ASA inbound static nat

suthomas1
Level 6

Hi,

We have the following static port forwarding on our router:

ip nat inside source static tcp 192.168.100.35 80 210.18.171.21 80 extendable

ip nat inside source static tcp 192.168.100.35 25 210.18.171.21 25 extendable

We want to configure these same settings on our new ASA running ver 9.0.2.

Appreciate all help to do this.

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Seems like a basic Static PAT configuration.

Is the IP address 210.18.171.21 configured on the ASA "outside" interface or is it just a public IP address from some subnet allocated to you by the ISP?

Well, here is an example configuration of both.

The below presumes:

  • You have interfaces named "outside" and "inside" between which this Static PAT is configured. Replace names if needed.
  • You don't have any ACL attached to the "outside" interface yet. If you have, then replace the name of the ACL below and insert them into your existing interface ACL. In that case also DON'T USE the "access-group" command or it will replace your current "access-list" on the interface.

INTERFACE IP ADDRESS USED FOR STATIC PAT

object network STATIC-PAT-WWW

host 192.168.100.35

nat (inside,outside) static interface service tcp 80 80

object network STATIC-PAT-SMTP

host 192.168.100.35

nat (inside,outside) static interface service tcp 25 25

access-list OUTSIDE-IN remark Allow WWW and SMTP

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP

access-group OUTSIDE-IN in interface outside

SEPARATE IP ADDRESS USED FOR STATIC PAT

object network STATIC-PAT-WWW

host 192.168.100.35

nat (inside,outside) static 210.18.171.21 service tcp 80 80

object network STATIC-PAT-SMTP

host 192.168.100.35

nat (inside,outside) static 210.18.171.21 service tcp 25 25

access-list OUTSIDE-IN remark Allow WWW and SMTP

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP

access-group OUTSIDE-IN in interface outside

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Thanks Jouni.

These lines below, one of them has destination port specified as eq www, but the second line for smtp traffic doesn't have eq smtp portion. Is it not required?

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP

Ah sorry, my mistake.

Typing too fast and managed to completely leave one part out.

The "access-list" line requires the "eq smtp" or "eq 25" at the end

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP eq smtp

- Jouni
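
The omission caught in this thread can be checked mechanically. The following is an added example, not part of the original posts: it compares each `permit tcp any object ...` ACL entry with the real port of that object's static PAT rule and reports entries with no port or a different one. The names `audit`, `to_port` and `PORT_NAMES` are this example's own, and the sample configuration is constructed from the first-posted "separate IP" version.

```python
import re

# Port keywords used on this page; ASA accepts names or numbers after "eq".
PORT_NAMES = {"www": 80, "smtp": 25}

# Constructed sample: the "separate IP" configuration as first posted in the thread.
SAMPLE_CONFIG = """\
object network STATIC-PAT-WWW
 host 192.168.100.35
 nat (inside,outside) static 210.18.171.21 service tcp 80 80
object network STATIC-PAT-SMTP
 host 192.168.100.35
 nat (inside,outside) static 210.18.171.21 service tcp 25 25
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+\) static \S+ service tcp (\d+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit tcp any object (\S+)(?: eq (\S+))?$")

def to_port(token):
    """Translate an "eq" operand (name or number) to an int; None if unknown."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)

def audit(config):
    """Return (acl_line, reason) for permits broader than the object's static PAT."""
    real_port, current, findings = {}, None, []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:                      # pass 1: real port of each static PAT object
        if m := OBJ_RE.match(ln):
            current = m.group(1)
        elif (m := NAT_RE.match(ln)) and current:
            real_port[current] = int(m.group(1))
    for ln in lines:                      # pass 2: compare each permit with its object
        m = ACL_RE.match(ln)
        if not m or m.group(2) not in real_port:
            continue
        obj, eq = m.group(2), m.group(3)
        if eq is None:
            findings.append((ln, "no port given: ACL permits every TCP port to the host"))
        elif to_port(eq) != real_port[obj]:
            findings.append((ln, f"port {eq} differs from real port {real_port[obj]}"))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_CONFIG):
        print(f"{reason}\n    {line}")
```
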
