ASA 5500 - NAT Question

spencermoore
Level 1

I would like to create a NAT rule that includes multiple original services. Currently, I am only able to add one original service even though I have service groups configured on the device. I need a public address translated to a private address, but only for X services, i.e., only apply the policy if the ports used are port 233, 344, 555. Do I have to configure a new rule for each service? This was possible on our current, legacy device. Surely I'm missing something.

1 Reply

davedoggydogg
Level 1

Yes, it's better to do one for each service. Here is an example of the commands if you were to add port 80 for a web server, and if you named your interfaces inside and outside respectively:

! Static PAT: TCP/80 on the outside interface address is forwarded to the web server
object network HTTPSERVER
 host 192.1.50.60
 nat (inside,outside) static interface service tcp 80 80

! Dynamic PAT for the inside hosts (the address definition for INSIDE is not shown in the post)
object network INSIDE
 nat (inside,outside) dynamic interface

object network HTTPSERVER
 nat (inside,outside) static interface service tcp 80 80

! Permit the inbound traffic; the ACL references the server object, not the mapped address
access-list Outside_access_in extended permit tcp any object HTTPSERVER eq 80
access-group Outside_access_in in interface outside

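Here is another example of the commands if you were to add port 80 for a web server, and if you named your interfaces inside and outside respectively:

! Static PAT: TCP/233 on the outside interface address is forwarded to the internal host
object network PCPORT233
 host 192.1.50.50
 nat (inside,outside) static interface service tcp 233 233

! Dynamic PAT for the inside hosts (the address definition for INSIDE is not shown in the post)
object network INSIDE
 nat (inside,outside) dynamic interface

object network PCPORT233
 nat (inside,outside) static interface service tcp 233 233

! Permit the inbound traffic; the ACL references the host object, not the mapped address
access-list Outside_access_in extended permit tcp any object PCPORT233 eq 233
access-group Outside_access_in in interface outside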
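
The per-service pattern from the reply above, applied to the three ports in the question, as an added example (not code from either poster or from Cisco): a small Python generator that emits one network object, one static PAT line and one ACL entry per port. The function name and its parameters are assumptions for illustration; the host address, object-name prefix, interface names and ACL name are reused from the reply.

```python
import ipaddress


def asa_static_pat(name_prefix, real_ip, ports, proto="tcp",
                   real_if="inside", mapped_if="outside",
                   acl="Outside_access_in"):
    """Return ASA config lines: one object, static PAT and ACL entry per port.

    Hypothetical helper written for this example; it only formats text and
    never talks to a device.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    host = ipaddress.ip_address(real_ip)  # raises ValueError on a malformed address

    # Validate before de-duplicating so a bad entry is reported, not silently sorted.
    for port in ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
    unique_ports = sorted(set(ports))

    lines = []
    # The reply's pattern uses a separate object for every forwarded port,
    # each carrying its own nat statement.
    for port in unique_ports:
        lines += [
            f"object network {name_prefix}{port}",
            f" host {host}",
            f" nat ({real_if},{mapped_if}) static interface service {proto} {port} {port}",
        ]

    # Only the listed ports are permitted inbound; the ACL matches the object
    # (the real address), as in the reply.
    for port in unique_ports:
        lines.append(
            f"access-list {acl} extended permit {proto} any "
            f"object {name_prefix}{port} eq {port}"
        )
    lines.append(f"access-group {acl} in interface {mapped_if}")
    return lines


if __name__ == "__main__":
    # Ports from the question; host address taken from the reply's second example.
    print("\n".join(asa_static_pat("PCPORT", "192.1.50.50", [233, 344, 555])))
```

Review the generated lines before pasting them into a device; any port that is not in the list gets neither a translation nor an ACL entry.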

 