asked on

Cisco ASA 8.4 with single IP - How do to port translation

How do I set up an ASA running 8.4 with a single external IP address to allow incoming connections to a mail server?

I need to have access on (example) 200.200.200.200 to 192.168.100.100 on ports 25,80,443.

I still have my head stuck in 8.2 land!

James H

Using CLI or ASDM?

mvalpreda

ASKER

CLI.

SOLUTION

Daniel Sheppard

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

mvalpreda

ASKER

I was looking at the config on the ASA (and a couple of other ones here) and I'm trying to keep them similar. This is what i see on a few.

object-group service obj-svc_mta tcp
port-object eq 25

object-group service obj-svc_web tcp
port-object eq 80
port-object eq 443

object network mail-server
host <mail server ip>

What would the nat statement look like then? Do I need an access-list?

ASKER CERTIFIED SOLUTION

Daniel Sheppard

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

mvalpreda

ASKER

Never seen 'unidirectional' before. What does that do?

Daniel Sheppard

Makes it a one way NAT statement. You don't need a 2 way NAT for this. It defines your "initalization direction", it has a much greater benefit on inside->outside static NAT statements (but is still useful here).

I use it mainly as my "best practice" for security. And so I know that it will only allow initialization in one direction. (Your dynamic NAT should catch inside->outside anyways)

mvalpreda

ASKER

Thanks. I will keep that in mind for new deployments.