ASA 9.x Nat Question

mvsheik123
Level 7

Hello experts,

One question on ASA 9.x (or post-8.2) NAT:

Scenario: two internal hosts PAT'd to one public IP (not the interface IP). Users from the internet are able to reach one of the hosts on 'https'. What is the recommended config?

object network TEST
 subnet 192.168.1.0 255.255.255.252   --> .1 and .2 are internal hosts.
 nat (DMZ,OUTSIDE) dynamic 5.5.5.5    --> public IP from pool of assigned IPs.
!

Can I create an ACL with 'https' access pointing to 192.168.1.1, or do I need to create separate objects for both hosts, add NAT statements with the public IP, and then create an ACL for the required object?

Thanks in advance

MS  

Accepted Solution

Hi there,

In addition to what shiva has mentioned, you could have two ways to implement your requirement:

1st:

object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (dmz,outside) dynamic 5.5.5.5

object network obj-192.168.1.1
 host 192.168.1.1
 nat (dmz,outside) static 5.5.5.5 service tcp 443 443

With this you would be able to go out to the internet with dynamic NAT for both IPs. However, for 5.5.5.5 on port 443 from outside, the ASA would redirect to 192.168.1.1 on the inside.

2nd:

object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (dmz,outside) static 5.5.5.5

In this scenario (many to one), both your internal IPs would be able to go out with the single IP 5.5.5.5, while for the outside world, if they try to access 5.5.5.5 then the ASA would send it to 192.168.1.1 (lowest IP / first IP in that pool). Then restrict your inbound traffic with the help of an access-list.

Therefore, in both cases you need to create an access-list on outside for 192.168.1.1 for https, as outside users would be able to access only .1.

Hope that helps.

Regards,

Akshay Rastogi
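The first option above, carried through to the inbound access-list the answer says is still needed, as an added example that is not the poster's own config. It assumes interfaces named dmz and outside and the addresses used in the thread; the verification commands at the end use a constructed source address from the documentation range.

```cisco
! Added example (not from the thread): option 1 end to end, assuming
! interfaces named "dmz" and "outside" and the addresses used above.

! Both hosts leave the DMZ source-translated to 5.5.5.5
object network obj-192.168.1.1-2
 range 192.168.1.1 192.168.1.2
 nat (dmz,outside) dynamic 5.5.5.5

! Only .1 is reachable from outside, and only on TCP/443
object network obj-192.168.1.1
 host 192.168.1.1
 nat (dmz,outside) static 5.5.5.5 service tcp 443 443

! Post-8.3 ACLs match the real (untranslated) address, so the rule
! references 192.168.1.1, not the mapped 5.5.5.5.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq 443
! The implicit deny drops everything else, including any attempt to reach .2.
access-group OUTSIDE_IN in interface outside

! Verification from enable mode. 203.0.113.10 is a constructed sample
! source address, not a real client.
! packet-tracer input outside tcp 203.0.113.10 40000 5.5.5.5 443
!   -> expect "Action: allow", with the NAT phase showing 5.5.5.5 -> 192.168.1.1
! packet-tracer input outside tcp 203.0.113.10 40000 5.5.5.5 22
!   -> expect "Action: drop" (no static translation for port 22, no ACL match)
! show nat detail
!   -> lists both rules with their hit counts
```

Run the two packet-tracer checks after any change to either NAT rule: the first proves the port-forward and ACL agree, the second proves nothing else on 5.5.5.5 is exposed.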


Shivapramod M
Level 1

Hi,

As per my understanding you are trying to create a NAT so that the users from the outside can access the internal servers. Please correct me if my understanding about the issue is wrong.

If this is the case then you can configure the static NAT, which is a bidirectional NAT. You have to configure the ACL permitting the real IP address.

object network obj-192.168.1.1
   host 192.168.1.1
   nat (DMZ,outside) static 5.5.5.5

object network obj-192.168.1.2
   host 192.168.1.2
   nat (DMZ,outside) static 5.5.5.6

In the above configuration we use two outside IPs, but we can also do the translation based on the destination port or the mapped port using a single IP.

For more information about NAT you can refer to the document below, which explains different ways to configure NAT on the ASA.

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Thanks,

Shivapramod M

Hi Shivapramod,

Thanks for the reply. But in my scenario, only one public IP (ex: 5.5.5.5) is to be used by .1 and .2. In addition to that, .1 needs to be accessible from the outside world (https://xyz: 5.5.5.5 -> internally .1).

Thx

MS

Hi,

You can configure a static NAT rule with the port.

object network obj-192.168.1.1
   host 192.168.1.1
   nat (DMZ,outside) static 5.5.5.5 service tcp https https

So if the traffic comes to the ASA on port 443 then it will translate to the internal IP and it will keep the same destination port.

What is the requirement for 192.168.1.2? Are you trying to access this from internet? 

Thanks,

Shivapramod M

