mvalpreda
asked on
Cisco ASA 8.4 with single IP - How to do port translation
How do I set up an ASA running 8.4 with a single external IP address to allow incoming connections to a mail server?
I need to have access on (example) 200.200.200.200 to 192.168.100.100 on ports 25,80,443.
I still have my head stuck in 8.2 land!
Using CLI or ASDM?
ASKER
CLI.
SOLUTION
ASKER
I was looking at the config on the ASA (and a couple of other ones here) and I'm trying to keep them similar. This is what I see on a few.
object-group service obj-svc_mta tcp
port-object eq 25
object-group service obj-svc_web tcp
port-object eq 80
port-object eq 443
object network mail-server
host <mail server ip>
What would the nat statement look like then? Do I need an access-list?
ASKER CERTIFIED SOLUTION
ASKER
Never seen 'unidirectional' before. What does that do?
Makes it a one way NAT statement. You don't need a 2 way NAT for this. It defines your "initialization direction", it has a much greater benefit on inside->outside static NAT statements (but is still useful here).
I use it mainly as my "best practice" for security. And so I know that it will only allow initialization in one direction. (Your dynamic NAT should catch inside->outside anyways)
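As an added example (not the hidden accepted answer and not from any participant above), here is one way to write the 8.3+/8.4-style static PAT and the matching access-list for the objects mvalpreda posted, with the unidirectional keyword the reply above explains. It covers both the "what would the nat statement look like / do I need an access-list" question and the unidirectional point. 192.168.100.100 and 200.200.200.200 are the example addresses from the question; the interface names inside/outside, the service object names and the ACL name outside_access_in are assumptions, and 200.200.200.200 is assumed to be the outside interface's own address (hence the interface keyword rather than a mapped object).

```cisco
! Objects from the question; the host IP is the example address
object-group service obj-svc_mta tcp
 port-object eq 25
object-group service obj-svc_web tcp
 port-object eq 80
 port-object eq 443
object network mail-server
 host 192.168.100.100

! Twice NAT needs service objects. For a static server NAT the server's listening
! port is the SOURCE port as seen from the real (inside) side, so use "source eq".
! Object names are assumptions.
object service svc-tcp-25
 service tcp source eq 25
object service svc-tcp-80
 service tcp source eq 80
object service svc-tcp-443
 service tcp source eq 443

! Static PAT from the single outside interface IP to the mail server, one line per port.
! The same service object appears twice because the port is not changed (25 -> 25).
! "unidirectional": only outside->inside connections can be initiated through this
! rule; the server's own outbound traffic keeps using the normal dynamic PAT rule.
nat (inside,outside) source static mail-server interface service svc-tcp-25 svc-tcp-25 unidirectional
nat (inside,outside) source static mail-server interface service svc-tcp-80 svc-tcp-80 unidirectional
nat (inside,outside) source static mail-server interface service svc-tcp-443 svc-tcp-443 unidirectional

! An access-list is still required. Since 8.3 the inbound ACL matches the REAL
! (untranslated) address, so it references the object, not 200.200.200.200.
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_mta
access-list outside_access_in extended permit tcp any object mail-server object-group obj-svc_web
access-group outside_access_in in interface outside
```

The alternative is object (auto) NAT, e.g. `nat (inside,outside) static interface service tcp 25 25` inside a network object, but each network object can carry only one nat line, so three ports means three separate objects for the same host; the twice NAT form above keeps a single mail-server object that the ACL can reuse. After applying the config, `show nat` confirms which rule a port hits and `packet-tracer input outside tcp <some outside address> 12345 200.200.200.200 25` walks a simulated inbound SMTP packet through NAT and the ACL to confirm it is permitted, while the same command with an unlisted port (say 22) should show it dropped.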
ASKER
Thanks. I will keep that in mind for new deployments.