Solved

Firewall NAT ASA with 9.1

Posted on 2014-01-27
4
3,951 Views
Last Modified: 2014-01-27
I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The nat is WAY different and I have some questions:


1)  To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 255.255.255.0
nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
subnet x.x.x.0 255.255.255.0

object network TEST456
subnet y.y.y.0 255.255.255.0


object-group network INTERNAL
network object obj TEST123
network object obj  TEST456
nat (inside,dmz) source static INTERNAL INTERNAL destination z.z.z.0 net-to-net no-proxy-arp


3) To do Static NAT to outside

object network WEBSERVER1
host z.z.z.z
nat (dmz,outside) static <External IP of host>


Then to allow access to webserver

access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated..!!!  Thanks in advance

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....
0
Comment
Question by:gbotts
  • 2
4 Comments
 
LVL 24

Expert Comment

by:Ken Boone
ID: 39813973
Yea.. I hate it too.  I still don't see the benefits of this.  If you use the gui its not really a big deal but command line gets to be a real pain.  The fact that the object is listed in two different places in the config drives me nuts.  So its listed near the top of the config for the definition of the host or subnet.. then its down near the bottom for the nat component.

Anyway its a whole different way of thinking about.

Here is a link to a good guide that will show you examples.  This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129
0
 
LVL 8

Accepted Solution

by:
amatson78 earned 500 total points
ID: 39813975
For a one to one NAT I used the following command, this mapped the inside object "sw_sslvpn_inside" which was an "internal IP" to the outside object "OUTSIDE_172.16.25.253" which acted like a "public IP"
object network sw_sslvpn_inside
 nat (inside,outside) static OUTSIDE_172.16.25.253 service tcp https https

Open in new window

One 2 One NAT
For a strict inbound NAT meaning I did not have to map it to a specific outbound IP I used the following which mapped to the object "PROXMOX" which was an "internal IP" for the ports for VNC:
nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp

Open in new window

Inbound NAT
And finally for an outbound NAT to map my web server "Web_Server_Ubuntu" to show as my second WAN IP which was under object "second_wan" only for HTTP:
object network second_wan
        host 172.16.25.222
      nat (inside,outside) 7 source static Web_Server_Ubuntu second_wan service http http unidirectional

Open in new window

Outbound NAT to second WAN
Hope that helps a bit.
0
 
LVL 8

Expert Comment

by:amatson78
ID: 39814067
Thank you much for the points glad I helped.

Cheers, Alan
0
 
LVL 1

Author Comment

by:gbotts
ID: 39814068
I wanted to spread the points but somehow it only added to one... Very new to this thing..  Sorry guys....
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now