ASA new IOS 8.3 upwards new NAT statement

James Simpson
Level 1

Hi All

I have an AD server that needs access to servers at a company out on the web. It's an ASA; the protocol is LDAP.

AD server 10.12.1.56 / 24

External servers 206.123.45.122, 174.87.96.143

ASA configuration

access-list outside permit tcp host 206.123.45.122 host 10.12.1.56 eq 389
access-list outside permit tcp host 174.87.96.143 host 10.12.1.56 eq 380

Right here is where I get stuck. I know I would create a network object, but I'm not sure of the syntax.

Please help

Many thanks

12 Replies

varrao
Level 10

Hi James,

Could you tell me on which interface the AD server is connected, is it on the inside? You want to access the AD server from outside on IP 206.123.45.122? Could you explain the requirement in a bit more detail?

thanks,

Varun

Thanks,
Varun Rao

The AD server is on the inside; those are external addresses, the 2 other servers are on the outside.

You would need the following configuration:

Let's assume that the public IP of the server is 1.1.1.1

object network AD_Server
  host 10.12.1.56
object service ldap_380
  service tcp destination eq 380
object service ldap_389
  service tcp destination eq 389
object network Public_206.123.45.122
  host 206.123.45.122
object network Public_174.87.96.143
  host 174.87.96.143
object network Public_AD_server
  host 1.1.1.1
nat (outside,inside) source static Public_206.123.45.122 Public_206.123.45.122 destination static Public_AD_server AD_Server service ldap_389 ldap_389
nat (outside,inside) source static Public_174.87.96.143 Public_174.87.96.143 destination static Public_AD_server AD_Server service ldap_380 ldap_380

The access-list is good, so no changes to it.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Varun

Thanks for that. However, I don't understand why this has been added:

object service ldap_380 ????? I was only looking at 389.

Also, why do I need a public AD server (1.1.1.1)? I already have the 2 external addresses and the AD server address of 10.12.1.56.

thanks

Hi James,

Maybe I didn't understand your requirement completely; kindly let me know if this is your requirement:

You have an AD server on the inside interface - 10.12.1.56

The AD server should be accessed on port 380 and 389.

The AD server would be accessed by external servers 206.123.45.122 and 174.87.96.143 on the above ports.

I thought of this because of the access-list that you have mentioned:

access-list outside permit tcp host 206.123.45.122 host 10.12.1.56 eq 389
access-list outside permit tcp host 174.87.96.143 host 10.12.1.56 eq 380

Kindly let me know if this was not your requirement; I'll give you the correct config.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

Sorry, I've just realised I've messed up.

I want to statically NAT 10.12.1.56 to the external address 194.57.54.129.

Would I then need to change the access list, changing the address 10.12.1.56 to 194.57.54.129?

The AD server should be accessed on port 389; that 380 is a typing error.

Hi James,

This makes it a bit clearer for me; what you would need is:

object network AD_Server
  host 10.12.1.56
object service ldap_380
  service tcp destination eq 380
object network Public_AD
  host 194.57.54.129
nat (outside,inside) source static any any destination static Public_AD AD_Server service ldap_380 ldap_380

This statement means all the users on the internet would access your AD server on its public IP on port 380.

and the access-list would be:

access-list outside permit tcp any host 10.12.1.56 eq 380

In ASA 8.3, you would need to use the real IP of the server in the ACL instead of the public IP; moreover, you would need to create an object for the service as well. The syntax has changed in ASA 8.3.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
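An added config lint (my own Python, not from the thread or from Cisco): it parses `object network` hosts and manual NAT lines from a constructed sample config modelled on this thread, and flags ACL entries written against the mapped (public) address, which on ASA 8.3+ never match because the ACL is evaluated against the real address, as Varun states above. It assumes manual NAT with named network objects; auto NAT (`nat ... static interface`) is not parsed.

```python
import re

# Constructed sample ASA 8.3+ config modelled on the thread (not the poster's exact config):
# the AD server 10.12.1.56 is statically NATed to 194.57.54.129 for LDAP from outside.
# The first ACL line is the pre-8.3 habit (mapped IP); the second is the 8.3+ form (real IP).
SAMPLE_CONFIG = """
object network AD_Server
 host 10.12.1.56
object network Public_AD
 host 194.57.54.129
object service ldap_389
 service tcp destination eq 389
nat (outside,inside) source static any any destination static Public_AD AD_Server service ldap_389 ldap_389
access-list outside permit tcp any host 194.57.54.129 eq 389
access-list outside permit tcp any host 10.12.1.56 eq 389
"""

def parse_objects(config):
    """Map each 'object network' name to the address on its 'host' line."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects

def mapped_to_real(config, objects):
    """From manual NAT lines, map the mapped (public) destination address to the real one."""
    pairs = {}
    for line in config.splitlines():
        m = re.match(r"nat \(\S+\) source static \S+ \S+ destination static (\S+) (\S+)", line)
        if m:
            mapped, real = objects.get(m.group(1)), objects.get(m.group(2))
            if mapped and real:
                pairs[mapped] = real
    return pairs

def find_acl_using_mapped_ip(config):
    """Return (acl_line, real_ip) for ACL entries whose destination host is a mapped
    address; on 8.3+ such entries never hit, because the ACL sees the real address."""
    pairs = mapped_to_real(config, parse_objects(config))
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list \S+ permit .*\bhost (\S+)", line)  # last 'host' = destination
        if m and m.group(1) in pairs:
            findings.append((line, pairs[m.group(1)]))
    return findings

if __name__ == "__main__":
    for acl, real in find_acl_using_mapped_ip(SAMPLE_CONFIG):
        print(f"never matches on 8.3+: '{acl}' -> use real IP {real}")
```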

The 194.57.54.129 is a public address taken from our range, which needs to be used to statically NAT to 10.12.1.56,

so I need the statement to marry those 2 together.

I hope I have been clear on that, and I haven't confused you lol

Yup, the commands that I have given you do the same thing. They are married together: for the outside world your AD server is 194.57.54.129, but for the firewall it is 10.12.1.56. So the statements are correct.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun

I did:

object network obj-10.1.12.56-ldap
  host 10.1.12.56
object network obj-10.1.12.56-ldap
  nat (inside,outside) static interface service tcp ldap ldap
access-list outside permit tcp any host 10.1.12.56 eq 389

No problem, you can try it and let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

Yup, that's also good; both the statements work fine. The only thing is I used manual NAT and you did it with auto NAT. The only reason I prefer it is that when the ASA searches for the NAT statement, the manual NAT is hit first. Otherwise you can use either, with no issues.

Thanks,

Varun

Thanks,
Varun Rao