Solved

Firewall NAT ASA with 9.1

Posted on 2014-01-27
4
4,095 Views
Last Modified: 2014-01-27
I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The nat is WAY different and I have some questions:


1)  To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 255.255.255.0
nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
subnet x.x.x.0 255.255.255.0

object network TEST456
subnet y.y.y.0 255.255.255.0


object-group network INTERNAL
network object obj TEST123
network object obj  TEST456
nat (inside,dmz) source static INTERNAL INTERNAL destination z.z.z.0 net-to-net no-proxy-arp


3) To do Static NAT to outside

object network WEBSERVER1
host z.z.z.z
nat (dmz,outside) static <External IP of host>


Then to allow access to webserver

access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated..!!!  Thanks in advance

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....
0
Comment
Question by:gbotts
  • 2
4 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 39813973
Yea.. I hate it too.  I still don't see the benefits of this.  If you use the gui its not really a big deal but command line gets to be a real pain.  The fact that the object is listed in two different places in the config drives me nuts.  So its listed near the top of the config for the definition of the host or subnet.. then its down near the bottom for the nat component.

Anyway its a whole different way of thinking about.

Here is a link to a good guide that will show you examples.  This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129
0
 
LVL 8

Accepted Solution

by:
amatson78 earned 500 total points
ID: 39813975
For a one to one NAT I used the following command, this mapped the inside object "sw_sslvpn_inside" which was an "internal IP" to the outside object "OUTSIDE_172.16.25.253" which acted like a "public IP"
object network sw_sslvpn_inside
 nat (inside,outside) static OUTSIDE_172.16.25.253 service tcp https https

Open in new window

One 2 One NAT
For a strict inbound NAT meaning I did not have to map it to a specific outbound IP I used the following which mapped to the object "PROXMOX" which was an "internal IP" for the ports for VNC:
nat (outside,inside) source static any any destination static interface PROXMOX service VNC VNC no-proxy-arp

Open in new window

Inbound NAT
And finally for an outbound NAT to map my web server "Web_Server_Ubuntu" to show as my second WAN IP which was under object "second_wan" only for HTTP:
object network second_wan
        host 172.16.25.222
      nat (inside,outside) 7 source static Web_Server_Ubuntu second_wan service http http unidirectional

Open in new window

Outbound NAT to second WAN
Hope that helps a bit.
0
 
LVL 8

Expert Comment

by:amatson78
ID: 39814067
Thank you much for the points glad I helped.

Cheers, Alan
0
 
LVL 1

Author Comment

by:gbotts
ID: 39814068
I wanted to spread the points but somehow it only added to one... Very new to this thing..  Sorry guys....
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question