP but with different ports, and the PIX is using PAT to send traffic to the appropriate server. This should work fine for multiple servers as long as they do not need to use the same external port!!
BTW, you will need to delete the static NAT mapping (one-to-one) for the external address you are working with before you add the PAT ones, or you will receive the warning you saw above. Note - a NAT mapping for a given IP will "override" the PAT mapping.
My problem is that all my IPs are NAT'd to different servers, and one is for the DMZ. I can't NAT the same external IP to two different internal IPs, can I?
Yep! PAT will allow you to map an IP and port combination to a server instead of dedicating the entire IP address in a one-to-one manner. The only hang-up is if both servers need to have clients accessing the same external IP/port combination. For example, I could have a web server (TCP port 80), an RDP server (TCP port 3389), and an NTP server (UDP port 123) - all different boxes with different internal addresses offering services on different ports - mapped to one external IP.

Example Servers:
Web - 10.0.0.1
RDP - 10.0.0.2
NTP - 10.0.0.8

External IP:
55.55.55.55

Command Line:
static (inside,outside) tcp 55.55.55.55 80 10.0.0.1 80 netmask 255.255.255.255
static (inside,outside) tcp 55.55.55.55 3389 10.0.0.2 3389 netmask 255.255.255.255
static (inside,outside) udp 55.55.55.55 123 10.0.0.8 123 netmask 255.255.255.255
In order to remove the old one-to-one static, you should determine what ports are currently used by 10.8.2.1. Let's assume it is a mail server with port 25 open inbound. Off hours, perform this:
no static (inside,outside) 173.0.0.11 10.8.2.1 netmask 255.255.255.255
static (inside,outside) tcp 173.0.0.11 25 10.8.2.1 25 netmask 255.255.255.255
static (inside,outside) tcp 173.0.0.11 2837 10.8.1.76 2837 netmask 255.255.255.255

And then of course you have an access rule as jlindler first suggested.
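The replies above describe two things: why the ASA rejects a port static on 173.0.0.11 while a one-to-one static already owns that address, and how to break the one-to-one static into per-port PAT entries so only the ports a host actually serves are exposed. The following Python script is an added example, not from this thread or from Cisco: it parses pre-8.3 `static (inside,outside)` lines, checks a planned change for the mapped-address conflict quoted in the thread before anything is typed into the box, and emits the `no static` / port-static sequence from the last reply. The conflict rules are modelled on the behaviour the thread describes (a one-to-one static owns the whole mapped IP; two port statics clash only on the same protocol and mapped port); the wording of the port-clash error is this example's own, and treating a new one-to-one static as conflicting with existing PAT entries is an assumption.

```python
"""Check a planned Cisco ASA/PIX static NAT change for mapped-address conflicts
(added example; pre-8.3 'static (inside,outside)' syntax only)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK = "netmask 255.255.255.255"


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' entry."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # None = one-to-one static (owns the whole mapped IP)
    mapped_port: Optional[int] = None  # set only for a port static (PAT)
    real_port: Optional[int] = None

    @property
    def is_pat(self) -> bool:
        return self.proto is not None

    def to_cli(self, negate: bool = False) -> str:
        prefix = "no static" if negate else "static"
        if not self.is_pat:
            return f"{prefix} (inside,outside) {self.mapped_ip} {self.real_ip} {MASK}"
        return (f"{prefix} (inside,outside) {self.proto} {self.mapped_ip} {self.mapped_port} "
                f"{self.real_ip} {self.real_port} {MASK}")


_PAT_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
_ONE_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")


def parse_static(line: str) -> Static:
    """Parse either the port-static or the one-to-one form of the command."""
    line = line.strip()
    m = _PAT_RE.match(line)
    if m:
        proto, mip, mport, rip, rport = m.groups()
        return Static(mip, rip, proto, int(mport), int(rport))
    m = _ONE_RE.match(line)
    if m:
        return Static(*m.groups())
    raise ValueError(f"not a static NAT line: {line!r}")


def conflict(existing: Static, new: Static) -> Optional[str]:
    """Return the error a proposed entry would raise against one existing entry, or None."""
    if existing.mapped_ip != new.mapped_ip:
        return None
    # A one-to-one static on either side owns the whole mapped IP. This reproduces the
    # error text quoted in the thread; the reverse direction (new one-to-one over
    # existing PAT) is treated the same way here as an assumption.
    if not existing.is_pat or not new.is_pat:
        return ("ERROR: mapped-address conflict with existing static "
                f"inside:{existing.real_ip} to outside:{existing.mapped_ip} {MASK}")
    # Two port statics may share the IP unless protocol and mapped port collide.
    if existing.proto == new.proto and existing.mapped_port == new.mapped_port:
        return (f"ERROR: {existing.proto}/{existing.mapped_port} on {existing.mapped_ip} "
                f"is already mapped to {existing.real_ip} (wording is this example's)")
    return None


def check_plan(existing: List[Static], wanted: List[Static]) -> List[str]:
    """Errors that applying `wanted`, in order, to the running `existing` table would raise."""
    table = list(existing)
    errors: List[str] = []
    for new in wanted:
        hits = [err for e in table for err in [conflict(e, new)] if err]
        if hits:
            errors.extend(hits)
        else:
            table.append(new)
    return errors


def split_one_to_one(one_to_one: Static, keep: List[Tuple[str, int]],
                     add: List[Static]) -> List[str]:
    """CLI to replace a one-to-one static with port statics: remove it, re-expose only
    the ports the old real host actually serves, then add the new entries."""
    if one_to_one.is_pat:
        raise ValueError("expected a one-to-one static")
    lines = [one_to_one.to_cli(negate=True)]
    for proto, port in keep:
        lines.append(Static(one_to_one.mapped_ip, one_to_one.real_ip, proto, port, port).to_cli())
    lines.extend(s.to_cli() for s in add)
    return lines


if __name__ == "__main__":
    # Constructed from the thread: the existing one-to-one static and the wanted PAT entry.
    running = [parse_static("static (inside,outside) 173.0.0.11 10.8.2.1 netmask 255.255.255.255")]
    wanted = parse_static("static (inside,outside) tcp 173.0.0.11 2837 10.8.1.76 2837 netmask 255.255.255.255")
    for err in check_plan(running, [wanted]):
        print(err)
    print("--- migration (assumes 10.8.2.1 only serves tcp/25) ---")
    for line in split_one_to_one(running[0], [("tcp", 25)], [wanted]):
        print(line)
```

Run the plan through `check_plan` before the change window: an empty list means the ASA should accept the lines in that order. Each port static still needs its own access rule, so the migration output is also the list of exposures to review.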
Thanks