Solved: ASA version 8.6 NAT+PAT

alan-wong · ‎10-16-2013

Dear. I am using ASA 8.6. I would like to know if I want to public IP 1.1.1.1 redirect to internal server 192.168.1.1 only for both port 80 and 443. Is below is the correct command I need to place to ASA? Please advise

object-group service internet-port tcp
port-object eq www
port-object eq https

object network test-server
host 192.168.1.1

object network test-server
nat (inside,outside) static 1.1.1.1 object-group internet-port

object-group protocol TCPUDP
protocol-object udp
protocol-object tcp

access-list 100 extended permit object-group TCPUDP any object test-server object-group internet-port

access-group 100 in interface outside

Jouni Forss · ‎10-16-2013

Hi,

I dont think you can use the configuration you mentioned

You would have to create 2 separate Static PAT (Port Forward) configurations

object network STATIC-PAT-TCP80

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 80 80

object network STATIC-PAT-TCP443

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 443 443

I would also suggest an ACL name that refers to the actualy interface

access-list OUTSIDE-IN remark Allow HTTP and HTTPS

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP80 eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP443 eq 443

access-group OUTSIDE-IN in interface outside

Its not quite clear if you have a free public IP address for this server or you would use the current "outside" interface IP address. If you have a free public IP address you could just configure static NAT

object network STATIC-NAT

host 192.168.1.1

nat (inside,outside) static 1.1.1.1

access-list OUTSIDE-IN remark Allow HTTP and HTTPS

access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 443

access-group OUTSIDE-IN in interface outside

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

View solution in original post

Jouni Forss · ‎10-16-2013

Hi,

I dont think you can use the configuration you mentioned

You would have to create 2 separate Static PAT (Port Forward) configurations

object network STATIC-PAT-TCP80

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 80 80

object network STATIC-PAT-TCP443

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 443 443

I would also suggest an ACL name that refers to the actualy interface

access-list OUTSIDE-IN remark Allow HTTP and HTTPS

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP80 eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP443 eq 443

access-group OUTSIDE-IN in interface outside

Its not quite clear if you have a free public IP address for this server or you would use the current "outside" interface IP address. If you have a free public IP address you could just configure static NAT

object network STATIC-NAT

host 192.168.1.1

nat (inside,outside) static 1.1.1.1

access-list OUTSIDE-IN remark Allow HTTP and HTTPS

access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 80

access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 443

access-group OUTSIDE-IN in interface outside

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

abhisar patil · ‎01-15-2014

Dear Jouni,

As per your suggested configuration,

object network STATIC-PAT-TCP80

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 80 80

object network STATIC-PAT-TCP443

host 192.168.1.1

nat (inside,outside) static 1.1.1.1 service tcp 443 443

I did the same but when I do show run, I am able to see only one nat for 443 not for port 80. Can you please confirm whether it is right. Also, I saw somewhere following config which I did, but it is not working as well. Please suggest.

Public IP - 1.1.1.1

Private IP1 - 192.168.1.10 Port http

Private IP1 - 192.168.1.20 Port SMTP

Configuration -

***********************************************

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.10

host 192.168.1.10

object network obj-1.1.1.1

host 1.1.1.1

object service HTTP

service tcp source eq http

object service SMTP

service tcp source eq SMTP

***********************************************

nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP

nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP

***********************************************

acces-list outside extended permit tcp any host 192.168.1.10 eq http

***********************************************

Thank You,

Abhisar.