topic new configuration in Network Security

new configuration

aspilman — Tue, 12 Mar 2019 00:09:20 GMT

I just got a new 5505 with ver 8.4.4.1 and the command "static (inside,outside)" no longer works. It looks like "object network" is the way to go now but I'm running into some problems getting it to work. I have 5 public ip addresses x.x.x.81, x.x.x.82,x.x.x.83,x.x.x.84,x.x.x.85 I want to

1. Assign x.x.x.81 to the ouside interface

2. Use PAT on the outside interface

3. Map various "ip address/port" from the outside to the inside.

x.x.x.81 port 9426 to 192.168.1.50 port 379

x.x.x.82 port 651 to 192.168.1.75 port 592

Thanks for the help,

--Aaron

new configuration

Marvin Rhoads — Tue, 16 Oct 2012 03:30:38 GMT

It should work. The static NAT rules (#3 in your listing) will be processed first order-wise. Then the dynamic NAT (#2 above). #1 is simply your interface configuration.

Reference the configuration guide section on NAT.

new configuration

aspilman — Tue, 16 Oct 2012 15:21:40 GMT

I'm really not looking for an education here just want this new device that I bought to work. Why should I support Cisco if I can't get some help configuring the device.

I tried this and it did not work.

ciscoasa(config)# object network pat-ip1
ciscoasa(config-network-object)# host x.x.x.81
ciscoasa(config-network-object)# object-group network nat-pat-grp
ciscoasa(config-network-object-group)# network-object object pat-ip1
ciscoasa(config-network-object-group)# object network my_net_obj1
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic nat-pat-grp inte$
ERROR: Address x.x.x.81 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

ciscoasa(config)# object network pat-ip1
ciscoasa(config-network-object)# host x.x.x.81
ciscoasa(config-network-object)# object-group network nat-pat-grp
ciscoasa(config-network-object-group)# network-object object pat-ip1
ciscoasa(config-network-object-group)# object network my_net_obj1
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
ERROR: Address x.x.x.81 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

new configuration

Harish Balakrishnan — Tue, 16 Oct 2012 16:29:49 GMT

Hello Aaron,

Here you go with the configuration

1.Assign the first IP for outside interface

interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.1.1.81 255.255.255.248

2.Use PAT on the outside interface

object network INSIDE_NW
subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source dynamic INSIDE_NW interface

3. Map various "ip address/port" from the outside to the inside.

x.x.x.81 port 9426 to 192.168.1.50 port 379

x.x.x.82 port 651 to 192.168.1.75 port 592

Here If you are using different port and different servers ( port should not repeat), you can use same outside interface IP to do that so that you can preserve public IP

Let us see how to port forward 9426 to 192.168.1.50 port 379 using outside interface

object network HOST_192.168.1.50
host 192.168.1.50

object service REAL_SERVICE
service tcp source eq 379

object service MAPPED_SERVICE
service tcp source eq 9426

nat (inside,outside) source static HOST_192.168.1.50 interface service REAL_SERVICE MAPPED_SERVICE

access-list outside_in extended permit tcp any host 192.168.1.50 eq 379

access-group outside_in in interface outside

Let me know how does it go with you.

Harish.

new configuration

aspilman — Tue, 16 Oct 2012 20:50:36 GMT

Harish, Thank you for your answer it has helped me alot.

I do have a couple of questions.

nat (inside,outside) source static HOST_192.168.1.50 interface service REAL_SERVICE MAPPED_SERVICE

Does "interface" tell this to use the outside interface? How would I modify this to map x.x.x.82 to 192.168.1.14 using port 3389 inside and outside?

object network Host_192.168.1.14

host 192.168.1.14

object network Host_x.x.x.82

host x.x.x.82

object service Real_RemoteDesktop

service tcp source eq 3389

nat (inside,outside) source static Host_192.168.1.14 static Host_x.x.x.82 service Real_RemoteDesktop Real_RemoteDesktop

(This last statment throws an error after the 'r' in service. "Invalid input detected at '^' marker.")

Thanks,

--Aaron

new configuration

Harish Balakrishnan — Wed, 17 Oct 2012 10:37:47 GMT

Hello Aaron,

Yes the interface is the outside interface.

And for the second mapping , you are almost done and the last line can be modified as follows

nat (inside,outside) source static Host_192.168.1.14 Host_x.x.x.82 service Real_RemoteDesktop Real_RemoteDesktop

Hope this helps

also add this also in the ACl to permit the traffic as follows

access-list outside_in extended permit tcp any host 192.168.1.14 eq 3389

Let me know if you face any issue

Harish.

new configuration

aspilman — Wed, 17 Oct 2012 13:08:50 GMT

Harish,

Thank you for your help.

--Aaron