ASA 9.x Nat / inbound access query

mvsheik123
Level 7

Hello experts, a question on 9.x NAT. ASA sample configuration below.

!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.100.10 255.255.255.0
!
object network TEST1
 host 192.168.3.5
 nat (INSIDE,OUTSIDE) static 1.1.1.15
object network TEST2
 subnet 192.168.3.96 255.255.255.248
 nat (INSIDE,OUTSIDE) dynamic 1.1.1.15
object network TEST3
 subnet 0 0
 nat (INSIDE,OUTSIDE) dynamic 1.1.1.20
!
access-list OUT2IN extended permit tcp object XYZ host 192.168.3.5 eq 22
!
Proper routing is in place and the access group is applied to the Outside interface.
The question is: with the above config, will XYZ members be able to access .3.5 via 22 while, at the same time, 1.1.1.15 is used to static NAT .3.5 and PAT .97-.102 to the internet?
Please suggest.

Thanks in advance
MS

2 Accepted Solutions


Yes this should work assuming that correct routing in place


Shivapramod M
Level 1

Hi,

Please mention the tcp service command in the static NAT statement if you want to allow a specific port for a static NAT.

As Mohammed al Baqari said, this looks correct. You can verify by running packet tracer on the ASA.

object network TEST1
 host 192.168.3.5
 nat (INSIDE,OUTSIDE) static 1.1.1.15 service tcp 22 22

Thanks,
Shivapramod M
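
Added example, not part of the thread and not Cisco code: a simplified Python model of how the ASA orders the three object NAT rules from the question (static before dynamic, then fewest real addresses, then lowest address, then object name) and which rule a new flow matches, with and without the `service tcp 22 22` form from the reply. The class and function names are hypothetical, the source port 40000 and host 192.168.100.50 are constructed sample values, and the model covers new flows only (no existing xlate or connection state, no ACL check).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ObjNat:                      # hypothetical model of one object NAT rule
    name: str                      # network object name
    real: str                      # real host/subnet in CIDR form
    kind: str                      # "static" or "dynamic"
    mapped: str                    # mapped (translated) address
    port: Optional[int] = None     # set for "service tcp <p> <p>" static PAT

    @property
    def net(self):
        return ipaddress.ip_network(self.real)

def asa_order(rules):
    # Object NAT order: static first, then fewest real addresses,
    # then lowest real address, then object name.
    return sorted(rules, key=lambda r: (r.kind != "static", r.net.num_addresses,
                                        int(r.net.network_address), r.name))

def outbound(rules, src, sport):
    """First rule that translates a new INSIDE->OUTSIDE flow."""
    for r in asa_order(rules):
        if ipaddress.ip_address(src) in r.net and r.port in (None, sport):
            return r.name, r.mapped
    return None

def inbound(rules, dst, dport):
    """Real address for a new OUTSIDE->INSIDE flow (static rules only)."""
    for r in asa_order(rules):
        if r.kind == "static" and r.mapped == dst and r.port in (None, dport):
            return str(r.net.network_address)
    return None

def rules_from_page(ssh_only=False):
    # Entered out of order on purpose: the sort decides, not config order.
    return [
        ObjNat("TEST3", "0.0.0.0/0", "dynamic", "1.1.1.20"),
        ObjNat("TEST2", "192.168.3.96/29", "dynamic", "1.1.1.15"),
        ObjNat("TEST1", "192.168.3.5/32", "static", "1.1.1.15", 22 if ssh_only else None),
    ]

if __name__ == "__main__":
    for ssh_only in (False, True):
        rules = rules_from_page(ssh_only)
        print("ssh_only:", ssh_only, [r.name for r in asa_order(rules)])
        print("  3.5 out :", outbound(rules, "192.168.3.5", 40000))
        print("  3.97 out:", outbound(rules, "192.168.3.97", 40000))
        print("  in :22  :", inbound(rules, "1.1.1.15", 22))
        print("  in :443 :", inbound(rules, "1.1.1.15", 443))
```

With the port-specific static, only tcp/22 on 1.1.1.15 maps back to 192.168.3.5, and that host's other outbound traffic falls through to TEST3 and leaves as 1.1.1.20. The OUT2IN entry is written against the real address 192.168.3.5 in both cases.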
