Cisco ASA 8.4 with single IP - How to do port translation

How do I set up an ASA running 8.4 with a single external IP address to allow incoming connections to a mail server?

I need to have access on (example) 200.200.200.200 to 192.168.100.100 on ports 25,80,443.

I still have my head stuck in 8.2 land!
LVL 2
mvalpreda asked:

James H, IT Director, commented:
Using CLI or ASDM?
0
mvalpreda (Author) commented:
CLI.
0
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
object network mail-server
  host <mail server ip>

object service tcp_smtp
  service tcp destination eq 25

nat (outside, inside) source static any any destination static interface mail-server service tcp_smtp tcp_smtp unidirectional

Here is what the nat statement means:

nat (<incoming interface>,<outgoing interface>) source static <original source object> <translated source object> destination static <original destination object> <translated destination object> service <original service> <translated service> <(optional: unidirectional)>

Should do it for CLI; for ASDM, it is pretty self-explanatory (if you follow the above statement you can deduce what you need to put in there).
0
mvalpreda (Author) commented:
I was looking at the config on the ASA (and a couple of other ones here) and I'm trying to keep them similar. This is what I see on a few.

object-group service obj-svc_mta tcp
 port-object eq 25

object-group service obj-svc_web tcp
 port-object eq 80
 port-object eq 443

object network mail-server
  host <mail server ip>

What would the nat statement look like then? Do I need an access-list?
0
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
nat (outside, inside) source static any any destination static interface mail-server service obj-svc_mta obj-svc_mta unidirectional
nat (outside, inside) source static any any destination static interface mail-server service obj-svc_web obj-svc_web unidirectional

You will need an access list too.

Most likely:

access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_mta log disable
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_web log disable

0

mvalpreda (Author) commented:
Never seen 'unidirectional' before. What does that do?
0
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
Makes it a one way NAT statement. You don't need a 2 way NAT for this. It defines your "initialization direction"; it has a much greater benefit on inside->outside static NAT statements (but is still useful here).

I use it mainly as my "best practice" for security.  And so I know that it will only allow initialization in one direction. (Your dynamic NAT should catch inside->outside anyways)
0
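The two points the thread settles (an 8.3+/8.4 twice-NAT port forward needs a matching ACE on the real, untranslated host object, and outside-initiated forwards should carry `unidirectional`) are easy to check mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.4 config snippet in the same object/NAT/ACL layout the answers use, and reports every outside-to-inside twice-NAT rule that is either bidirectional or has no `outside_access_in` ACE permitting its port to the real host. The regexes cover only the statement forms used here (single-port `object service` objects, `eq`-port or service-object ACEs); everything else is an assumption for the example.

```python
"""Audit ASA 8.3+/8.4 twice-NAT port forwards (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed config snippet in the thread's layout. The second NAT rule deliberately
# lacks 'unidirectional' and has no matching ACE, so the audit has something to find.
SAMPLE_CONFIG = """\
object network mail-server
  host 192.168.100.100
object service tcp_smtp
  service tcp destination eq 25
object service tcp_https
  service tcp destination eq 443
nat (outside,inside) source static any any destination static interface mail-server service tcp_smtp tcp_smtp unidirectional
nat (outside,inside) source static any any destination static interface mail-server service tcp_https tcp_https
access-list outside_access_in extended permit tcp any object mail-server eq smtp
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"smtp": 25, "http": 80, "www": 80, "https": 443}

SVC_OBJ_RE = re.compile(r"^object service (\S+)$")
SVC_LINE_RE = re.compile(r"^\s+service (tcp|udp) destination eq (\S+)$")
# nat (real_if,mapped_if) source static A B destination static MAPPED REAL [service REAL_SVC MAPPED_SVC] [opts]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>\w+),\s*(?P<mapped_if>\w+)\) source static \S+ \S+"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)"
    r"(?: service (?P<svc_real>\S+) (?P<svc_mapped>\S+))?(?P<opts>.*)$"
)
ACE_PORT_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) \S+ object (?P<dst>\S+) eq (?P<port>\S+)"
)
ACE_OBJ_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit object (?P<svc>\S+) \S+ object (?P<dst>\S+)"
)


def port_number(token: str) -> int:
    """Turn 'smtp' or '25' into 25."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text: str):
    """Return (service objects, twice-NAT rules, permitted (acl, dst, proto, port) tuples)."""
    services: Dict[str, Tuple[str, int]] = {}
    nats: List[dict] = []
    permitted: Set[Tuple[str, str, str, int]] = set()
    current = None  # service object whose sub-commands we are inside
    for line in text.splitlines():
        if m := SVC_OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SVC_LINE_RE.match(line)) and current:
            services[current] = (m.group(1), port_number(m.group(2)))
        elif m := NAT_RE.match(line):
            nats.append(m.groupdict())
            current = None
        elif m := ACE_PORT_RE.match(line):
            permitted.add((m["acl"], m["dst"], m["proto"], port_number(m["port"])))
        elif (m := ACE_OBJ_RE.match(line)) and m["svc"] in services:
            proto, port = services[m["svc"]]
            permitted.add((m["acl"], m["dst"], proto, port))
    return services, nats, permitted


def audit(text: str, acl: str = "outside_access_in") -> List[str]:
    """List outside-initiated port forwards that are bidirectional or lack an ACE on the real object."""
    services, nats, permitted = parse_config(text)
    findings: List[str] = []
    for nat in nats:
        if nat["real_if"] != "outside" or not nat["svc_real"]:
            continue  # only outside->inside forwards with a service clause are in scope
        label = f"{nat['dst_real']}/{nat['svc_real']}"
        if "unidirectional" not in nat["opts"].split():
            findings.append(f"{label}: NAT is bidirectional; add 'unidirectional'")
        if nat["svc_real"] not in services:
            findings.append(f"{label}: service object not defined")
            continue
        proto, port = services[nat["svc_real"]]
        # In 8.3+ the ACL must reference the real (untranslated) host object.
        if (acl, nat["dst_real"], proto, port) not in permitted:
            findings.append(f"{label}: no ACE in {acl} permits {proto}/{port} to real object {nat['dst_real']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show running-config` export, the script flags each forward that silently stays two-way or is unreachable because its ACE was written against the mapped interface address instead of the real object.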
mvalpreda (Author) commented:
Thanks. I will keep that in mind for new deployments.
0