ASA 8.4 NAT: multiple ports and destinations with one IP

PPierce
Level 1

I have a site with a web server (192.168.1.10) that needs 80 and 443. Then I have a phone system (192.168.1.11) that needs TFTP and RTP traffic (ports 10000-20000). Finally I have a terminal server needing RDP 3389. Now I only have one external IP address, which is fed via DHCP from the provider (I use DynDNS). What is the best solution to open and direct all of the ports to the appropriate server? I am really not looking forward to adding 10k NAT rules for all the RTP traffic.

4 Replies

Maykol Rojas
Cisco Employee

Hello,

I assume the IP is the one on the outside interface, right? I see one problem here: you will need to change the SSL port in order to access ASDM from the outside. Besides that, good old port forwarding can help you overcome this issue:

8.4 code

object service TFTP
 service udp source eq 69
object service RTP-PORTS
 service udp source range 10000 20000
object service HTTP
 service tcp source eq 80
object service HTTPS
 service tcp source eq 443
object service RDP
 service tcp source eq 3389

object network RDP-server
 host x.x.x.x
object network Web-server
 host 192.168.1.10
object network Voice-server
 host 192.168.1.11

nat (inside,outside) 1 source static Voice-server interface service RTP-PORTS RTP-PORTS
nat (inside,outside) 1 source static Voice-server interface service TFTP TFTP
nat (inside,outside) 1 source static Web-server interface service HTTPS HTTPS
nat (inside,outside) 1 source static Web-server interface service HTTP HTTP
nat (inside,outside) 1 source static RDP-server interface service RDP RDP

Where 1 is the position in the NAT table, which is the order in which the ASA evaluates the rules to create the translations (also assuming the interface names are inside (LAN) and outside (WAN)).

In 8.2 code, NAT with a range of ports is not supported, which means you would need to add 10000 lines; not a very good idea, but the other ones will work like this:

static (inside,outside) tcp interface 3389 x.x.x.x 3389
static (inside,outside) udp interface 69 192.168.1.11 69
static (inside,outside) tcp interface 80 192.168.1.10 80
static (inside,outside) tcp interface 443 192.168.1.10 443

For versions 8.2 and below, in the access list you will need to allow traffic to the interface IP address itself; for versions 8.3 and newer, you will need to add an access-list entry pointing to the private IP.

Example for 8.2:

access-list inbound permit tcp any interface outside eq 80

Example for 8.3:

access-list inbound permit tcp any host 192.168.1.10 eq 80

Access-groups are applied the same way:

access-group inbound in interface outside

Here are some documents that will help you out.

Configuring NAT on the Security Appliance using version 8.4

https://supportforums.cisco.com/videos/1078

8.2 Vs 8.4 NAT statements:

https://supportforums.cisco.com/docs/DOC-12690

If you have any doubts, let me know.

Mike
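The reply above gives the objects, the NAT lines and the ACL separately, for two ASA releases with different rules about which address the ACL names. The generator below is an added example, not code from the original thread or from Cisco: given a list of forwards it emits the complete 8.4 configuration (service objects written from the real host's side, manual NAT to the interface address, ACL against the private IP) or the 8.2 equivalent (one static PAT per port, ACL against the interface address), and it refuses two forwards that claim the same protocol and overlapping ports on the single outside IP. It also warns when a forward takes a port the ASA itself uses for management, which is the ASDM/443 problem mentioned at the top of the reply. The object names, the ACL name `outside_in` and the address 192.168.1.12 for the RDP host (left as x.x.x.x in the thread) are assumptions.

```python
"""Generate single-outside-IP port forwarding for a Cisco ASA in 8.4 (object
and manual NAT) and 8.2 (static PAT) syntax, with a port-collision check.
Added example, not code from the original thread. Object names, the ACL name
and 192.168.1.12 for the RDP host are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Forward:
    """One forward: the inside (real) host and the protocol/port range exposed
    on the outside interface IP; the port is the same on both sides."""
    name: str      # ASA network object name, e.g. "Web-server"
    real_ip: str   # inside address
    proto: str     # "tcp" or "udp"
    first: int     # first port of the range
    last: int      # last port (equal to first for a single port)

# Constructed sample mirroring the thread's three servers.
FORWARDS = [
    Forward("Web-server", "192.168.1.10", "tcp", 80, 80),
    Forward("Web-server", "192.168.1.10", "tcp", 443, 443),
    Forward("Voice-server", "192.168.1.11", "udp", 69, 69),        # TFTP
    Forward("Voice-server", "192.168.1.11", "udp", 10000, 20000),  # RTP
    Forward("RDP-server", "192.168.1.12", "tcp", 3389, 3389),      # assumed IP
]

# Ports the ASA itself may answer on at the outside interface IP. Forwarding
# one of them takes it away from the firewall's own management service.
RESERVED = {("tcp", 443): "ASDM/HTTPS management", ("tcp", 22): "SSH management"}

def check_forwards(forwards: List[Forward]) -> List[str]:
    """Raise on invalid or overlapping (proto, port range) entries, since one
    interface IP can hand a port to only one real host; return warnings for
    forwards that collide with RESERVED ports."""
    ip_of: Dict[str, str] = {}
    for i, a in enumerate(forwards):
        if a.proto not in ("tcp", "udp") or not 1 <= a.first <= a.last <= 65535:
            raise ValueError(f"bad forward: {a}")
        if ip_of.setdefault(a.name, a.real_ip) != a.real_ip:
            raise ValueError(f"object {a.name} used with two addresses")
        for b in forwards[i + 1:]:
            if a.proto == b.proto and a.first <= b.last and b.first <= a.last:
                raise ValueError(f"port overlap on interface IP: {a} vs {b}")
    return [f"{p}/{port} forwarded to {f.real_ip} collides with {what}; "
            f"move the ASA's own service to another port"
            for f in forwards for (p, port), what in RESERVED.items()
            if f.proto == p and f.first <= port <= f.last]

def _ports(f: Forward) -> str:
    """Port expression shared by service objects and ACL entries."""
    return f"eq {f.first}" if f.first == f.last else f"range {f.first} {f.last}"

def _svc(f: Forward) -> str:
    tail = str(f.first) if f.first == f.last else f"{f.first}-{f.last}"
    return f"{f.proto.upper()}-{tail}"   # e.g. TCP-443, UDP-10000-20000

def asa84_config(forwards: List[Forward], inside: str = "inside",
                 outside: str = "outside", acl: str = "outside_in") -> List[str]:
    """8.3+ syntax. The service object is written from the real host's side, so
    in an (inside,outside) rule the forwarded port is its *source* port, and
    the ACL names the real (private) address: NAT is undone before the ACL."""
    lines = [f"! WARNING: {w}" for w in check_forwards(forwards)]
    for f in forwards:
        lines += [f"object service {_svc(f)}",
                  f" service {f.proto} source {_ports(f)}"]
    for name, ip in {f.name: f.real_ip for f in forwards}.items():
        lines += [f"object network {name}", f" host {ip}"]
    for f in forwards:
        lines.append(f"nat ({inside},{outside}) source static {f.name} interface "
                     f"service {_svc(f)} {_svc(f)}")
    for f in forwards:
        lines.append(f"access-list {acl} extended permit {f.proto} any "
                     f"host {f.real_ip} {_ports(f)}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines

def asa82_config(forwards: List[Forward], inside: str = "inside",
                 outside: str = "outside", acl: str = "outside_in") -> List[str]:
    """8.2 syntax: one static PAT per port (ranges are refused rather than
    expanded into thousands of lines) and an ACL against the interface
    address, because in 8.2 the ACL is checked before NAT."""
    check_forwards(forwards)
    lines: List[str] = []
    for f in forwards:
        if f.first != f.last:
            raise ValueError(f"8.2 static PAT has no port ranges: {f}")
        lines.append(f"static ({inside},{outside}) {f.proto} interface {f.first} "
                     f"{f.real_ip} {f.first} netmask 255.255.255.255")
    for f in forwards:
        lines.append(f"access-list {acl} extended permit {f.proto} any "
                     f"interface {outside} {_ports(f)}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines

if __name__ == "__main__":
    print("\n".join(asa84_config(FORWARDS)))
    print("!\n" + "\n".join(asa82_config([f for f in FORWARDS if f.first == f.last])))
```

The `1` in the reply's `nat (inside,outside) 1 ...` lines is a position in the manual NAT table; it is left out here because static PAT rules for distinct ports cannot match the same packet, so their order does not matter. The `extended` and `netmask 255.255.255.255` keywords are what the ASA itself adds to the running config when you omit them, as the reply does. Paste the 8.4 output with the ASDM warning resolved first (move `http server` to another port, or restrict it to the inside interface), or the forward of 443 will take the management listener with it.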

Hi Mike,

I just needed the same setup on my ASA, but this did not work on my ASA 8.4.

To make my NAT function right I needed to put:

nat (Outside,Byggmakker) source static any *my official ip* destination static *my official ip* *my private ip* service HTTPS HTTPS

This is for the server to listen for incoming traffic on port 25.

Why does the setup

nat (inside,outside) 1 source static Web-server interface service HTTPS

not work?

I tried it like the example:

nat (Byggmakker,Outside) source static *myprivateip* *my official ip* service FTP_nat FTP_nat

But it does not work. Why?

Best regards,

Tuva

Tuva,

That is because I have an error in the configuration I posted back in November. The correct statement uses the source keyword inside the object rather than destination. I am editing it as I type.

Incorrect:

object service HTTPS
 service tcp destination eq 443

Correct one:

object service HTTPS
 service tcp source eq 443

That is why it works for you when you write it as (outside,Byggmakker) and specify the destination in the statement. Change the service object to source and it will work.

Mike

Mike,

Thanks for the reply – does it really matter if I let it stay the way it is? ☺

Best regards,

Tuva
