
ASA 8.4 help with statically assigning IPs

steno1122 asked (Medium Priority, 845 Views, Last Modified: 2012-05-11):
We are upgrading from an older PIX to an ASA 5520 running 8.4.1.  I’m finding out that the commands in the 8.3 versions and later of the O.S. are quite a bit different from what I’m used to.

One of the areas that is giving me problems is the lack of a “static” command that was used prior to 8.3.

As an example, in older versions if I wanted to allow FTP traffic from the Internet to an FTP server in our DMZ I would use the following:

access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp
static (dmz,outside) 98.137.149.56 10.10.73.20 netmask 255.255.255.255

I can’t figure out how to do the same thing in 8.4 without the static command.  What commands do I use to statically map or assign an outside address to an IP in our DMZ?

Thanks for the help!

Senior infrastructure engineer (CERTIFIED EXPERT, Top Expert 2012) commented:

Author commented:
Thanks erniebeek for the link. I do have one more question for you or anyone else that can answer.  Are the nat statements in 8.3 and higher bidirectional or unidirectional?  In my original post I asked how to statically nat an external IP to an address in our DMZ for an FTP server.  In this case the FTP server accepts FTP connections from the Internet but it also does FTP polling (establishes FTP connections outbound to customer servers).  That being the case, the nat entry or entries need to be bidirectional so inbound connections nat to the DMZ IP and outbound connections nat to the external IP.  Below are two examples using information from erniebeek's link.  Do both of these examples do the same thing assuming the nat is bidirectional, or do I need both object network entries along with the ACL?


access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp

object network obj-10.10.73.20
host 10.10.73.20
nat (DMZ,outside) static 98.137.149.56

and / or

object network obj-98.137.149.56
host 98.137.149.56
nat (outside,DMZ) static 10.10.73.20


In a nutshell, do I need both of the entries above or just one?  Do both object network entries do the same thing?

Thanks for the help.  Much appreciated!
Ernie Beek (Senior infrastructure engineer, CERTIFIED EXPERT, Top Expert 2012) commented:
You just need the first and yes, it is bidirectional.

It would be interesting to see what the second set does :)
It would be something like: static (outside,DMZ) 10.10.73.20 98.137.149.56 netmask 255.255.255.255
As you can see, that is not going to work.

Author commented:
erniebeek, thanks again for the reply.  I have one final question.  Does the ACL reference the inside IP or the external IP?

Would this ACL be correct?

access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp

Or is this one correct?

access-list outside_in extended permit tcp any host 10.10.73.20 eq ftp

object network obj-10.10.73.20
host 10.10.73.20
nat (DMZ,outside) static 98.137.149.56


Thanks again.  You are a huge help!
Ernie Beek (Senior infrastructure engineer, CERTIFIED EXPERT, Top Expert 2012) commented:
You're welcome :)

In the 'old' manner the ACL referenced the public IP, in the new manner you use the private IP. So in this case access-list outside_in extended permit tcp any host 10.10.73.20 eq ftp is the ACL entry you need to use.
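The two rules settled in this thread (a pre-8.3 host static becomes an object network for the real host carrying the nat statement, and the ACL switches from the mapped IP to the real IP) lend themselves to a small migration check. The script below is an added example written for this page, not Cisco's migration tool and not anything the participants posted. It converts one-to-one host statics to 8.3+ object NAT, rewrites `host <mapped>` ACL entries to the real address, and lints for the common mistake of leaving an ACL pointing at the public IP, which on 8.3+ simply never matches. The sample config is constructed from the addresses in the thread; the function names and the `obj-<ip>` naming are assumptions.

```python
"""Convert pre-8.3 ASA 'static' host translations to 8.3+ object NAT and
rewrite extended ACLs to reference the real (untranslated) address.

Hypothetical helper written for this thread; it is not Cisco's migration
tool. It handles only one-to-one host statics (netmask 255.255.255.255 or
omitted) and 'host' entries in extended ACLs.
"""
import re
from dataclasses import dataclass

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# static (real_if,mapped_if) MAPPED REAL [netmask MASK]
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP})(?: netmask (?P<mask>{IP}))?\s*$"
)
HOST_RE = re.compile(rf"\bhost ({IP})\b")


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: str
    real: str


def parse_static(line):
    """Return a Static for a pre-8.3 host static, None for any other line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    if m["mask"] not in (None, "255.255.255.255"):
        raise ValueError(f"only /32 host statics are supported: {line.strip()}")
    return Static(m["real_if"], m["mapped_if"], m["mapped"], m["real"])


def object_nat(s):
    """8.3+ equivalent: a network object for the REAL host carrying the nat
    statement. The interface pair keeps the (real,mapped) order of the old
    static and the mapped address follows 'static'; the resulting rule is
    bidirectional, so no second object for the public IP is needed."""
    return [
        f"object network obj-{s.real}",
        f" host {s.real}",
        f" nat ({s.real_if},{s.mapped_if}) static {s.mapped}",
    ]


def rewrite_acl(line, mapped_to_real):
    """8.3+ ACLs match the real address: swap each 'host <mapped>' for
    'host <real>' where the mapped IP came from a converted static."""
    return HOST_RE.sub(lambda m: f"host {mapped_to_real.get(m.group(1), m.group(1))}", line)


def lint_acls(lines, mapped_ips):
    """Flag access-list lines that still reference a mapped (public) IP.
    After 8.3 such entries never match and the permitted traffic is dropped."""
    warnings = []
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("access-list"):
            for ip in HOST_RE.findall(line):
                if ip in mapped_ips:
                    warnings.append(
                        f"line {n}: ACL references mapped IP {ip}; 8.3+ ACLs must use the real IP"
                    )
    return warnings


def migrate(config):
    """Emit an 8.3+ style config: statics removed, ACLs rewritten to real
    IPs, object NAT blocks appended at the end."""
    lines = config.splitlines()
    statics = [s for s in (parse_static(l) for l in lines) if s]
    mapped_to_real = {s.mapped: s.real for s in statics}
    out = []
    for line in lines:
        if parse_static(line):
            continue  # replaced by an object NAT block below
        if line.lstrip().startswith("access-list"):
            out.append(rewrite_acl(line, mapped_to_real))
        else:
            out.append(line)
    for s in statics:
        out.extend(object_nat(s))
    return "\n".join(out)


# Constructed sample using the addresses from the thread.
OLD_CONFIG = """\
access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp
static (dmz,outside) 98.137.149.56 10.10.73.20 netmask 255.255.255.255
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    print(migrate(OLD_CONFIG))
    for w in lint_acls(OLD_CONFIG.splitlines(), {"98.137.149.56"}):
        print("WARNING:", w)
```

Run the linter against the converted output as well as the original: the original yields one warning for the ACL that names 98.137.149.56, the converted config yields none, because its ACL now names 10.10.73.20 as the thread's final answer requires.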