Cisco ASA 8.2 > 9.8 Upgrade NAT question

Hi,


I'm converting an old 5510 config from 8.2 to run on a 5508-X running 9.8(24). I've done a lot of these, so I'm quite confident; however, the old firewall has this in the config:


! 
access-list inside_nat_static extended permit tcp host 192.168.1.100 eq 4443 any 
access-list inside_nat_static_1 extended permit tcp host 192.168.1.100 eq 8080 any 
!
static (inside,outside) tcp 123.123.123.106 https access-list inside_nat_static 
static (inside,outside) tcp 123.123.123.106 www access-list inside_nat_static_1
!


I'm not really used to seeing this, but this is what I've come up with to replace it:

!
object network OBJ-123.123.123.106
host 123.123.123.106
object network OBJ-192.168.1.100
host 192.168.1.100
object service OBJ-TCP-4443
service TCP source eq 4443
object service OBJ-TCP-8080
service TCP source eq 8080
!
object service OBJ-TCP-HTTPS
service TCP source eq https
!
object service OBJ-TCP-WWW
service TCP source eq www
!
nat (inside,outside) source static OBJ-192.168.1.100 OBJ-192.168.1.100 destination static OBJ-123.123.123.106 OBJ-123.123.123.106 service OBJ-TCP-4443 OBJ-TCP-HTTPS
nat (inside,outside) source static OBJ-192.168.1.100 OBJ-192.168.1.100 destination static OBJ-123.123.123.106 OBJ-123.123.123.106 service OBJ-TCP-8080 OBJ-TCP-WWW
!

IS THAT CORRECT? Have I made a mistake? (This firewall won't be going live for a while.) So I'd like a second opinion.

Pete Long, Technical Consultant, asked:

Ken Boone, Network Consultant, commented:
I think you can do this but I am going off memory here.

object network OBJ-192.168.1.100-port80
  host 192.168.1.100
  ! object NAT takes the real (inside) port first, then the mapped (outside) port
  nat (inside,outside) static 123.123.123.106 service tcp 8080 80   <--- I might have the ports backwards.. I can't remember

object network OBJ-192.168.1.100-port443
  host 192.168.1.100
  nat (inside,outside) static 123.123.123.106 service tcp 4443 443   <-- Same here.. they might be backwards.

You can use objects instead of direct IP addresses and ports, but I wanted to simplify what was what. I believe this is how you would do that.

Now of course you need an ACL on the outside interface to allow port 8080 and 4443 to reach 192.168.1.100.
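The conversion discussed above, as an added example that is not code from either participant: a small script that reads the 8.2 `static ... access-list` lines together with the ACLs they reference and emits the equivalent 9.x object NAT, keeping the real port before the mapped port. It assumes the 8.2 form `static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT access-list NAME` with an ACL of the form `permit tcp host REAL_IP eq REAL_PORT any`, and the sample config is constructed from the lines in the question.

```python
import re

# Port names used on the old static lines; the ASA accepts either form.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

ACL_RE = re.compile(
    r"access-list (\S+) extended permit tcp host (\S+) eq (\S+) any")
STATIC_RE = re.compile(
    r"static \((\S+),(\S+)\) tcp (\S+) (\S+) access-list (\S+)")

# Constructed sample: the 8.2 lines from the question above.
OLD_CONFIG = """
access-list inside_nat_static extended permit tcp host 192.168.1.100 eq 4443 any
access-list inside_nat_static_1 extended permit tcp host 192.168.1.100 eq 8080 any
static (inside,outside) tcp 123.123.123.106 https access-list inside_nat_static
static (inside,outside) tcp 123.123.123.106 www access-list inside_nat_static_1
"""


def port(p):
    """Turn 'https' or '443' into an integer port number."""
    return PORT_NAMES.get(p) or int(p)


def convert(config):
    """Translate 8.2 policy static PAT into 9.x object NAT lines."""
    # Map ACL name -> (real IP, real port) from the permit lines.
    acls = {}
    for m in ACL_RE.finditer(config):
        name, real_ip, real_port = m.groups()
        acls[name] = (real_ip, port(real_port))

    out = []
    for m in STATIC_RE.finditer(config):
        real_ifc, mapped_ifc, mapped_ip, mapped_port, acl = m.groups()
        real_ip, real_port = acls[acl]
        obj = f"OBJ-{real_ip}-port{real_port}"  # hypothetical naming scheme
        out += [f"object network {obj}",
                f" host {real_ip}",
                # object NAT syntax: service tcp REAL_PORT MAPPED_PORT
                f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip} "
                f"service tcp {real_port} {port(mapped_port)}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(OLD_CONFIG))
```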