Solved

Enable PAT ASA 5505

Posted on 2011-02-27
9
519 Views
Last Modified: 2012-05-11
Hi,

Using ASA Version 8.0(2)

this device is mostly configured using the asdm.

We have about 5 IP's from the ISP. We use NAT overload for users to access internet.

And the rest 4 IP's are being 1-to-1 NAT.

Under NAT rules I have the static statements and a dynamic from any (internal) to outside.

Because of IP limitation we would like to port forward on the USERS IP to one of the internal servers on a specific port.

Please assist in setting up the ACL and the NAT rule for that.
Thanks
0
Comment
Question by:masdf123
  • 4
  • 3
9 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34992004
Please post the current config here as well as information about exact which ip/port to forward to/from.

/Kvistofta
0
 
LVL 1

Author Comment

by:masdf123
ID: 34993552
My Configuration is something like this:

name 192.168.1.5 PBX
name 192.168.1.4 DC2


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.234 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3

interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2


access-list outside_in extended permit tcp any host 1.1.1.235 eq 3389
access-list outside_in extended permit tcp host 58.64.84.5 host 1.1.1.235 eq 25
access-list outside_in extended permit tcp any host 1.1.1.236 eq 30
access-list B2B extended permit ip 192.168.1.0 255.255.255.0 host PBX
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.236 PBX netmask 255.255.255.255
static (inside,outside) 1.1.1.235 DC2 netmask 255.255.255.255 dns
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.233 1

So all internet traffic for users is going through 1.1.1.234

Rest DC2 and PBX are static NAT.

So basically if I want to enable PAT on 1.1.1.234 going to 192.168.1.60  on port 123
Thanks


0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34994678
ok.

static (inside,outside) tcp interface 123 192.168.1.60 123
clear xlat

Best regards
Kvistofta
0
 
LVL 1

Author Comment

by:masdf123
ID: 34994682
Thanks,

What does clear xlat mean?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 17

Expert Comment

by:Kvistofta
ID: 34994715
It removes all existing address translation. It needs to be done sometimes when you change the address translations in order to have a "fresh" start.

/Kvistofta
0
 
LVL 1

Author Comment

by:masdf123
ID: 34994906
You mean the NAT translations table?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34995671
Yes.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35321837
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco router recommendation for a 1 gig internet connection 11 48
Tagging ports on a managed switch 6 53
ACL Logging Optimization 7 30
2 Gateways (bandwidth) - One domain 7 54
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now