ASA 5515-X

juanvladimir
Level 1

Hi Everyone,

I'm hoping someone can help me out of this misery. I'm setting up an ASA 5515-5 and I can't figure out how to properly set up STATIC NAT for our email server as well as our remote desktop server.

I have experience with ASA 5505 but this 5515-X is a beast. The 5515-X is currently running ASA version 8.61. Any advice and help will be greatly appreciated.

Thanks,

Vladimir


Jouni Forss
VIP Alumni

Hi,

Do you mean Static NAT or Static PAT?

Static NAT would be using a separate public IP address for each of the servers you mention. Static PAT would be forwarding ports using your ASA's "outside" interface's public IP address.

Well, just to be thorough, here are examples of both.

In the below examples I presume that

  • You have interfaces called "inside" and "outside" and the servers are behind "inside"
  • Public IP addresses for Static NAT are 1.1.1.1 and 1.1.1.2
  • You don't have any ACL created and attached to the "outside" interface so we create a new one. If you have an existing ACL then you can simply replace the name of the ACL in the below configuration.

STATIC NAT

  • Separate public IP address for each server

    object network STATIC-SMTP
     host 10.10.10.10
     nat (inside,outside) static 1.1.1.1
    object network STATIC-RDP
     host 10.10.10.20
     nat (inside,outside) static 1.1.1.2
    access-list OUTSIDE-IN remark allow SMTP and RDP to the servers
    access-list OUTSIDE-IN permit tcp any object STATIC-SMTP eq smtp
    access-list OUTSIDE-IN permit tcp any object STATIC-RDP eq 3389
    access-group OUTSIDE-IN in interface outside

STATIC PAT

  • Using the ASA "outside" interface public IP address for port server

    object network STATIC-SMTP
     host 10.10.10.10
     nat (inside,outside) static interface service tcp smtp smtp
    object network STATIC-RDP
     host 10.10.10.20
     nat (inside,outside) static interface service tcp 3389 3389
    access-list OUTSIDE-IN remark allow SMTP and RDP to the servers
    access-list OUTSIDE-IN permit tcp any object STATIC-SMTP eq smtp
    access-list OUTSIDE-IN permit tcp any object STATIC-RDP eq 3389
    access-group OUTSIDE-IN in interface outside

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if you need clarification.

- Jouni
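
A tighter variant of the OUTSIDE-IN rules from the answer above, added here as an example and not part of the original post: SMTP stays open to any source, RDP is permitted only from a named source group, and ASA commands to check the result follow. The object-group name RDP-ADMINS and the addresses 203.0.113.10, 198.51.100.0/24 and 192.0.2.50 are constructed placeholders; 1.1.1.2 is the Static NAT address from the answer.

```text
! Sources allowed to reach the RDP server (constructed placeholder addresses)
object-group network RDP-ADMINS
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0
!
! If the "any" RDP rule from the answer was already entered, remove it first
no access-list OUTSIDE-IN permit tcp any object STATIC-RDP eq 3389
!
access-list OUTSIDE-IN remark SMTP from anywhere, RDP only from RDP-ADMINS
access-list OUTSIDE-IN permit tcp any object STATIC-SMTP eq smtp
access-list OUTSIDE-IN permit tcp object-group RDP-ADMINS object STATIC-RDP eq 3389
access-group OUTSIDE-IN in interface outside
!
! Simulate an inbound RDP connection from a source inside the group.
! For the Static PAT variant, use the "outside" interface address as the
! destination instead of 1.1.1.2.
packet-tracer input outside tcp 203.0.113.10 12345 1.1.1.2 3389
!
! Simulate the same connection from a source outside the group
packet-tracer input outside tcp 192.0.2.50 12345 1.1.1.2 3389
!
! Confirm the translations and watch the per-rule hit counters
show nat detail
show xlate
show access-list OUTSIDE-IN
```

The packet-tracer output lists each phase (UN-NAT, ACCESS-LIST, NAT) with the rule that matched, so it shows whether a flow was stopped by the ACL or never matched a translation.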


Nice reply, Jouni. +5 endorsed.

Best regards from CLUS!

juanvladimir
Level 1

Thanks, Jouni. That worked!

I have another question: How do I go about implementing multiple public addresses on the outside interface?

Sent from Cisco Technical Support iPhone App

Multiple addresses for NAT/PAT are simple - just follow the example Jouni gave and assign the translations from the network that the outside interface already lives on. For instance, his example shows 1.1.1.1 and 1.1.1.2.

If you want to use separate interfaces in separate networks, that's pretty tricky and not done well by an ASA (and maybe not at all depending on what you want to use them for).

juanvladimir
Level 1

Very helpful. Thank you much.

Sent from Cisco Technical Support iPhone App

Hi,

Thanks for the endorsement Marvin

Glad it worked for you Juan.

Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.

- Jouni
