Solved: ASA 5505 8.4(1) how to maps multiple inside hosts' ports to one public ip

Zhaofeng Wei · ‎06-23-2011

Hi,

I'm stuck at asa 5505 nat, port forwarding configuration

Here is what i need:

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100

host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200

host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300

So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.

I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.

sainair · ‎06-28-2011

object service tcp-1.1

service tcp destination range 100 101

object service udp-1.1

service udp destination range 100 101

object service tcp-1.2

service tcp destination range 200 201

object network obj-1.1.1.1-a

host 1.1.1.1

object network obj-1.1.1.1-1-b

host 1.1.1.1

object network obj-1.1.1.1-1-c

host 1.1.1.1

object network obj-192.168.1.1-a

host 192.168.1.1

nat (inside,outside) source static obj-192.168.1.1-a obj-1.1.1.1-a service tcp-1.1 tcp-1.1

!

object network obj-192.168.1.1-b

host 192.168.1.1

nat (inside,outside) source static obj-192.168.1.1-b obj-1.1.1.1-b service udp-1.1 udp-1.1

object network obj-192.168.1.2

host 192.168.1.2

nat (inside,outside) source static obj-192.168.1.2 obj-1.1.1.1-b service tcp-1.2 tcp-1.2

View solution in original post

sainair · ‎06-23-2011

the config should look like this:

object network obj-192.168.1.1

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 100 100

object network obj-192.168.1.2

host 192.168.1.2

nat (inside,outside) static 1.1.1.1 service tcp 200 200

object network obj-192.168.1.3

host 192.168.1.3

nat (inside,outside) static 1.1.1.1 service tcp 300 300

access-list ACL_INBOUND permit tcp any host 192.168.1.1 eq 100

access-list ACL_INBOUND permit tcp any host 192.168.1.2 eq 200

access-list ACL_INBOUND permit tcp any host 192.168.1.3 eq 300

reference links for ASA 8.3 and above NAT configuration:

https://supportforums.cisco.com/docs/DOC-9129

https://supportforums.cisco.com/docs/DOC-12324

Thanks,

Sai

Zhaofeng Wei · ‎06-23-2011

Thanks for your quick reply again!

Sorry, forgot to include another request is

for each host, there're multiple service need to bind to the same IP.

Here is the update

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100

host1: 192.168.1.1 service tcp/101 >>>>> public ip 1.1.1.1 service tcp/101

host1: 192.168.1.1 service udp/100 >>>>> public ip 1.1.1.1 service udp/100

host1: 192.168.1.1 service udp/101 >>>>> public ip 1.1.1.1 service udp/101

host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200

host2: 192.168.1.2 service tcp/201 >>>>> public ip 1.1.1.1 service tcp/201

Zhaofeng Wei · ‎06-24-2011

Hi, is there any update about this?

sainair · ‎06-28-2011

object service tcp-1.1

service tcp destination range 100 101

object service udp-1.1

service udp destination range 100 101

object service tcp-1.2

service tcp destination range 200 201

object network obj-1.1.1.1-a

host 1.1.1.1

object network obj-1.1.1.1-1-b

host 1.1.1.1

object network obj-1.1.1.1-1-c

host 1.1.1.1

object network obj-192.168.1.1-a

host 192.168.1.1

nat (inside,outside) source static obj-192.168.1.1-a obj-1.1.1.1-a service tcp-1.1 tcp-1.1

!

object network obj-192.168.1.1-b

host 192.168.1.1

nat (inside,outside) source static obj-192.168.1.1-b obj-1.1.1.1-b service udp-1.1 udp-1.1

object network obj-192.168.1.2

host 192.168.1.2

nat (inside,outside) source static obj-192.168.1.2 obj-1.1.1.1-b service tcp-1.2 tcp-1.2

Zhaofeng Wei · ‎06-29-2011

Smart work around idea! Thanks a lot.

sainair · ‎06-29-2011

Zhaofeng,

If all your queries have been answered, could you please mark this question as answered?

Thanks,

Sai

Zhaofeng Wei · ‎06-29-2011

It's marked as Anserwed.

BTW, I just upgraded the ios to 8.4.2, and i don't have to create multiple host object. One object can map to different service object in NAT config.

Thanks a lot for your help.