
NAT for Beginners Question

John Rener
Level 1

Hello All,

 

I am very new to using the Cisco ASA. I've watched tons of videos already but my brain freezes for some reason. I bought this firewall and can't configure it properly; can someone help me please? I am trying to learn how to allow any host to communicate.


For example, my public IP is 200.100.25.20 and my private IP is 10.17.1.10

 

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
static (inside,outside) 10.17.1.10 10.17.1.10 netmask 255.255.255.255

   

or should I use this 

static (inside,outside) 200.100.25.20 10.17.1.10 netmask 255.255.255.255
or
static (outside,inside) 10.17.1.10 200.100.25.20 netmask 255.255.255.255

 

access-group OUTSIDE_NET in interface outside
access-group INSIDE_NET in interface inside

 

Am I on the right track? Did I miss anything? I wanted to be able to access my test webserver from the outside network.

1 Accepted Solution


Hello John,

If you're still using 8.2 you should use
static (inside,outside) 200.100.25.20 10.17.1.10 netmask 255.255.255.255

Bear in mind that if you use ASDM or SSH over the outside interface, adding this STATIC NAT statement will cut your access, as both 443 and 22 will get translated to 10.17.1.10.

As a glitch, if the above statement doesn't work, please use the "interface" keyword.

static (inside,outside) interface 10.17.1.10 netmask 255.255.255.255

Last but not least you can use STATIC PAT only for port 80 or 443:
static (inside,outside) tcp interface 80 10.17.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.17.1.10 443 netmask 255.255.255.255

Now that we have taken care of NAT, let's revisit the firewall, aka the ACL:
- you used access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
This will work if you have software version 8.3 or higher.
- instead use:
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 80
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 443
I am assuming that you will apply OUTSIDE_NET ACL on the outside interface: access-group OUTSIDE_NET in interface outside

Good luck!
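Added example, not part of the original reply and not a Cisco tool: a small Python check for the two pre-8.3 pitfalls the accepted answer describes (an outside ACL that names the private address, and a static NAT that takes over every port of the interface address). The function name, finding codes and the optional outside_ip parameter are hypothetical, and the sample configs are constructed from lines quoted in this thread.

```python
import re

# ASA 8.2-style: static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] netmask ...
STATIC = re.compile(r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:\d+ )?"
                    r"(\d+\.\d+\.\d+\.\d+)(?: \d+)? netmask")
ACL = re.compile(r"access-list (\S+) extended permit \w+ any host (\S+) eq \S+")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def lint_pre83(config, outside_ip=None):
    """Return (code, detail) findings; outside_ip (assumed) is the mapped interface's own IP."""
    statics, acls, bound = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := ACL.match(line):
            acls.append(m.groups())
        elif m := GROUP.match(line):
            bound[m.group(1)] = m.group(2)
    findings = []
    for real_if, mapped_if, proto, mapped, real in statics:
        # A static with no protocol/port maps every port of the mapped address,
        # so ASDM (443) and SSH (22) aimed at the ASA itself go to the host.
        if proto is None and mapped in ("interface", outside_ip):
            findings.append(("ALL_PORTS_ON_INTERFACE", real))
        # Before 8.3 the interface ACL is matched against the mapped address,
        # so a permit that names the real (private) address never matches.
        for name, dst in acls:
            if bound.get(name) == mapped_if and dst == real:
                findings.append(("ACL_USES_REAL_IP", name))
    return findings

# Constructed samples assembled from lines quoted in this thread.
BEFORE = """\
static (inside,outside) interface 10.17.1.10 netmask 255.255.255.255
access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
access-group OUTSIDE_NET in interface outside
"""
AFTER = """\
static (inside,outside) tcp interface 80 10.17.1.10 80 netmask 255.255.255.255
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 80
access-group OUTSIDE_NET in interface outside
"""

if __name__ == "__main__":
    print(lint_pre83(BEFORE))
    print(lint_pre83(AFTER))
```

The check only understands the 8.2 "static" syntax shown in this thread; 8.3 and later use a different NAT syntax and match ACLs against the real address.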


4 Replies

Jon Marshall
Hall of Fame

 

 

Can you just confirm - 

 

1) what is the ASA version of software you are running 

 

2) is the public IP you want to use for your web server the same IP assigned to your outside interface or a different one

 

Jon

This is only running v8.2

This public IP is coming from a PAT from another firewall. I'm actually behind another firewall. Is that what you're referring to as the outside interface?

John Rener
Level 1
I appreciate any input, thank you.
