11-03-2015 04:48 AM - edited 03-11-2019 11:49 PM
Hello experts,
One question on ASA 9.x (or post-8.2) NAT:
Scenario: 2 internal hosts PAT'd to one public IP (not the interface IP). Users from the internet need to be able to reach one of the hosts over 'https'. What is the recommended config?
object network TEST
 subnet 192.168.1.0 255.255.255.252 --> .1 and .2 are internal hosts.
 nat (DMZ,OUTSIDE) dynamic 5.5.5.5 --> public IP from the pool of assigned IPs.
!
Can I create an ACL with 'https' access pointing to 192.168.1.1, or do I need to create separate objects for both hosts, add NAT statements with the public IP, and then create the ACL for the required object?
Thanks in advance
MS
11-03-2015 10:21 PM
Hi there,
In addition to what Shiva has mentioned, you could have two ways to implement your requirement:
1st:
object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (dmz,outside) dynamic 5.5.5.5
object network obj-192.168.1.1
 host 192.168.1.1
 nat (dmz,outside) static 5.5.5.5 service tcp 443 443
With this you would be able to go out to the internet with dynamic NAT for both IPs. However, for 5.5.5.5 on port 443 from outside, the ASA would redirect to 192.168.1.1 inside.
2nd:
object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (dmz,outside) static 5.5.5.5
In this scenario (many to one) both your internal IPs would be able to go out with the single IP 5.5.5.5, while for the outside world, if they try to access 5.5.5.5, the ASA would send it to 192.168.1.1 (lowest IP / first IP in that pool). Then restrict your inbound traffic with the help of an access-list.
Therefore in both cases you need to create an access-list on outside for 192.168.1.1 for https, as outside users would be able to access only .1.
Hope that helps.
Regards,
Akshay Rastogi
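Putting the two answers together into one configuration for the asker's scenario (added here as an illustration; it is not config posted by either respondent): the range object PATs both hosts out on 5.5.5.5, the host object forwards only inbound tcp/443 on 5.5.5.5 to 192.168.1.1, and the outside ACL permits https to the real (pre-translation) address, which is what post-8.3 ACLs match on. The ACL name OUTSIDE_IN and the source 203.0.113.10 used in the packet-tracer check are assumptions.

```cisco
! Dynamic PAT for both internal hosts behind the single public IP
object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (DMZ,OUTSIDE) dynamic 5.5.5.5
!
! Static port forward: only tcp/443 on 5.5.5.5 is mapped inbound, and only to .1
! (static object NAT rules are evaluated before dynamic ones within section 2)
object network obj-192.168.1.1
 host 192.168.1.1
 nat (DMZ,OUTSIDE) static 5.5.5.5 service tcp https https
!
! Inbound ACL on OUTSIDE: post-8.3 ACLs match the real IP, not 5.5.5.5.
! Only https to .1 is permitted; .2 stays unreachable from the internet.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! Verification from exec mode (assumed sample source 203.0.113.10): the first
! trace should show the UN-NAT and ACCESS-LIST phases allowing the flow to
! 192.168.1.1; the second has no matching static rule and should be dropped.
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 5.5.5.5 443
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 5.5.5.5 80
```

`show nat detail` lists the rules in evaluation order with hit counts, which is the quickest way to confirm the static rule sits above the dynamic one.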
11-03-2015 05:52 AM
Hi,
As per my understanding you are trying to create a NAT so that the users from the outside can access the internal servers. Please correct me if my understanding about the issue is wrong.
If this is the case then you can configure the static NAT, which is a bidirectional NAT. You have to configure the ACL permitting the real IP address.
object network obj-192.168.1.1
host 192.168.1.1
nat (DMZ,outside) static 5.5.5.5
object network obj-192.168.1.2
host 192.168.1.2
nat (DMZ,outside) static 5.5.5.6
In the above configuration we use two outside IPs, but we can also do the translation based on the destination port or the mapped port using a single IP.
For more information about NAT you can refer to the document below, which explains different ways to configure NAT on the ASA.
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Thanks,
Shivapramod M
11-03-2015 07:07 PM
Hi Shivapramod,
Thanks for the reply. But in my scenario, only one public IP (ex: 5.5.5.5) is to be used by .1 and .2. In addition to that, .1 needs to be accessed from the outside world (https://xyz: 5.5.5.5 -> internally .1).
Thx
MS
11-03-2015 09:58 PM
Hi,
You can configure a static NAT rule with the port.
object network obj-192.168.1.1
 host 192.168.1.1
 nat (DMZ,outside) static 5.5.5.5 service tcp https https
So if the traffic comes to the ASA on port 443, it will be translated to the internal IP and keep the same destination port.
What is the requirement for 192.168.1.2? Are you trying to access this from the internet?
Thanks,
Shivapramod M