Cisco ASA 8.2 > 9.8 Upgrade NAT question

Hi,


I'm converting an old 5510 config from 8.2 to run on a 5508-X running 9.8(24). I've done a lot of these so I'm quite confident; however, the old firewall has this in the config:


! 
access-list inside_nat_static extended permit tcp host 192.168.1.100 eq 4443 any 
access-list inside_nat_static_1 extended permit tcp host 192.168.1.100 eq 8080 any 
!
static (inside,outside) tcp 123.123.123.106 https access-list inside_nat_static 
static (inside,outside) tcp 123.123.123.106 www access-list inside_nat_static_1
!




I'm not really used to seeing this, but this is what I've come up with to replace it:


!
object network OBJ-123.123.123.106
host 123.123.123.106
object network OBJ-192.168.1.100
host 192.168.1.100
object service OBJ-TCP-4443
service TCP source eq 4443
object service OBJ-TCP-8080
service TCP source eq 8080
!
object service OBJ-TCP-HTTPS
service TCP source eq https
!
object service OBJ-TCP-WWW
service TCP source eq www
!
nat (inside,outside) source static OBJ-192.168.1.100 OBJ-192.168.1.100 destination static OBJ-123.123.123.106 OBJ-123.123.123.106 service OBJ-TCP-4443 OBJ-TCP-HTTPS
nat (inside,outside) source static OBJ-192.168.1.100 OBJ-192.168.1.100 destination static OBJ-123.123.123.106 OBJ-123.123.123.106 service OBJ-TCP-8080 OBJ-TCP-WWW
!




IS THAT CORRECT? Have I made a mistake? (This firewall won't be going live for a while.) So I'd like a second opinion.

Pete Long, Technical Consultant, asked:


Ken Boone, Network Consultant, commented:
I think you can do this but I am going off memory here.

! object NAT port syntax is: service tcp <real_port> <mapped_port>
object network OBJ-192.168.1.100-port80
  host 192.168.1.100
  nat (inside,outside) static 123.123.123.106 service tcp 8080 80   <--- I might have the ports backwards.. I can't remember

object network OBJ-192.168.1.100-port443
  host 192.168.1.100
  nat (inside,outside) static 123.123.123.106 service tcp 4443 443   <-- Same here.. they might be backwards.

You can use objects instead of direct IP addresses and ports, but I wanted to simplify what was what. I believe this is how you would do that.

Now of course you need an ACL on the outside interface to allow port 8080 and 4443 to reach 192.168.1.100.
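As an added example (not part of this thread and not from either poster), here is a small Python script that mechanically applies the conversion described in the answer above: it reads the 8.2 "static ... access-list" lines together with their single-ACE ACLs and emits the 8.3+ object NAT form, with the real port before the mapped port. It refuses any static whose ACL destination is not "any", since that case needs twice NAT instead. The OBJ-<ip>-<port> object names and the PORT_NAMES table are my assumptions; the sample input is the two pairs quoted in the question.

```python
import re

# Port names the ASA accepts in place of numbers (subset sufficient for this page).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}

# 8.2 policy-static pair: an ACE naming the real host/port, and the static
# that binds that ACL to a mapped IP and mapped port.
ACL_RE = re.compile(r"access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
                    r"host (?P<real_ip>\S+) eq (?P<real_port>\S+) (?P<dst>.+)$")
STATIC_RE = re.compile(r"static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
                       r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) access-list (?P<acl>\S+)$")

def port_number(p):
    return int(p) if p.isdigit() else PORT_NAMES[p.lower()]

def convert(config_text):
    """Return 8.3+ object NAT for each 8.2 'static ... access-list' whose ACL has
    exactly one ACE with destination 'any'; anything else needs twice NAT, so refuse."""
    acls, statics = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
    out = []
    for s in statics:
        aces = acls.get(s["acl"], [])
        if len(aces) != 1 or aces[0]["dst"].strip() != "any":
            raise ValueError(f"{s['acl']}: not a single-ACE 'any' policy; use twice NAT")
        a = aces[0]
        real_port, mapped_port = port_number(a["real_port"]), port_number(s["mapped_port"])
        # Object NAT order is real_port then mapped_port (the reverse of the 8.2 line,
        # where the mapped port sits on the static and the real port in the ACE).
        out += [f"object network OBJ-{a['real_ip']}-{real_port}",
                f" host {a['real_ip']}",
                f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped_ip']} "
                f"service {s['proto']} {real_port} {mapped_port}",
                "!"]
    return "\n".join(out)

# Constructed sample: the two static/ACL pairs from the question.
SAMPLE_82 = """
access-list inside_nat_static extended permit tcp host 192.168.1.100 eq 4443 any
access-list inside_nat_static_1 extended permit tcp host 192.168.1.100 eq 8080 any
static (inside,outside) tcp 123.123.123.106 https access-list inside_nat_static
static (inside,outside) tcp 123.123.123.106 www access-list inside_nat_static_1
"""

if __name__ == "__main__":
    print(convert(SAMPLE_82))
```

Remember that on 8.3+ the outside-in access-list must permit the real host and real ports (192.168.1.100 on 4443 and 8080), not the mapped ones.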
