Solved

Firewall NAT ASA with 9.1

Posted on 2014-01-27
Last Modified: 2014-01-27
I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The NAT is WAY different and I have some questions:


1) To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 255.255.255.0
 nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
 subnet x.x.x.0 255.255.255.0

object network TEST456
 subnet y.y.y.0 255.255.255.0


object-group network INTERNAL
 network-object object TEST123
 network-object object TEST456
nat (inside,dmz) source static INTERNAL INTERNAL destination z.z.z.0 net-to-net no-proxy-arp


3) To do Static NAT to outside

object network WEBSERVER1
 host z.z.z.z
 nat (dmz,outside) static <External IP of host>


Then to allow access to webserver

access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated..!!!  Thanks in advance

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....
Question by:gbotts
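The part of the FWSM-to-ASA change the question is really about is that the old `static` / `nat` / `global` trio became per-object `nat` statements, and that from 8.3 onward access-lists match the real (untranslated) address instead of the mapped one. The following is an added example, not code from the thread or from Cisco: a small Python translator that rewrites a constructed sample of legacy lines into 8.3+ object NAT and fixes up the ACL accordingly. The sample addresses, the `obj-<ip>` object names and the function name are assumptions.

```python
import re

# Legacy (FWSM / ASA 8.2) forms handled: one-to-one "static", numbered
# "nat"/"global" pairs, and access-lists written against the MAPPED address.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def convert_legacy_nat(config):
    """Return (8.3+ config lines, {mapped_ip: real_ip}). Handles only static
    host translations, numbered nat/global pairs and access-list lines."""
    out, nats, globs, acls, mapped_to_real = [], {}, {}, [], {}
    for line in config:
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            mapped_to_real[mapped_ip] = real_ip
            out += [f"object network obj-{real_ip}",
                    f" host {real_ip}",
                    f" nat ({real_if},{mapped_if}) static {mapped_ip}"]
        elif m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            nats.setdefault(nat_id, []).append((iface, net, mask))
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()   # pool: an IP or "interface"
            globs[nat_id] = (iface, pool)
        elif line.startswith("access-list"):
            acls.append(line)
    # A nat-id only means something with its global pool; the pair becomes
    # one dynamic rule under the subnet object.
    for nat_id, entries in nats.items():
        if nat_id not in globs:
            raise ValueError(f"nat id {nat_id} has no matching global")
        g_if, pool = globs[nat_id]
        for iface, net, mask in entries:
            out += [f"object network obj-{net}",
                    f" subnet {net} {mask}",
                    f" nat ({iface},{g_if}) dynamic {pool}"]
    # Since 8.3, access rules match the REAL (untranslated) address, so an
    # ACL that named the mapped IP must be rewritten or it never matches.
    for acl in acls:
        for mapped, real in mapped_to_real.items():
            acl = re.sub(rf"\b{re.escape(mapped)}\b", real, acl)
        out.append(acl)
    return out, mapped_to_real

LEGACY = [  # constructed sample, not from the thread
    "static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255",
    "nat (inside) 1 10.1.1.0 255.255.255.0",
    "global (outside) 1 203.0.113.5",
    "access-list out_in extended permit tcp any host 203.0.113.10 eq www",
]
```

Run `print("\n".join(convert_legacy_nat(LEGACY)[0]))` to see the generated object NAT block; the rewritten ACL on the last line is the one migrations most often get wrong.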

Expert Comment

by:Ken Boone
ID: 39813973
Yea.. I hate it too. I still don't see the benefits of this. If you use the GUI it's not really a big deal, but the command line gets to be a real pain. The fact that the object is listed in two different places in the config drives me nuts. So it's listed near the top of the config for the definition of the host or subnet, then it's down near the bottom for the NAT component.

Anyway, it's a whole different way of thinking about it.

Here is a link to a good guide that will show you examples.  This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129

Accepted Solution

by: amatson78 (earned 500 total points)
ID: 39813975
For a one-to-one NAT I used the following command; this mapped the inside object "sw_sslvpn_inside", which was an "internal IP", to the outside object "OUTSIDE_172.16.25.253", which acted like a "public IP":
object network sw_sslvpn_inside
 nat (inside,outside) static OUTSIDE_172.16.25.253 service tcp https https


One 2 One NAT
For a strict inbound NAT, meaning I did not have to map it to a specific outbound IP, I used the following, which mapped to the object "PROXMOX", which was an "internal IP", for the ports for VNC:
nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp


Inbound NAT
And finally, for an outbound NAT to map my web server "Web_Server_Ubuntu" to show as my second WAN IP, which was under object "second_wan", only for HTTP:
object network second_wan
 host 172.16.25.222
nat (inside,outside) 7 source static Web_Server_Ubuntu second_wan service http http unidirectional


Outbound NAT to second WAN
Hope that helps a bit.

Expert Comment

by:amatson78
ID: 39814067
Thank you much for the points, glad I helped.

Cheers, Alan

Author Comment

by:gbotts
ID: 39814068
I wanted to spread the points but somehow it only added to one... Very new to this thing..  Sorry guys....