01-11-2017 07:10 AM - edited 03-12-2019 01:45 AM
Dear all,
Currently I have an ASA 5506 (IOS 9.6) and I want to do NAT from DMZ to outside and from outside to DMZ with port 3389.
Do you have the commands for NAT on an ASA 5506 with IOS 9.6?
Best Regards,
01-11-2017 07:32 AM
From outside to dmz
object service RDP
service tcp source eq 3389
object network dmz_host
host x.x.x.x
object network outside_IP
host y.y.y.y
nat (dmz,outside) source static dmz_host outside_IP service RDP RDP
access-list out_dmz permit tcp any host x.x.x.x eq 3389
access-group out_dmz in interface outside
For dmz to outside
Any dynamic NAT will work, and no ACL is needed as it is going from a higher to a lower security level.
01-12-2017 12:26 AM
Dear Sir,
I'm not clear about NAT. Sometimes we use the command
nat (dmz,outside) source static dmz_host outside_IP service RDP RDP
and sometimes we use
object network NR-1010
nat (inside,outside) static interface service tcp 1010 1010
What is the difference between both NATs? Which one is recommended to use?
Or does it depend on the IOS version?
Best Regards,
01-12-2017 02:14 AM
Both are for different purposes also.
nat (dmz,outside) source static dmz_host outside_IP service RDP RDP
The above is for RDP access and is twice NAT.
The below is for a different purpose - object NAT:
object network NR-1010
nat (inside,outside) static interface service tcp 1010 1010
Are you looking for one-to-one NAT, or what?
Please explain your requirement.
Thanks,
Mani.
01-12-2017 03:23 PM
Technically speaking they are doing the same thing: translating a source address for a specific port.
nat (dmz,outside) source static dmz_host outside_IP service RDP RDP
The above is a manual NAT/PAT. With that rule you are translating only the source object for the RDP service. If you were also translating the destination address, then you would be doing twice NAT/PAT.
object network NR-1010
nat (inside,outside) static interface service tcp 1010 1010
The above is called object NAT, or auto NAT. With this one you are translating the source IP address defined in the object network NR-1010 to the outside interface IP address for port tcp/1010.
The very important point to keep in mind here is the NAT order. Manual NAT is always checked before object NAT. Manual NAT is located in section 1 of the NAT table on the ASA. The first match will be applied, from top to bottom as you see it in the configuration lines, very similar to the way ACL matching works. You can place a manual NAT rule in section 3, which comes after the object NAT section, by using the keyword after-auto, similar to the following example:
nat (dmz,outside) after-auto source static dmz_host outside_IP service RDP RDP
You can verify the NAT sections with the command "sh nat".
Instead, the object NAT order is different and quite tricky. The preference is for the object that has fewer IP addresses; if equal, the one with the lowest IP address; if still equal, then the objects' names in alphabetical order. Have a look at these links please:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wp1118157
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Regards,
Aref
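The NAT-table ordering described in the answer above, as an added example that is not from this thread or from Cisco: a small Python model of sections 1, 2 and 3, with the section 2 sort key (fewest real addresses, then lowest real address, then object name) and first-match lookup. All object names, addresses and ports are constructed for illustration.

```python
import ipaddress

# Constructed model of how the ASA orders its NAT table (added example, not
# from the thread). Section 1: manual (twice) NAT in configuration order.
# Section 2: object (auto) NAT sorted by the ASA's rules. Section 3: manual
# NAT entered with the after-auto keyword, in configuration order.

def object_nat_key(rule):
    """Section 2 sort key: fewer real addresses first, then the lowest real
    address, then the object name alphabetically."""
    net = ipaddress.ip_network(rule["real"], strict=False)
    return (net.num_addresses, int(net.network_address), rule["name"])

def build_nat_table(rules):
    """Return rules in the order the ASA evaluates them (sections 1, 2, 3)."""
    section1 = [r for r in rules if r["kind"] == "manual" and not r.get("after_auto")]
    section2 = sorted((r for r in rules if r["kind"] == "object"), key=object_nat_key)
    section3 = [r for r in rules if r["kind"] == "manual" and r.get("after_auto")]
    return section1 + section2 + section3

def first_match(table, real_ip, real_port=None):
    """Name of the first rule whose real address (and real port, if the rule
    restricts one) covers the packet; later rules are never consulted."""
    ip = ipaddress.ip_address(real_ip)
    for rule in table:
        in_net = ip in ipaddress.ip_network(rule["real"], strict=False)
        port_ok = rule.get("port") is None or rule["port"] == real_port
        if in_net and port_ok:
            return rule["name"]
    return None

# Constructed rule set mirroring the thread: the twice NAT for RDP, the
# NR-1010 object NAT, two more object NATs, and one after-auto manual rule.
RULES = [
    {"name": "NR-1010", "kind": "object", "real": "10.1.1.10", "port": 1010},
    {"name": "dmz_subnet", "kind": "object", "real": "10.1.1.0/24"},
    {"name": "dmz_host_rdp", "kind": "manual", "real": "10.1.1.20", "port": 3389},
    {"name": "Aserver", "kind": "object", "real": "10.1.1.5"},
    {"name": "dmz_fallback", "kind": "manual", "real": "10.1.1.0/24", "after_auto": True},
]

def nat_order():
    """Rule names in evaluation order, like the numbering shown by 'sh nat'."""
    return [r["name"] for r in build_nat_table(RULES)]

if __name__ == "__main__":
    table = build_nat_table(RULES)
    print("evaluation order:", nat_order())
    print("10.1.1.10:1010 ->", first_match(table, "10.1.1.10", 1010))
    print("10.1.1.10:22   ->", first_match(table, "10.1.1.10", 22))
```

The model only applies the three criteria named in the answer; a real ASA additionally places static object NAT rules ahead of dynamic ones within section 2, so compare against the numbering in "sh nat" on the box.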
01-11-2017 09:05 AM
Do you want it for only a single host, or for all DMZ hosts?
If you want only a single host, does the outside user want to communicate with the same IP (NATted public IP)?
Can you elaborate on your requirement?
Thanks,
Mani