topic You could do something like in Network Security

multiple inside hosts to a single external ip

Carlomd — Tue, 12 Mar 2019 04:07:31 GMT

Hello,

We have a new time clock service and have a few users that need to be able to remotely clock in to this service, the site's security system need to be able to see a publicly accessible ip, but I have limited public ip's left and I won't be able to nat them all 1 to 1, so is there a way to make this happen on the ASA, have multiple internal hosts nat'd or mapped to a single external ip. Any ideas or pointers would be great.

thanks,

Carlo

Hello Carlo,This sounds like

joseoroz — Fri, 25 Apr 2014 22:59:53 GMT

Hello Carlo,

This sounds like you need a port forwarding. If your clock works with port 123/UDP you can create a NAT rule to NAT that port to a Public IP even if the IP has been used on another static translation (This applies to 1 to 1 translations).

As you know this is going to overlap however its possible and the firewall can map that single PORT from the public IP to the private IP of the server.

This file has examples of NAT on code pre 8.3 and post:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

This is an example how the configuration will look on code 8.2

static (inside,outside) A.A.A.A X.X.X.X netmask 255.255.255.255

static (inside,outside) udp A.A.A.A 123 B.B.B.B 123 netmask 255.255.255.255

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html

Hope you find this information helpful.

Yes, you can NAT all of the

lanbrown — Fri, 25 Apr 2014 23:01:34 GMT

Yes, you can NAT all of the users behind a single IP or even use the interface IP of the egress interface. What version of code are you running on your ASA? The newer versions of code allows you to use a pool which doesn't require each host to have a unique external IP.

Thanks for the reply, I'm on

Carlomd — Sat, 26 Apr 2014 00:04:29 GMT

Thanks for the reply, I'm on v9.1

I don't know what the port is

Carlomd — Sat, 26 Apr 2014 00:07:05 GMT

I don't know what the port is, we login through the web, and looks like the site controls the access, cause when I logged in from a internal ip that's not nat'd to an outside it failed to login.

Hi Jose, do you have any

Carlomd — Mon, 28 Apr 2014 16:13:01 GMT

Hi Jose, do you have any sample code or docs for v9.1, looks like the site is port 80 but then it goes to https for the login to the time clock system. I need to get a few clients to be able to nat to a single ip externally so they can clock in to this site. Any pointers would be great

You could do something like

Marius Gunnerud — Tue, 29 Apr 2014 11:05:53 GMT

You could do something like the following:

object service PORT
service udp destination eq ntp

object-group network SERVERS
network-object host 1.1.1.2
network-object host 1.1.1.3
network-object host 1.1.1.4
network-object host 1.1.1.5

nat (inside,outside) source static SERVERS interface service PORT PORT

Please remember to select a correct answer and rate

Thanks for the reply Marius,

Carlomd — Tue, 29 Apr 2014 18:15:04 GMT

Thanks for the reply Marius, somehow I think the time clock site's admins may have done something cause it works now for anyone inside our network without me doing anything on the ASA, I'll keep the code handy for future needs, thanks again.