Solved

Enable PAT ASA 5505

Posted on 2011-02-27
9
522 Views
Last Modified: 2012-05-11
Hi,

Using ASA Version 8.0(2)

this device is mostly configured using the asdm.

We have about 5 IP's from the ISP. We use NAT overload for users to access internet.

And the rest 4 IP's are being 1-to-1 NAT.

Under NAT rules I have the static statements and a dynamic from any (internal) to outside.

Because of IP limitation we would like to port forward on the USERS IP to one of the internal servers on a specific port.

Please assist in setting up the ACL and the NAT rule for that.
Thanks
0
Comment
Question by:masdf123
  • 4
  • 3
9 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34992004
Please post the current config here as well as information about exact which ip/port to forward to/from.

/Kvistofta
0
 
LVL 1

Author Comment

by:masdf123
ID: 34993552
My Configuration is something like this:

name 192.168.1.5 PBX
name 192.168.1.4 DC2


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.234 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3

interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2


access-list outside_in extended permit tcp any host 1.1.1.235 eq 3389
access-list outside_in extended permit tcp host 58.64.84.5 host 1.1.1.235 eq 25
access-list outside_in extended permit tcp any host 1.1.1.236 eq 30
access-list B2B extended permit ip 192.168.1.0 255.255.255.0 host PBX
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.236 PBX netmask 255.255.255.255
static (inside,outside) 1.1.1.235 DC2 netmask 255.255.255.255 dns
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.233 1

So all internet traffic for users is going through 1.1.1.234

Rest DC2 and PBX are static NAT.

So basically if I want to enable PAT on 1.1.1.234 going to 192.168.1.60  on port 123
Thanks


0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34994678
ok.

static (inside,outside) tcp interface 123 192.168.1.60 123
clear xlat

Best regards
Kvistofta
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:masdf123
ID: 34994682
Thanks,

What does clear xlat mean?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34994715
It removes all existing address translation. It needs to be done sometimes when you change the address translations in order to have a "fresh" start.

/Kvistofta
0
 
LVL 1

Author Comment

by:masdf123
ID: 34994906
You mean the NAT translations table?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34995671
Yes.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35321837
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 5508 controller parsing error 4 55
Punctured RAID5 Array on Cisco UCS server. 6 52
Cisco WAP POE power 28 71
Use of vpn-filter value  in S2S VPN 2 29
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now