ASA Outside Interface PAT

rohan.das
Level 1

I have a query regarding a deployment scenario.

Can I map my internal web server from the inside zone to the outside interface IP address in such a way that global users will hit the public IP of the firewall x.x.x.x:abcd and PAT will translate it to the private IP y.y.y.y:cdef? Will it work?

If it works please explain the procedure.

Accepted Solutions

Jon Marshall
Hall of Fame

Yes you can do this. 

The procedure varies depending on which version of software you are running but assuming you are running 8.3 or later - 

object network webserver <-- use any name you like 
host <private IP>
nat (inside,outside) static interface service tcp cdef abcd

Then you need to allow access in the ACL applied to the outside interface, e.g.

access-list <acl name> extended permit tcp any host <private IP> eq cdef

If you already have an ACL applied to the outside interface, add the above line to it. If you don't, then you need this additional command -

access-group <acl name> in interface outside

That should do it.

Jon


3 Replies 3

My ASA version is 9.6, and I tried:

nat (inside,outside) source static <realsource-object> interface service <cdef-service-obj> <abcd-service-obj>

I am using an any-any ACL at this moment.

But it did not work.

Any suggestions, please?

It worked. I was making a mistake with my NAT policy order. Thanks, Jon.
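
An added example, not part of the original thread: a small Python check that reads an ASA configuration and confirms each static interface PAT rule is matched by an outside ACL entry on the real (private) IP and real port, as the accepted answer describes, and flags an any-any ACL. The `audit` function, the sample configuration and its addresses are constructed for illustration; it assumes object NAT with numeric ports and ACL entries of the form `permit <proto> any host <ip> eq <port>`.

```python
import re

# Constructed sample config: object names, addresses and ports are made up.
SAMPLE = """\
object network webserver
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 8080 80
object network mailserver
 host 10.1.1.20
 nat (inside,outside) static interface service tcp 2525 25
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 8080
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq 25
access-group OUTSIDE_IN in interface outside
"""

# Groups: mapped interface, protocol, real port, mapped port.
PAT = re.compile(r" nat \(\w+,(\w+)\) static interface service (tcp|udp) (\d+) (\d+)")

def audit(config, outside="outside"):
    """Check each static interface PAT against the ACL bound inbound on `outside`."""
    hosts, pats, aces, bound, obj = {}, [], [], None, None
    for line in config.splitlines():
        if not line.startswith(" "):
            obj = None  # an unindented line ends the current object stanza
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif obj and (m := re.match(r" host (\S+)", line)):
            hosts[obj] = m.group(1)
        elif obj and (m := PAT.match(line)) and m.group(1) == outside:
            pats.append((obj, m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"access-list (\S+) extended permit (.+)", line):
            aces.append((m.group(1), m.group(2).strip()))
        elif m := re.match(rf"access-group (\S+) in interface {outside}$", line):
            bound = m.group(1)
    rules = {ace for name, ace in aces if name == bound}
    findings = []
    if bound is None:
        findings.append("no ACL bound inbound on outside")
    if "ip any any" in rules:
        findings.append("ACL permits ip any any: no port filtering on inbound traffic")
    for obj, proto, real_port, mapped_port in pats:
        real_ip = hosts.get(obj, "?")
        if (f"{proto} any host {real_ip} eq {real_port}" in rules
                or "ip any any" in rules):
            continue
        hint = ""
        if f"{proto} any host {real_ip} eq {mapped_port}" in rules:
            hint = " (ACL uses mapped port)"
        findings.append(f"{obj}: permit {proto} any host {real_ip} eq {real_port} missing{hint}")
    return findings
```

Calling `audit(SAMPLE)` reports only the mail server entry, whose ACL line names the mapped port 25 instead of the real port 2525.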
