Cisco ASA 8.4 with single IP - How to do port translation

How do I set up an ASA running 8.4 with a single external IP address to allow incoming connections to a mail server?

I need to have access on (example) 200.200.200.200 to 192.168.100.100 on ports 25, 80, 443.

I still have my head stuck in 8.2 land!
mvalpreda asked:
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
! 'service' in a twice NAT statement takes 'object service' entries (e.g. 'service tcp destination eq 25'),
! one port per object; tcp port-object groups named obj-svc_mta/obj-svc_web cannot be used here as-is.
nat (outside,inside) source static any any destination static interface mail-server service obj-svc_mta obj-svc_mta unidirectional
nat (outside,inside) source static any any destination static interface mail-server service obj-svc_web obj-svc_web unidirectional



You will need an access list too.

Most likely:

! mail-server is an 'object network' and obj-svc_* are tcp service object-groups, so they go in the
! address and port positions respectively; 8.3+ ACLs match the real (untranslated) destination.
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_mta log disable
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_web log disable
! bind the list inbound on the outside interface if it is not already applied there
access-group outside_access_in in interface outside


 
James H (IT Director) commented:
Using CLI or ASDM?
 
mvalpreda (Author) commented:
CLI.
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
object network mail-server
  host <mail server ip>

! the port needs an operator (eq/range/lt/gt/neq); 'destination 25' alone is rejected
object service tcp_smtp
  service tcp destination eq 25

nat (outside,inside) source static any any destination static interface mail-server service tcp_smtp tcp_smtp unidirectional



Here is what the nat statement means:

nat (<incoming interface>,<outgoing interface>) source static <original source object> <translated source object> destination static <original destination object> <translated destination object> service <original service> <translated service> <(optional: unidirectional)>



That should do it for CLI; for ASDM it is pretty self-explanatory (if you follow the above statement you can deduce what you need to put in there).
 
mvalpreda (Author) commented:
I was looking at the config on the ASA (and a couple of other ones here) and I'm trying to keep them similar. This is what I see on a few.

object-group service obj-svc_mta tcp
 port-object eq 25

object-group service obj-svc_web tcp
 port-object eq 80
 port-object eq 443

object network mail-server
  host <mail server ip>

What would the nat statement look like then? Do I need an access-list?
 
mvalpreda (Author) commented:
Never seen 'unidirectional' before. What does that do?
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Makes it a one-way NAT statement. You don't need a two-way NAT for this. It defines your "initialization direction"; it has a much greater benefit on inside->outside static NAT statements (but is still useful here).

I use it mainly as my "best practice" for security, and so I know that it will only allow initialization in one direction. (Your dynamic NAT should catch inside->outside anyway.)
 
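Pulling the accepted answer and the "unidirectional" explanation above together, here is the complete 8.4 configuration for the three ports as an added example; it is not configuration posted in this thread. It reuses the object names from the poster's existing config (mail-server, obj-svc_mta, obj-svc_web) and the addresses from the question; the interface names outside/inside, the svc_* service object names and the use of outside_access_in as the inbound access list are assumptions.

```cisco
! Added example, not from the thread. Assumed: interfaces named outside/inside,
! access-list outside_access_in is (or will be) the inbound list on outside,
! svc_* object names are arbitrary.
object network mail-server
 host 192.168.100.100
!
! Twice NAT only accepts 'object service' entries, one port each, so the
! tcp port-object groups (obj-svc_mta/obj-svc_web) cannot be used in the
! nat lines. 80 and 443 stay separate: 'range 80 443' would also forward 81-442.
object service svc_smtp
 service tcp destination eq 25
object service svc_http
 service tcp destination eq 80
object service svc_https
 service tcp destination eq 443
!
! Outside hosts connect to the outside interface IP (200.200.200.200 in the
! question); the ASA rewrites the destination to the real server. Both service
! objects are the same because no port change is wanted. 'unidirectional' keeps
! this rule from also translating connections the mail server opens outbound;
! those fall through to the normal dynamic NAT.
nat (outside,inside) source static any any destination static interface mail-server service svc_smtp svc_smtp unidirectional
nat (outside,inside) source static any any destination static interface mail-server service svc_http svc_http unidirectional
nat (outside,inside) source static any any destination static interface mail-server service svc_https svc_https unidirectional
!
! 8.3+ access lists match the real (untranslated) destination, so permit to
! the server object, not to the outside IP. The existing tcp service groups
! are valid here, in the port position. Because the nat lines use 'source
! static any any', this list is the only thing limiting who can reach the server.
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_mta
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_web
access-group outside_access_in in interface outside
```

To check the result before anyone tests from the Internet, run packet-tracer from exec mode with a made-up outside source, e.g. "packet-tracer input outside tcp 203.0.113.10 40000 200.200.200.200 25"; the NAT phase should show the matching nat line with the destination rewritten to 192.168.100.100 and the ACCESS-LIST phase should show outside_access_in permitting it. Repeat for 80 and 443, then use "show nat detail" to confirm the hit counters move and "show xlate" to see the resulting translations once real connections arrive.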
mvalpreda (Author) commented:
Thanks. I will keep that in mind for new deployments.
Question has a verified solution.
