?
Solved

Cisco ASA 5505: How to set up NAT/PAT rules from scratch?

Posted on 2012-03-11
8
Medium Priority
?
2,086 Views
Last Modified: 2012-03-22
Hi experts,

I need some help again with Cisco ASA (still need to read this 1200 page book entirely...)

I'm setting up a server (on LAN) for some services, and these services need to be accessible from the outside world.

As for the Cisco ASA 5505: Let's assume here that the outside interface has IP address 81.82.83.84 and the inside address is 192.168.1.1. The server has IP address 192.168.1.5

What commands do I exactly need to set this up? My Cisco command-line knowledge is basic. I also would like to know how you do this in ASDM (GUI), so I can compare these two.

Thanks for your feedback!
0
Comment
Question by:Mac2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:SuperTaco
ID: 37707750
it's much easier to do using the ASDM, although it is possible to do it CLI.

Here's a link to the ADSM guide.  Just a couple of screen shots.  You will also have to open the ports to the server using the ACL interface (underNAT Rules in ASDM)

http://www.howtocisco.com/cisco/asanat1.htm

-as for CLI, I like to create service groups for each server so the first step is:

conf t

object-group service Exchange tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp

(or you can use ports number i.e.-80,440, etc)

-Then create and ACL using your group name (it's just eaiser if you need ot modify the object later)

access-list outside_access_in extended permit tcp any host 81.82.82.84 object-group Exchange

-then create the NAT rule

static (inside,outside) tcp 81.82.83.83 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 81.82.83.84 smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp 81.82.83.84 pop3 192.168.1.5 pop3 netmask 255.255.255.255
static (inside,outside) tcp 81.82.83.84 imap4 192.168.1.5 imap4 netmask 255.255.255.255
static (inside,outside) tcp 81.82.82.84 www 192.168.1.5 www netmask 255.255.255.255


Here's a good example for RDP that I use as a reference alot.  it has bot CLI and ASDM

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37707847
Thanks for your suggestions. I'll test those (on my test ASA) tomorrow - it's late over here. I already tried (via ASDM) suggestions in the second URL you posted. Is using the outside-IP number always needed? This instead of selecting "outside" as interface?
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 37708412
Agree with super taco, but don't forget the command below,

access-group outside_access_in in interface outside
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 57

Expert Comment

by:Pete Long
ID: 37708944
You are simply doing "Port forwarding" or Static PAT

Cisco PIX / ASA Port Forwarding

Pete
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37710075
Thanks again for the feedback!

@PeteLong
I'm going to test the suggestions on your website. I have a question about what I read at this point:

http://www.petenetlive.com/KB/Article/0000077.htm#n83
5. Then create a NAT translation for the port to be forwarded. then you can exit the network object prompt.

What do you write here if you need to forward a port/service that is not predefined? For instance I need to forward "AFP" (Apple Filing Protocol) to the server on TCP port 548 .

The server is a mail server that also has a webinterface. The ASA is version 8.4(1) with ASDM 6.4(1). Do you also have screen shots for this ASDM version?
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37711610
@SuperTaco

The commands you suggest, work (get accepted) until this point:
static (inside,outside) tcp 81.82.83.83 https 192.168.1.5 https netmask 255.255.255.255
When I type it, even copy/paste (with the correct IP numbers), I get this error-message:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
What could be going wrong here?
0
 
LVL 8

Accepted Solution

by:
Mac2010 earned 0 total points
ID: 37716835
... allo ... allo ...

anyone listening?
0
 
LVL 8

Author Closing Comment

by:Mac2010
ID: 37751596
I appreciate the feedback. Unfortunately it didn't help me out...
Cisco Support (TAC) eventually did.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month13 days, 22 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question