jetli87 asked on
Cisco ASA post 8.3 NAT/PAT Examples
Hi gurus,
I'm going from Cisco ASA 8.2 to 9.2 and obviously the biggest change is NAT/PAT statements. I've gotten a decent understanding of it, but would like a better explanation with the given below example:
Server A = 192.168.1.10
Server B = 192.168.1.11
Server C = 192.168.1.12
Access-list = inbound
inside interface = LAN
outside interface = Public
1) NAT Server A with Public IP of 100.100.100.10
2) NAT Server B with Public IP of 100.100.100.11
3) NAT Server C with Public IP of 100.100.100.11
4) open Public ports 25 and 443 on 100.100.100.10 and map to Server B
5) open Public ports 80 and 443 on 100.100.100.11 and map to Server A
6) open Public ports 80 and 443 on 100.100.100.12 and remap to Server C on ports 8080 and 4443 respectively.
1) what's the
ASKER
thanks for the reply but it doesn't work as desired.
I basically need the following two things to happen:
(1) With ServerA @ 192.168.1.10, I need an outbound static NAT for 100.100.100.10, i.e. when the server makes an outbound connection, the source address is 100.100.100.10.
(2) For inbound, I need ports 80 & 443 on 100.100.100.11 to be mapped to ServerA @ 192.168.1.10.
Thus, ServerA outbound = 100.100.100.10, but inbound = 100.100.100.11.
Your above code achieves (1), but not (2), as inbound connections for 80 & 443 are mapped to 100.100.100.10, not 100.100.100.11.
I hope that makes sense.
ASKER
Below is the pre 8.3 code that has worked for me:
access-list ServerA permit ip host 192.168.1.10 any
access-list ServerBC line 1 extended permit ip host 192.168.1.11 any
access-list ServerBC line 2 extended permit ip host 192.168.1.12 any
access-list inbound permit tcp any host 100.100.100.10 eq 25
access-list inbound permit tcp any host 100.100.100.10 eq 443
access-list inbound permit tcp any host 100.100.100.11 eq 80
access-list inbound permit tcp any host 100.100.100.11 eq 443
access-list inbound permit tcp any host 100.100.100.12 eq 80
access-list inbound permit tcp any host 100.100.100.12 eq 443
access-group inbound in interface outside
global (outside) 2 100.100.100.10
global (outside) 3 100.100.100.11
nat (inside) 2 access-list ServerA
nat (inside) 3 access-list ServerBC
static (inside,outside) tcp 100.100.100.10 25 192.168.1.11 25 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.10 443 192.168.1.11 443 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.11 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.11 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.12 80 192.168.1.12 8080 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.12 443 192.168.1.12 4443 netmask 255.255.255.255
ASKER CERTIFIED SOLUTION
try this:
object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 100.100.100.10
object network obj-192.168.1.11
host 192.168.1.11
nat (inside,outside) static 100.100.100.11
object network obj-192.168.1.12_8080
host 192.168.1.12
nat (inside,outside) static 100.100.100.12 service tcp 80 8080
object network obj-192.168.1.12_4443
host 192.168.1.12
nat (inside,outside) static 100.100.100.12 service tcp 443 4443
access-list inbound permit tcp any host 192.168.1.11 eq 25
access-list inbound permit tcp any host 192.168.1.11 eq 443
access-list inbound permit tcp any host 192.168.1.10 eq 80
access-list inbound permit tcp any host 192.168.1.10 eq 443
access-list inbound permit tcp any host 192.168.1.12 eq 80
access-list inbound permit tcp any host 192.168.1.12 eq 443
access-group inbound in interface outside
you may as well read the following article:
https://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/A_11175-Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html
hope this helps
max
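To make the 8.3+ behaviour concrete, here is a small Python model of how the post-8.3 object NAT rules in this thread are evaluated. It is an added example, not code from the thread, from jetli87 or max, or from Cisco; it hand-transcribes max's object NAT and access-list lines into Python data and applies three rules that ASA 8.3+ follows: a `static` object NAT is bidirectional (the same line translates outbound source and inbound destination), a `service` clause restricts a static rule to one port and can redirect it, and the interface access-list is matched against the real (untranslated) address and real port. Rule ordering between overlapping objects is not modelled; the rule set here has no overlaps. The function names and dataclass are this example's own.

```python
"""Toy model of Cisco ASA 8.3+ object (auto) NAT evaluation.

Added example, not from the thread or from Cisco. Rule and ACL data below are
hand-transcribed from the post-8.3 config posted in the thread.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    """One 'nat (inside,outside) static <mapped> [service tcp <mapped> <real>]' line."""
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None        # None -> rule covers every protocol and port
    real_port: Optional[int] = None    # port on the inside host
    mapped_port: Optional[int] = None  # port on the public address

# Transcribed from max's answer (object network ... / nat (inside,outside) static ...).
RULES = [
    StaticNat("192.168.1.10", "100.100.100.10"),
    StaticNat("192.168.1.11", "100.100.100.11"),
    StaticNat("192.168.1.12", "100.100.100.12", "tcp", real_port=8080, mapped_port=80),
    StaticNat("192.168.1.12", "100.100.100.12", "tcp", real_port=4443, mapped_port=443),
]

# Transcribed from max's 'access-list inbound permit tcp any host <real ip> eq <port>' lines.
ACL_INBOUND = {
    ("tcp", "192.168.1.11", 25), ("tcp", "192.168.1.11", 443),
    ("tcp", "192.168.1.10", 80), ("tcp", "192.168.1.10", 443),
    ("tcp", "192.168.1.12", 80), ("tcp", "192.168.1.12", 443),
}

def translate_outbound(src_ip: str, proto: str, src_port: int, rules=RULES) -> Tuple[str, int]:
    """Real -> mapped: source translation for a connection leaving the inside."""
    for r in rules:
        if r.real_ip != src_ip:
            continue
        if r.proto is None:                      # whole-host static: any port
            return r.mapped_ip, src_port
        if r.proto == proto and r.real_port == src_port:
            return r.mapped_ip, r.mapped_port    # port-specific static (redirect)
    return src_ip, src_port                      # no matching rule: left untranslated

def translate_inbound(dst_ip: str, proto: str, dst_port: int, rules=RULES):
    """Mapped -> real: destination un-translation for a connection arriving on outside.
    Returns None when no static rule claims that public address/port."""
    for r in rules:
        if r.mapped_ip != dst_ip:
            continue
        if r.proto is None:
            return r.real_ip, dst_port
        if r.proto == proto and r.mapped_port == dst_port:
            return r.real_ip, r.real_port
    return None

def acl_permits(proto: str, real_ip: str, real_port: int, acl=ACL_INBOUND) -> bool:
    """8.3+ semantics: the inbound ACL is checked against the REAL address and REAL port."""
    return (proto, real_ip, real_port) in acl

def inbound_decision(dst_ip: str, proto: str, dst_port: int):
    """Where an inbound packet lands after un-NAT, and whether the ACL lets it through."""
    real = translate_inbound(dst_ip, proto, dst_port)
    if real is None:
        return None, False
    return real, acl_permits(proto, real[0], real[1])

if __name__ == "__main__":
    # Outbound from Server A is sourced from 100.100.100.10, as wanted (requirement 1).
    print("A outbound ->", translate_outbound("192.168.1.10", "tcp", 51234))
    # Inbound 443 on 100.100.100.11 lands on Server B, not Server A (requirement 2 unmet).
    print("in .11:443 ->", inbound_decision("100.100.100.11", "tcp", 443))
    # Port redirect works, but the ACL written with 'eq 80' does not match real port 8080.
    print("in .12:80  ->", inbound_decision("100.100.100.12", "tcp", 80))
```

Running the three calls in the `__main__` block shows the two things worth checking before pasting a translated config into a 9.x box: a whole-host `static` carries its mapping in both directions, so with `obj-192.168.1.11 -> 100.100.100.11` the public 443 on .11 can only reach 192.168.1.11, which is the mismatch the asker reports; and for the port-redirect objects the 8.3+ ACL has to name the real port (8080 and 4443 on 192.168.1.12), because `eq 80` is compared against the packet after un-translation. Note also that, in this model as on the appliance, a service-specific static does not translate other outbound traffic from 192.168.1.12; that host needs its own whole-host or dynamic rule if it is expected to leave with a public source address.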