Solved

Cisco ASA post 8.3 NAT/PAT Examples

Posted on 2015-01-02
4
335 Views
Last Modified: 2015-04-18
Hi gurus,

I'm going from Cisco ASA 8.2 to 9.2 and obviously the biggest change is NAT/PAT statements.  I've gotten a decen understanding of it, but would like a better explanation with the given below example:

Server A = 192.168.1.10
Server B = 192.168.1.11
Server C = 192.168.1.12
Access-list = inbound
inside interface = LAN
outside interface = Public

1) NAT Server A with Public IP of 100.100.100.10
2) NAT Server B with Public IP of 100.100.100.11
3) NAT Server C with Public IP of 100.100.100.11
4) open Public ports 25 and 443 on 100.100.100.10 and map to Server B
5) open Public ports 80 and 443 on 100.100.100.11 and map to Server A
6) open Public ports 80 and 443 on 100.100.100.12 and remap to Server C on ports 8080 and 4443 respectively.







1) what's the
0
Comment
Question by:jetli87
  • 2
  • 2
4 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 40529036
hi,
try this:

object network obj-192.168.1.10
 host 192.168.1.10
nat (inside,outside) static 100.100.100.10

object network obj-192.168.1.11
 host 192.168.1.11
nat (inside,outside) static 100.100.100.11

object network obj-192.168.1.12_8080
 host 192.168.1.12
nat (inside,outside) static 100.100.100.12 service tcp 80 8080

object network obj-192.168.1.12_4443
 host 192.168.1.12
nat (inside,outside) static 100.100.100.12 service tcp 443 4443

access-list inbound permit tcp any host 192.168.1.11 eq 25
access-list inbound permit tcp any host 192.168.1.11 eq 443

access-list inbound permit tcp any host 192.168.1.10 eq 80
access-list inbound permit tcp any host 192.168.1.10 eq 443

access-list inbound permit tcp any host 192.168.1.12 eq 80
access-list inbound permit tcp any host 192.168.1.12 eq 443


access-group inbound in interface outside

you may as well read the following article:
http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/A_11175-Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html

hope this helps
max
0
 
LVL 1

Author Comment

by:jetli87
ID: 40529311
thanks for the reply but it doesn't work as desired.

I basically need the following two things to happen:

(1) With ServerA @ 192.168.1.10, I need an outbound static NAT for 100.100.100.10, i.e. when the server makes an outbound connection, the source address is 100.100.100.10.
(2) For inbound, I need ports 80 & 443 on 100.100.100.11 to be mapped to ServerA @ 192.168.1.10.

Thus, ServerA outbound = 100.100.100.10, but inbound = 100.100.100.11.

Your above code achieves (1), but not (2), as inbound connections for 80 & 443 are mapped to 100.100.100.10, not 100.100.100.11.

I hope that makes sense.
0
 
LVL 1

Author Comment

by:jetli87
ID: 40529330
Below is the pre 8.3 code that has worked for me:

access-list ServerA permit ip host 192.168.1.10 any 

access-list ServerBC line 1 extended permit ip host 192.168.1.11 any
access-list ServerBC line 2 extended permit ip host 192.168.1.12 any

access-list inbound permit tcp any host 100.100.100.10 eq 25
access-list inbound permit tcp any host 100.100.100.10 eq 443
access-list inbound permit tcp any host 100.100.100.11 eq 80
access-list inbound permit tcp any host 100.100.100.11 eq 443
access-list inbound permit tcp any host 100.100.100.12 eq 80
access-list inbound permit tcp any host 100.100.100.12 eq 443

access-group inbound in interface outside

global (outside) 2 100.100.100.10
global (outside) 3 100.100.100.11

nat (inside) 2 access-list ServerA     
nat (inside) 3 access-list ServerBC   
 
static (inside,outside) tcp 100.100.100.10 25 192.168.1.11 25 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.10 443 192.168.1.11 443 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.11 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.11 25 192.168.1.10 443 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.12 80 192.168.1.12 8080 netmask 255.255.255.255
static (inside,outside) tcp 100.100.100.12 443 192.168.1.12 4443 netmask 255.255.255.255

Open in new window

0
 
LVL 15

Accepted Solution

by:
max_the_king earned 500 total points
ID: 40535187
Hi,
try this:

object network obj-192.168.1.10_25
 host 192.168.1.10
 nat (inside,outside) static 100.100.100.11 service tcp 25 25
 
object network obj-192.168.1.10_443
 host 192.168.1.10
 nat (inside,outside) static 100.100.100.11 service tcp 443 443
 
access-list inbound permit tcp any host 192.168.1.10 eq 25
access-list inbound permit tcp any host 192.168.1.10 eq 443
 
object network obj-192.168.1.10
 host 192.168.1.10
nat (inside,outside) dynamic 100.100.100.10

hope this helps
max
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall multiple ISP configuration 5 55
Access List 2 18
WAN Site Edge Routers 15 49
Cisco Switch Port Security 2 33
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
A short film showing how OnPage and Connectwise integration works.
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now