Solved

Firewall NAT ASA with 9.1

Posted on 2014-01-27
4,004 Views
Last Modified: 2014-01-27
I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The NAT is WAY different and I have some questions:


1) To do a PAT to the outside, is it just

! object NAT: the nat line is a subcommand of the object; a single mapped host address gives PAT
object network TEST123
 subnet x.x.x.0 255.255.255.0
 nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
 subnet x.x.x.0 255.255.255.0

object network TEST456
 subnet y.y.y.0 255.255.255.0

object-group network INTERNAL
 network-object object TEST123
 network-object object TEST456

! twice NAT: the destination must also be given as "static <object> <object>" (the z.z.z.0 subnet defined as a network object)
nat (inside,dmz) source static INTERNAL INTERNAL destination static <DMZ object for z.z.z.0> <DMZ object for z.z.z.0> net-to-net no-proxy-arp


3) To do static NAT to outside

object network WEBSERVER1
 host z.z.z.z
 nat (dmz,outside) static <External IP of host>


Then to allow access to the webserver:

! since 8.3 the ACL matches the real (pre-NAT) address of the server, not the mapped one
access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated! Thanks in advance.

I wish Cisco would've NEVER changed this part of the IOS. The new way is crappy and confusing.
Question by: gbotts

4 Comments
Expert Comment by: Ken Boone (ID: 39813973)
Yeah, I hate it too. I still don't see the benefits of this. If you use the GUI it's not really a big deal, but the command line gets to be a real pain. The fact that the object is listed in two different places in the config drives me nuts. So it's listed near the top of the config for the definition of the host or subnet, then it's down near the bottom for the NAT component.

Anyway, it's a whole different way of thinking about it.

Here is a link to a good guide that will show you examples. This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129
Accepted Solution by: amatson78 (earned 500 total points, ID: 39813975)
For a one-to-one NAT I used the following command; this mapped the inside object "sw_sslvpn_inside", which was an "internal IP", to the outside object "OUTSIDE_172.16.25.253", which acted like a "public IP":
object network sw_sslvpn_inside
 nat (inside,outside) static OUTSIDE_172.16.25.253 service tcp https https

One-to-one NAT
For a strictly inbound NAT, meaning I did not have to map it to a specific outbound IP, I used the following, which mapped to the object "PROXMOX" (an "internal IP") for the VNC ports:
nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp

Inbound NAT
And finally, for an outbound NAT to make my web server "Web_Server_Ubuntu" show as my second WAN IP, which was under the object "second_wan", only for HTTP:
object network second_wan
 host 172.16.25.222

! twice NAT rule (line 7): a global nat command, not a subcommand of the object above
nat (inside,outside) 7 source static Web_Server_Ubuntu second_wan service http http unidirectional

Outbound NAT to second WAN
Hope that helps a bit.
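The three cases in the question and the static/identity patterns from the accepted answer, consolidated as an added example in ASA 9.1 object/twice NAT syntax (not configuration from either poster). Addresses, interface names and object names are placeholders, and the verification commands show what a working rule set looks like on the box.

```cisco
! Added example (not configuration from either poster): the asker's three cases
! in ASA 9.1 object / twice NAT syntax. Addresses, interface and object names
! are placeholders (documentation ranges).

! 1) Outbound PAT: a single mapped host address makes the dynamic rule PAT,
!    so every host in 10.1.1.0/24 shares 203.0.113.10.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.10

! 2) Inside <-> DMZ with no translation: identity twice NAT (section 1, so it
!    is evaluated before object NAT). no-proxy-arp stops the ASA answering ARP
!    for the mapped (unchanged) addresses; route-lookup keeps normal routing.
object network DMZ_NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static DMZ_NET DMZ_NET no-proxy-arp route-lookup

! 3) Static one-to-one NAT for a DMZ web server and the inbound ACL. Since
!    8.3 the ACL matches the real (untranslated) address, here via the object.
object network WEBSERVER1
 host 192.168.50.80
 nat (dmz,outside) static 203.0.113.80
access-list out_in extended permit tcp any object WEBSERVER1 eq www
access-group out_in in interface outside

! Verification from exec mode (expected results in the comments):
! show nat detail
!   -> section 1 identity rule listed before the section 2 object rules
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.80 80
!   -> UN-NAT to 192.168.50.80, ACL out_in permits, Action: allow
! packet-tracer input inside tcp 10.1.1.5 40000 192.168.50.80 80
!   -> matches the identity rule; source stays 10.1.1.5, no PAT
```

If the inside-to-DMZ trace shows a translated source, a more specific rule is ordered ahead of the identity rule; check the order with show nat and adjust the line number.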
 
Expert Comment by: amatson78 (ID: 39814067)
Thank you very much for the points; glad I helped.

Cheers, Alan
Author Comment by: gbotts (ID: 39814068)
I wanted to spread the points but somehow it only added to one. Very new to this thing. Sorry, guys.