03-10-2015 11:59 AM - edited 03-11-2019 10:37 PM
Hello
I have an ASA 5510 with 3 interfaces: "inside", "DMZ", "Outside". We have a solution with one server located on the DMZ with IP address 192.168.2.10,
which is published to the internet with IP address 193.50.15.23, and we have an internal server with IP address 10.10.60.20. Our vendor asked us to allow our internal IP 10.10.60.2 to reach public IP address 193.50.15.23 using ping, tcp port 8443. Any idea? I need to know which configuration I have to apply. My ASA works with IOS v9.X
thanks
03-11-2015 04:59 AM
Hi,
I am assuming the 10.10.60.20 is behind your inside interface. This is your DMZ server internal IP: 192.168.2.10, mapped to 193.50.15.23.
I think you would need a NAT statement something like this:
object network INSIDE-NET
 subnet 0 0
nat (inside,dmz) source INSIDE-NET interface destination static 193.50.15.23 192.168.2.10
You can control or restrict ports using the ACL if required.
Thanks and Regards,
Vibhor Amrodia
03-11-2015 06:06 AM
Hello
+5 for Vibhor, his is a great configuration. Just please add static, do it as below:
1- nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10
2- Kindly check whether you have configured objects for your DMZ and public IP or not, because if you have existing objects for these IPs, you have to use the existing objects instead of the IPs.
Thanks
please rate all useful information
03-10-2015 02:06 PM
Do you have a site-to-site--or L2L--tunnel established with this vendor?
Which is the internal IP that is assigned the NAT of 193.50.15.23 (192.168.2.10 or 10.10.60.20)?
03-10-2015 11:04 PM
Hello
No L2L or IPsec exists. Our vendor is responsible for the applications which run on the internal and DMZ servers. I need to allow my internal IP 10.10.60.20 to reach our public NATed IP address 193.50.15.23. I need to know which configuration should be applied.
Thanks
03-11-2015 06:20 AM
Hi,
I would like to differ on the NAT statement that you gave, as this statement is incorrect:
nat (inside,DMZ) source static INSIDE-NET interface destination static 193.50.15.23 192.168.2.10
This should be instead:
nat (inside,DMZ) source dynamic INSIDE-NET interface destination static 193.50.15.23 192.168.2.10
Thanks and Regards,
Vibhor Amrodia
03-11-2015 06:25 AM
Hello
So this should be dynamic. Can you share why dynamic?
thanks
03-11-2015 06:30 AM
Hi,
When we are talking about mapping multiple IP addresses, i.e. Inside Net in this case, to a single IP, i.e. the interface in this case, we can never use a Static NAT statement. It always has to be dynamic.
Many-to-one translations always require the Dynamic keyword.
Thanks and Regards,
Vibhor Amrodia
03-11-2015 06:42 AM
I typed static because he mentioned one IP address.
03-11-2015 06:52 AM
Hi Islam,
Thank you for your response. I think we were both saying the same thing.
I replied because of this. :)
object network INSIDE-NET
 subnet 0 0
Thanks and Regards,
Vibhor Amrodia
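The configuration the thread converges on, written out as an added example (not posted by any participant): the twice-NAT rule with the dynamic keyword, plus the ACL entries for ping and TCP 8443. The object names, the ACL name INSIDE-IN and the interface name DMZ are assumptions; the source is narrowed to the single host 10.10.60.20 instead of `subnet 0 0`, which goes beyond what was posted.

```cisco
! Added example. Object and ACL names are hypothetical;
! IP addresses are the ones given in the thread.
object network INSIDE-SRV
 host 10.10.60.20
object network DMZ-SRV-REAL
 host 192.168.2.10
object network DMZ-SRV-PUBLIC
 host 193.50.15.23
!
! Twice NAT: the source is hidden behind the DMZ interface address
! (dynamic PAT) and the destination 193.50.15.23 is rewritten to the
! real DMZ address 192.168.2.10.
nat (inside,DMZ) source dynamic INSIDE-SRV interface destination static DMZ-SRV-PUBLIC DMZ-SRV-REAL
!
! On 8.3 and later, interface ACLs match the real (untranslated)
! destination, so the entries name 192.168.2.10, not 193.50.15.23.
access-list INSIDE-IN extended permit icmp object INSIDE-SRV object DMZ-SRV-REAL echo
access-list INSIDE-IN extended permit tcp object INSIDE-SRV object DMZ-SRV-REAL eq 8443
! Only if no ACL is bound to inside yet (assumption); otherwise add the
! two entries above to the ACL that is already applied there.
access-group INSIDE-IN in interface inside
!
! Exec-mode checks: confirm the flow hits the NAT rule and is allowed.
! packet-tracer input inside tcp 10.10.60.20 1025 193.50.15.23 8443
! packet-tracer input inside icmp 10.10.60.20 8 0 193.50.15.23
! show nat detail
```

Binding a new ACL to the inside interface replaces the implicit permit toward lower-security interfaces, so every other flow from inside then needs its own entry. Ping replies come back only if ICMP inspection is enabled or the DMZ interface ACL permits echo-reply.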