
ASA NAT - non interface IP

Nathan Farrar
Level 1

ASA running 9.1 code. I have a block of IP addresses on the public side. On the inside I have a DMZ and private VLAN. I want to map a specific port to a server in the DMZ on a specific public IP address. This address is not the interface IP address facing the ISP, generally I would do something like:

object network obj_server
  host 10.1.1.1
  nat (dmz,outside) static interface service tcp www www

This would map the specific port I want but would only allow me to use the address mapped to the outside interface. The only other way I can map a non-interface IP, that I know of, is:

object network obj_server
  host 10.1.1.1
  nat (dmz,outside) static <outside IP>

This will give me all or none. I could lock it down to one port of course, but I want to be able to use the same non-interface IP for different NAT/PAT to different servers. I would like that non-interface IP to send 443 to one server and then send 80 to a different server.

Thoughts?


3 Replies

MANI .P
Level 1

Hi,

Try this!!!!

! object NAT: the "service" keyword is only valid with static, so "dynamic" is corrected to "static"
object network webserv_ip_insid
  host 192.168.10.10
  nat (Dmz_int,Out_int) static interface service tcp 443 443

! post-8.3 ACLs match the real (untranslated) address; the ACL must be applied inbound
! on the outside interface, where Internet-initiated traffic enters the ASA
access-list out_to_dmz extended permit tcp any object webserv_ip_insid eq 443
access-group out_to_dmz in interface Out_int

Hope this will help ....

Thanks for the reply but I don't see how this would allow me to use a non-interface address. The NAT command you have specifies that the NAT is done on the interface address.

Imagine that I have 100.0.0.0/28 as a block of addresses, and my outside interface is using 100.0.0.2. I want to use 100.0.0.3 port 443 to point to one internal server but then have 80 point to another. I don't want to use 100.0.0.2 which is mapped to the outside interface.

I hope this will help you ...

--------------------------------------------------------------------------

! two static object NAT entries may share one mapped IP as long as the mapped ports differ
object network 443_server
  host 192.168.10.10
  nat (dmz_int,Out_int) static 100.0.0.3 service tcp 443 443

object network 80_server
  host 192.168.10.11
  nat (dmz_int,Out_int) static 100.0.0.3 service tcp 80 80

------------------------------------------------------------------------------

! ACLs reference the real address (post-8.3); 80_server is permitted on port 80, not 443
access-list out_to_dmz extended permit tcp any object 443_server eq 443
access-list out_to_dmz extended permit tcp any object 80_server eq 80
! applied inbound on the outside interface, where the Internet-initiated traffic enters
access-group out_to_dmz in interface Out_int

---------------------------------------------------

Please rate me if this helps you.

Thanks 

Mani.
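The rule this answer relies on, that one mapped IP can carry several static object NAT entries provided each (IP, protocol, port) triple is claimed only once, is shown below as an added example (not code from the thread or from Cisco). It renders the object NAT and ACL lines from a mapping table, rejects overlapping mapped ports before anything is pasted into the ASA, and models the inbound lookup; the interface and object names are assumed, and the mapping table is constructed sample data.

```python
from collections import namedtuple

# Constructed sample mapping table: one public IP shared by two DMZ servers.
Mapping = namedtuple("Mapping", "name real_ip mapped_ip proto real_port mapped_port")

MAPPINGS = [
    Mapping("443_server", "192.168.10.10", "100.0.0.3", "tcp", 443, 443),
    Mapping("80_server",  "192.168.10.11", "100.0.0.3", "tcp", 80, 80),
]

def check_overlaps(mappings):
    """Return (mapped_ip, proto, mapped_port) triples claimed by more than one object.
    A second static object NAT for an already-used mapped IP/proto/port would overlap."""
    seen, dups = {}, []
    for m in mappings:
        key = (m.mapped_ip, m.proto, m.mapped_port)
        if key in seen and seen[key] != m.name:
            dups.append(key)
        seen[key] = m.name
    return dups

def render_config(mappings, real_if="dmz_int", mapped_if="Out_int", acl="out_to_dmz"):
    """Render object NAT plus the matching interface ACL (assumed interface/ACL names).
    Post-8.3 ACLs reference the real (untranslated) address, and the ACL is applied
    inbound on the outside interface where Internet-initiated traffic enters."""
    dups = check_overlaps(mappings)
    if dups:
        raise ValueError(f"overlapping mapped IP/port: {dups}")
    lines = []
    for m in mappings:
        lines += [f"object network {m.name}",
                  f" host {m.real_ip}",
                  f" nat ({real_if},{mapped_if}) static {m.mapped_ip} "
                  f"service {m.proto} {m.real_port} {m.mapped_port}"]
    for m in mappings:
        lines.append(f"access-list {acl} extended permit {m.proto} any "
                     f"object {m.name} eq {m.real_port}")
    lines.append(f"access-group {acl} in interface {mapped_if}")
    return "\n".join(lines)

def resolve(mappings, dst_ip, proto, dst_port):
    """Model the inbound lookup: which real host/port does a packet to mapped IP:port reach?
    Returns None when no static entry matches the destination."""
    for m in mappings:
        if (m.mapped_ip, m.proto, m.mapped_port) == (dst_ip, proto, dst_port):
            return (m.real_ip, m.real_port)
    return None
```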
