Firewall NAT ASA with 9.1

Posted on 2014-01-27
Last Modified: 2014-01-27
I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The NAT is WAY different and I have some questions:


1) To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 255.255.255.0
 nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
 subnet x.x.x.0 255.255.255.0

object network TEST456
 subnet y.y.y.0 255.255.255.0

! DMZ_NET is a placeholder name: the destination of a twice NAT rule must be a named network object
object network DMZ_NET
 subnet z.z.z.0 255.255.255.0

object-group network INTERNAL
 network-object object TEST123
 network-object object TEST456

nat (inside,dmz) source static INTERNAL INTERNAL destination static DMZ_NET DMZ_NET net-to-net no-proxy-arp

3) To do Static NAT to outside

object network WEBSERVER1
 host z.z.z.z
 nat (dmz,outside) static <External IP of host>

Then to allow access to webserver

! Since 8.3 the interface ACL matches the real (pre-NAT) address, so z.z.z.z here is the host's own address, not the mapped one
access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated! Thanks in advance.

I wish Cisco would've NEVER changed this part of the IOS. The new way is crappy and confusing.
Question by:gbotts
Expert Comment

by:Ken Boone
ID: 39813973
Yeah, I hate it too. I still don't see the benefits of this. If you use the GUI it's not really a big deal, but the command line gets to be a real pain. The fact that the object is listed in two different places in the config drives me nuts. So it's listed near the top of the config for the definition of the host or subnet, then it's down near the bottom for the NAT component.

Anyway, it's a whole different way of thinking about it.

Here is a link to a good guide that will show you examples.  This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129
Accepted Solution

by:
amatson78 earned 2000 total points
ID: 39813975
For a one-to-one NAT I used the following command; this mapped the inside object "sw_sslvpn_inside" (an "internal IP") to the outside object "OUTSIDE_172.16.25.253", which acted like a "public IP":

object network sw_sslvpn_inside
 nat (inside,outside) static OUTSIDE_172.16.25.253 service tcp https https

One-to-one NAT

For a strict inbound NAT, meaning I did not have to map it to a specific outbound IP, I used the following, which mapped to the object "PROXMOX" (an "internal IP") for the VNC ports:

nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp

Inbound NAT

And finally, for an outbound NAT to map my web server "Web_Server_Ubuntu" so it shows as my second WAN IP, which was under object "second_wan", only for HTTP:

object network second_wan
 host 172.16.25.222
nat (inside,outside) 7 source static Web_Server_Ubuntu second_wan service http http unidirectional

Outbound NAT to second WAN

Hope that helps a bit.
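Added example (not code from the original question or answers): a small Python parser for the two ASA 8.3+ NAT forms used in this thread, object NAT and twice NAT, that resolves object names and lists which real (pre-NAT) hosts a static rule exposes toward outside; those real addresses are what the 8.3+ interface ACL permits, so the list is what to audit after a migration. The sample config is constructed, and its object names and addresses are assumed.

```python
import re

# Constructed sample in ASA 8.3+ syntax, modelled on the thread; object names and addresses are assumed.
SAMPLE_CONFIG = """\
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.1
object network OUTSIDE_HTTPS
 host 203.0.113.11
object network SSLVPN_INSIDE
 host 10.1.1.20
 nat (inside,outside) static OUTSIDE_HTTPS service tcp https https
object network PROXMOX
 host 10.1.1.30
nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp
"""
# Object NAT: nat (real_if,mapped_if) static|dynamic MAPPED [service proto real_port mapped_port]
OBJ_NAT = re.compile(r"nat \((\w+),(\w+)\) (static|dynamic) (\S+)(?: service \w+ (\S+) (\S+))?")
# Twice NAT: nat (if1,if2) [line] source static REAL MAPPED [destination static MAPPED REAL] [service real mapped]
TWICE_NAT = re.compile(r"nat \((\w+),(\w+)\)(?: \d+)? source static (\S+) (\S+)"
                       r"(?: destination static (\S+) (\S+))?(?: service (\S+) (\S+))?")

def parse_nat(config):
    """Return one dict per nat statement with object names resolved; twice-NAT 'dst' is (mapped, real)."""
    objects, rules, cur = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith(("host ", "subnet ")):
            objects[cur] = "/".join(line.split()[1:])  # a.b.c.d or net/mask
        elif line.startswith("nat ") and " source static " in line:
            m = TWICE_NAT.match(line)
            rules.append({"mode": "twice", "ifaces": (m[1], m[2]), "real": m[3],
                          "mapped": m[4], "dst": (m[5], m[6]), "service": (m[7], m[8])})
        elif line.startswith("nat "):
            m = OBJ_NAT.match(line)
            rules.append({"mode": m[3], "ifaces": (m[1], m[2]), "real": cur,
                          "mapped": m[4], "dst": (None, None), "service": (m[5], m[6])})
    addr = lambda name: objects.get(name, name)  # literal IPs, "any" and "interface" pass through
    for r in rules:
        r.update(real=addr(r["real"]), mapped=addr(r["mapped"]), dst=tuple(map(addr, r["dst"])))
    return rules

def inbound_exposed(config):
    """Real (pre-NAT) hosts reachable from 'outside' via a static rule: the addresses the 8.3+ ACL must gate."""
    hosts = set()
    for r in parse_nat(config):
        if r["mode"] == "static" and r["ifaces"][1] == "outside":
            hosts.add((r["real"], r["service"][0] or "any"))
        elif r["mode"] == "twice" and r["ifaces"][0] == "outside" and r["dst"][1]:
            hosts.add((r["dst"][1], r["service"][1] or "any"))  # dst is (mapped, real)
    return hosts
```

Dynamic PAT rules are skipped on purpose: they create no inbound reachability, so only static object NAT and inbound twice NAT contribute to the exposure list.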
Expert Comment

by:amatson78
ID: 39814067
Thank you much for the points glad I helped.

Cheers, Alan
Author Comment

by:gbotts
ID: 39814068
I wanted to spread the points but somehow it only added to one... Very new to this thing. Sorry guys.