Enable PAT ASA 5505

Hi,

Using ASA Version 8.0(2)

This device is mostly configured using the ASDM.

We have about 5 IPs from the ISP. We use NAT overload for users to access the internet.

And the remaining 4 IPs are 1-to-1 NATed.

Under NAT rules I have the static statements and a dynamic from any (internal) to outside.

Because of the IP limitation, we would like to port forward on the USERS IP to one of the internal servers on a specific port.

Please assist in setting up the ACL and the NAT rule for that.
Thanks
Asked by masdf123

Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Please post the current config here, as well as information about exactly which IP/port to forward to/from.

/Kvistofta
 
masdf123 (Author) commented:
My configuration is something like this:

name 192.168.1.5 PBX
name 192.168.1.4 DC2

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.234 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!

access-list outside_in extended permit tcp any host 1.1.1.235 eq 3389
access-list outside_in extended permit tcp host 58.64.84.5 host 1.1.1.235 eq 25
access-list outside_in extended permit tcp any host 1.1.1.236 eq 30
access-list B2B extended permit ip 192.168.1.0 255.255.255.0 host PBX
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.236 PBX netmask 255.255.255.255
static (inside,outside) 1.1.1.235 DC2 netmask 255.255.255.255 dns
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.233 1

So all internet traffic for users is going through 1.1.1.234.

The rest, DC2 and PBX, are static NAT.

So basically, how would I enable PAT on 1.1.1.234 going to 192.168.1.60 on port 123?
Thanks


 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
OK.

access-list outside_in extended permit tcp any interface outside eq 123
static (inside,outside) tcp interface 123 192.168.1.60 123
clear xlate

Best regards
Kvistofta
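Added example, not from the thread: a small Python audit that parses the pre-8.3 static, access-list and access-group lines from the config posted above and reports which inbound permits on the outside ACL actually reach each translation, resolving the "interface" keyword to the outside address (1.1.1.234). The sample config is constructed from the asker's lines plus the proposed static PAT; with only the static in place it shows that no outside_in entry yet permits tcp/123, which is the ACL half of the question.

```python
# Constructed sample: the asker's relevant ASA 8.0 lines plus the proposed static PAT for tcp/123.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 1.1.1.234 255.255.255.248
access-list outside_in extended permit tcp host 58.64.84.5 host 1.1.1.235 eq 25
access-list outside_in extended permit tcp any host 1.1.1.236 eq 30
static (inside,outside) 1.1.1.236 PBX netmask 255.255.255.255
static (inside,outside) 1.1.1.235 DC2 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 123 192.168.1.60 123
access-group outside_in in interface outside
"""

def parse_config(cfg):
    # Returns outside address, inbound ACL name, statics and ACEs (pre-8.3 NAT syntax).
    statics, aces, outside_ip, outside_acl, in_outside = [], [], None, None, False
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "nameif":
            in_outside = t[1] == "outside"
        elif t[0] == "ip" and t[1] == "address" and in_outside:
            outside_ip, in_outside = t[2], False
        elif t[0] == "access-group" and t[2:] == ["in", "interface", "outside"]:
            outside_acl = t[1]
        elif t[0] == "static":
            # static (in,out) [tcp|udp] <global-ip|interface> [gport] <local> [lport]
            body = t[2:]
            proto = body.pop(0) if body[0] in ("tcp", "udp") else "ip"
            glob, gport = body.pop(0), (body.pop(0) if proto != "ip" else None)
            statics.append((proto, glob, gport, body[0]))
        elif t[0] == "access-list" and t[3] == "permit":
            # ... permit <proto> <src> (host <ip> | interface <if> | any) [eq <port>]
            end = t.index("eq") if "eq" in t else len(t)
            dport = t[end + 1] if end < len(t) else "any"
            dst = "interface" if t[end - 2] == "interface" else t[end - 1] if t[end - 2] == "host" else "any"
            src = " ".join(t[5:end - (1 if dst == "any" else 2)])
            aces.append((t[1], t[4], dst, dport, src))
    return outside_ip, outside_acl, statics, aces

def exposure_report(cfg):
    # Maps each static to the permits on the outside ACL that can reach it.
    outside_ip, outside_acl, statics, aces = parse_config(cfg)
    report = {}
    for proto, glob, gport, local in statics:
        gip = outside_ip if glob == "interface" else glob    # 'interface' is 1.1.1.234 here
        report[f"{proto}/{gip}:{gport or '*'}->{local}"] = [
            f"{a_proto}/{a_port} from {src}"
            for acl, a_proto, dst, a_port, src in aces
            if acl == outside_acl
            and (dst == "any" or (outside_ip if dst == "interface" else dst) == gip)
            and (proto == "ip" or a_proto in ("ip", proto))
            and (gport is None or a_port in ("any", gport))]
    return report
```

An empty list for a translation means the static exists but nothing on the outside ACL can reach it; a 1-to-1 static lists every port the ACL opens toward that public address.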
masdf123 (Author) commented:
Thanks,

What does clear xlate mean?
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
It removes all existing address translations. It sometimes needs to be done when you change the address translations, in order to get a "fresh" start.

/Kvistofta
 
masdf123 (Author) commented:
You mean the NAT translations table?
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Yes.
 
Qlemo (Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.