Solved

Cisco ASA 5505 8.3 PAT issue

Posted on 2011-02-26
912 Views
Last Modified: 2012-05-11
Hello,

I am still trying to understand IOS 8.3.  Here is the information on my test network

Outside: 10.0.0.1
Inside: 192.168.10.x

I have an Exchange server at 192.168.10.25.  I want to translate access from the outside -> in from ports 80, 25, 443 to go to: 192.168.10.25.  I have the port-object setup and the ACL.

object network inside-nat
 subnet 192.168.10.0 255.255.255.0
object-group service exchange_server_ports tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network exchange_server
 network-object host 192.168.10.25
access-list SPLIT standard permit 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 172.30.3.0 255.255.255.0
access-list outside_access_in remark ***For Exchange***
access-list outside_access_in extended permit tcp any object-group exchange_server object-group exchange_server_ports
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Public 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network inside-nat
 nat (inside,outside) dynamic interface

Thanks
Question by:mahrens007
6 Comments
 
LVL 1

Accepted Solution

by:
orbistechnology earned 1000 total points
ID: 34988188
Hello!

The 8.3 shift in NAT design is quite dramatic.  I found this video which explains rather concisely how the new NAT paradigm works.

http://www.youtube.com/watch?v=R6TMlH9U2pE

In short, in your object-group "exchange_server" you would put a nat statement which would then set up autonat.

I'm rather new to 8.3+ as well, so I don't want to give you a wrong answer.  I think the video should get you going.

Brandon
 
LVL 6

Author Comment

by:mahrens007
ID: 34988534
I have watched that video but they don't translate 2 ports to a single IP address.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 34988828
This is from my working config:

access-list outside_access_in extended permit tcp any host 192.168.122.135 eq www
access-list outside_access_in extended permit tcp any host 192.168.122.135 eq smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network 192.168.122.135
 nat (any,outside) static interface service tcp www www
! A network object accepts only one nat line, so the second port needs
! a second object with the same host address (name chosen here for the fix).
object network 192.168.122.135-smtp
 host 192.168.122.135
 nat (any,outside) static interface service tcp smtp smtp

Notice that the Access-list references the Private (real) IP and not the public...
Only difference is that I did not use the object groups in the acl.
 
LVL 6

Author Comment

by:mahrens007
ID: 34991447
How would I apply this to a certain external IP address?
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34991934
You don't have to apply to external addresses in 8.3+ versions of the ASA software.  You create the nat - and I believe you can nat object group service types to your internal address.

In the access list, you permit the traffic and reference the inside address, not the outside as in previous ASA versions, or the PIX.

It is a complete shift in methodology - and not one that comes easily!

Why they completely deprecated the old system, I can't fathom.  They should at least let us use both conventions to get used to the new config.

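The configuration below is an added example, not the poster's config and not either answer's; it applies lrmoore's per-port static pattern to the question's own objects (192.168.10.25, exchange_server, exchange_server_ports) and also shows the variant the author asked about, a dedicated public address rather than the outside interface. The object names exchange_www, exchange_https and exchange_smtp, the public address 203.0.113.10 (documentation range) and the packet-tracer source 198.51.100.7 are assumptions made for the example.

```cisco
! Added example for ASA 8.3 object NAT (not from the question or the answers).
! Outside interface: 10.0.0.1, Exchange server: 192.168.10.25 (from the question).
!
! Keep the existing dynamic PAT for the whole inside subnet.
object network inside-nat
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! One object per published port: a network object carries exactly one nat line,
! so three ports need three objects that all point at the same real host.
! "static interface" maps the port onto the outside interface address (10.0.0.1).
object network exchange_www
 host 192.168.10.25
 nat (inside,outside) static interface service tcp www www
object network exchange_https
 host 192.168.10.25
 nat (inside,outside) static interface service tcp https https
object network exchange_smtp
 host 192.168.10.25
 nat (inside,outside) static interface service tcp smtp smtp
!
! Variant for a specific external address instead of the interface:
! replace "interface" with the mapped IP (203.0.113.10 is a placeholder).
! Only one of the two forms should exist per port.
! object network exchange_smtp
!  host 192.168.10.25
!  nat (inside,outside) static 203.0.113.10 service tcp smtp smtp
!
! The ACL matches the REAL (private) address in 8.3, so the question's
! existing groups are already correct; the only missing piece is binding
! the ACL to the outside interface.
access-list outside_access_in extended permit tcp any object-group exchange_server object-group exchange_server_ports
access-group outside_access_in in interface outside
!
! Verification: confirm the rules and trace an inbound SMTP packet.
! show nat
! show xlate
! packet-tracer input outside tcp 198.51.100.7 40000 10.0.0.1 25
```

Because each nat line publishes a single port and the ACL permits only the three ports in exchange_server_ports to the real host, no other service on 192.168.10.25 becomes reachable from the outside; the packet-tracer run should end with "Action: allow" for port 25 and "drop" for any port not in the group.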
 
LVL 6

Author Closing Comment

by:mahrens007
ID: 35025717
This didn't directly resolve my issue, but pointed me in the right direction.