Enable PAT ASA 5505

Hi,

Using ASA Version 8.0(2)

this device is mostly configured using the asdm.

We have about 5 IP's from the ISP. We use NAT overload for users to access internet.

And the rest 4 IP's are being 1-to-1 NAT.

Under NAT rules I have the static statements and a dynamic from any (internal) to outside.

Because of IP limitation we would like to port forward on the USERS IP to one of the internal servers on a specific port.

Please assist in setting up the ACL and the NAT rule for that.
Thanks
LVL 1
masdf123Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
Please post the current config here as well as information about exact which ip/port to forward to/from.

/Kvistofta
masdf123Author Commented:
My Configuration is something like this:

name 192.168.1.5 PBX
name 192.168.1.4 DC2


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.234 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3

interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2


access-list outside_in extended permit tcp any host 1.1.1.235 eq 3389
access-list outside_in extended permit tcp host 58.64.84.5 host 1.1.1.235 eq 25
access-list outside_in extended permit tcp any host 1.1.1.236 eq 30
access-list B2B extended permit ip 192.168.1.0 255.255.255.0 host PBX
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.236 PBX netmask 255.255.255.255
static (inside,outside) 1.1.1.235 DC2 netmask 255.255.255.255 dns
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.233 1

So all internet traffic for users is going through 1.1.1.234

Rest DC2 and PBX are static NAT.

So basically if I want to enable PAT on 1.1.1.234 going to 192.168.1.60  on port 123
Thanks


Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
ok.

static (inside,outside) tcp interface 123 192.168.1.60 123
clear xlat

Best regards
Kvistofta

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

masdf123Author Commented:
Thanks,

What does clear xlat mean?
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
It removes all existing address translation. It needs to be done sometimes when you change the address translations in order to have a "fresh" start.

/Kvistofta
masdf123Author Commented:
You mean the NAT translations table?
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
Yes.
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.