Solved

ASA 8.4 help with statically assigning IPs

Posted on 2011-04-20
Last Modified: 2012-05-11
We are upgrading from an older PIX to an ASA 5520 running 8.4.1.  I’m finding out that the commands in the 8.3 versions and later of the O.S. are quite a bit different from what I’m used to.

One of the areas that is giving me problems is the lack of a “static” command that was used prior to 8.3.

As an example, in older versions if I wanted to allow FTP traffic from the Internet to an FTP server in our DMZ I would use the following:

access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp
static (dmz,outside) 98.137.149.56 10.10.73.20 netmask 255.255.255.255

I can’t figure out how to do the same thing in 8.4 without the static command.  What commands do I use to statically map or assign an outside address to an IP in our DMZ?

Thanks for the help!
Question by:steno1122
5 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35432898
Indeed things have changed as of 8.3
I found this particular document very helpful, I don't leave home without it ;)
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968
 

Author Comment

by:steno1122
ID: 35436031
Thanks erniebeek for the link. I do have one more question for you or anyone else that can answer.  Are the nat statements in 8.3 and higher bidirectional or unidirectional?  In my original post I asked how to statically nat an external IP to an address in our DMZ for an FTP server.  In this case the FTP server accepts FTP connections from the Internet but it also does FTP polling (establishes FTP connections outbound to customer servers).  That being the case, the nat entry or entries need to be bidirectional so inbound connections nat to the DMZ IP and outbound connections nat to the external IP.  Below are two examples using information from erniebeek's link.  Do both of these examples do the same thing assuming the nat is bidirectional, or do I need both object network entries along with the ACL?


access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp

object network obj-10.10.73.20
host 10.10.73.20
nat (DMZ,outside) static 98.137.149.56

and / or

object network obj-98.137.149.56
host 98.137.149.56
nat (outside,DMZ) static 10.10.73.20


In a nutshell, do I need both of the entries above or just one?  Do both object network entries do the same thing?

Thanks for the help.  Much appreciated!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35440182
You just need the first and yes, it is bidirectional.

It would be interesting to see what the second set does :)
It would be something like: static (outside,DMZ) 10.10.73.20 98.137.149.56 netmask 255.255.255.255
As you can see, that is not going to work.
 

Author Comment

by:steno1122
ID: 35445386
erniebeek, thanks again for the reply.  I have one final question.  Does the ACL reference the inside IP or the external IP?

Would this ACL be correct?

access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp

Or is this one correct?

access-list outside_in extended permit tcp any host 10.10.73.20 eq ftp

object network obj-10.10.73.20
host 10.10.73.20
nat (DMZ,outside) static 98.137.149.56


Thanks again.  You are a huge help!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35446776
You're welcome :)

In the 'old' manner the ACL referenced the public IP, in the new manner you use the private IP. So in this case access-list outside_in extended permit tcp any host 10.10.73.20 eq ftp is the ACL entry you need to use.
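The two points settled in this thread (one object NAT statement replaces the pre-8.3 static and is bidirectional; the 8.3+ ACL references the private address) can be captured as a small migration script. This is an added example, not code from the thread or from Cisco; it assumes only the one-to-one host statics and single-host ACEs quoted above, with the sample input constructed from the question.

```python
import re

# Constructed sample input: the pre-8.3 "static" + ACL pair quoted in the question.
# Note that the old ACL matches on the mapped (public) address.
OLD_CONFIG = """\
access-list outside_in extended permit tcp any host 98.137.149.56 eq ftp
static (dmz,outside) 98.137.149.56 10.10.73.20 netmask 255.255.255.255
"""

# One-to-one static: static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask 255\.255\.255\.255$"
)
# ACE with a single destination host: text before the host IP, the IP, the remainder
ACL_HOST_RE = re.compile(
    r"^(?P<head>access-list \S+ extended permit \S+ \S+ host )(?P<ip>\S+)(?P<rest>.*)$"
)


def parse_statics(config: str) -> dict:
    """Map each mapped (public) IP to (real_if, mapped_if, real_ip) from static lines."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group("mapped")] = (m.group("real_if"), m.group("mapped_if"), m.group("real"))
    return statics


def migrate(config: str) -> str:
    """Rewrite a pre-8.3 fragment into 8.3+ object NAT plus real-IP ACEs."""
    statics = parse_statics(config)
    out = []
    # Each static becomes one object NAT statement; 8.3+ object NAT is bidirectional,
    # so no second object for the (outside,dmz) direction is needed.
    for mapped, (real_if, mapped_if, real) in statics.items():
        out += [f"object network obj-{real}", f" host {real}",
                f" nat ({real_if},{mapped_if}) static {mapped}"]
    for line in config.splitlines():
        if STATIC_RE.match(line.strip()):
            continue  # replaced by the object NAT block above
        m = ACL_HOST_RE.match(line)
        if m and m.group("ip") in statics:
            # 8.3+ ACLs are evaluated against the real (private) address
            line = m.group("head") + statics[m.group("ip")][2] + m.group("rest")
        out.append(line)
    return "\n".join(out)
```

The existing access-group binding of outside_in to the outside interface is unaffected and is left alone by the script.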
