LuiLui77
asked on
Configuring NAT in ASA ver. 9.1
Hello All,
I have configured Static NAT to allow HTTP traffic from the outside to reach my server in the DMZ. In order to accomplish this I did the following:
- I created a new Network object for my DMZ server
- specified static translation to one of the public IP addresses in the range available
- Create an ACL on the outside interface to allow HTTP traffic to my DMZ server object
This configuration proved to work properly, but I have found some NAT configuration explanations on the web where they start by creating the External outside address as a Network Object, then they configure static NAT to the DMZ server IP in the same network object creation window, and lastly they create an ACL to allow HTTP traffic to the outside IP address. I gave this configuration a shot and it does not work for me in my lab environment.
Is this last configuration possible?
ASKER
Hey Pete, check this out, how I first configured it was:
object network DMZ-web-server
 host 172.16.1.10
 nat (dmz,outside) static 209.165.201.10
access-list outside_access_in line 1 extended permit tcp any object DMZ-web-server eq http
access-group outside_access_in in interface outside
How I have seen it in some examples on the web:
object network Outside_Address
 host 209.165.201.10
 nat (outside,dmz) static 172.16.1.10
access-list outside_access_in_1 line 1 extended permit tcp any object Outside_Address eq http
access-group outside_access_in_1 in interface outside
Which is kind of the other way around: it creates the Outside Address as the network object and configures NAT from there. Is the last one possible?
ASKER
You are right Pete, thanks!
The way you did it
object network OBJ-DMZ-Server
 host 192.168.100.100
 nat (inside,outside) static 123.123.123.123
access-list inbound permit tcp any object OBJ-DMZ-Server eq www
access-group inbound in interface outside
The other way
object network OBJ-DMZ-Server
 host 192.168.100.100
object network OBJ-Public-IP
 host 123.123.123.123
! Re-enter the server object so the nat statement attaches to the real host
object network OBJ-DMZ-Server
 nat (inside,outside) static OBJ-Public-IP
access-list inbound permit tcp any object OBJ-DMZ-Server eq www
access-group inbound in interface outside
As for doing this in the ASDM I don't have a Scooby, I don't use it sorry.
Pete
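An added example, not part of the thread or anyone's posted configuration: ASA 8.3 and later match access lists against the real (untranslated) address, which is why the working configurations above permit traffic to the server object rather than to the public IP. This Python check flags permit entries that reference an object NAT's mapped address; the sample config is constructed from the thread's addresses, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's first config plus two ACEs aimed at the mapped IP.
SAMPLE_CONFIG = """\
object network DMZ-web-server
 host 172.16.1.10
 nat (dmz,outside) static 209.165.201.10
object network Outside_Address
 host 209.165.201.10
access-list outside_access_in extended permit tcp any object DMZ-web-server eq http
access-list outside_access_in extended permit tcp any object Outside_Address eq http
access-list outside_access_in extended permit tcp any host 209.165.201.10 eq https
"""

def parse_object_nat(config):
    """Return ({object: host IP}, {mapped IP: object that owns the real host})."""
    hosts, static_nat, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"host (\S+)$", line)):
            hosts[current] = m.group(1)
        elif current and (m := re.match(r"nat \(\S+,\S+\) static (\S+)", line)):
            static_nat.append((current, m.group(1)))
        else:
            current = None  # any other command leaves object configuration mode
    # The mapped address may be written as a literal IP or as another object's name.
    mapped = {hosts.get(target, target): obj for obj, target in static_nat}
    return hosts, mapped

def find_mapped_address_aces(config):
    """Flag permit ACEs that reference a mapped (public) address instead of the real one."""
    hosts, mapped = parse_object_nat(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list ") or " permit " not in line:
            continue
        # Simplification (assumption): inspect every object/host reference in the ACE.
        for kind, name in re.findall(r"\b(object|host) (\S+)", line):
            ip = hosts.get(name) if kind == "object" else name
            if ip in mapped:
                findings.append((line, mapped[ip]))
    return findings

if __name__ == "__main__":
    for ace, real_obj in find_mapped_address_aces(SAMPLE_CONFIG):
        print(f"mapped address in ACE, use object {real_obj} instead:\n  {ace}")
```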