Best practice for Global Address?

tcurrence
Beginner

Good Morning,

I am new to Cisco firewalls and would like to know what is the best practice for creating an external IP address and port into my network and then redirecting that to a specific machine.  I am thinking of using a global IP address and then only allowing this type of traffic to talk to the specific destination and on that specific port.  Is this the correct course of action?  Or is there a better or more efficient way of allowing this process using ASDM?

Troy

Message was edited by: Troy Currence

5 REPLIES

Jouni Forss
Mentor

Hi,

Basically when you are attempting to allow traffic from the external public network to some of your servers/hosts you will either use Static NAT or Static PAT

Static NAT is when you bind a single public IP address to be used by only one internal host. This is usually the preferred option if you can spare a single public IP address for your server, meaning you probably have a small public subnet from your ISP.

Static PAT is when you only allocate certain ports on your public IP address and map them to a local port on the host. This is usually the option when you only have a single public IP address that is configured on your ASA's external interface. Or perhaps in a situation when you just want to conserve your public IP addresses even though you might have a few of them.

In Static NAT case you configure the Static NAT and use the interface ACL to allow the services you require.

In Static PAT you only create a translation for a specific port/service so only connections to that port are possible. Naturally you will also have to allow those services/ports in the interface ACL just like with Static NAT.

Again if you can spare the public IP addresses then I would go with Static NAT or if you only have a single or few IP addresses you can consider Static PAT (Port Forward) also.

I don't personally use ASDM for configurations but can help you with the required CLI format configurations. These can actually be done through ASDM also from the Tools -> Command Line Interface menu at the top.

Hope this helps

- Jouni

johnlloyd_13
Engager

Hi,

It depends on which IOS you're running. What's your 'show version'?


tcurrence
Beginner

Thanks for the information Jouni and John. You can tell I am a newbie...

My version is 8.0(3) PIX and ASDM is 6.1 (5)

Hi,

How many public IP addresses do you have at your disposal? Do you only have the one configured on the external interface of the firewall or do you have a small subnet?

If you only have the public IP address configured on the external interface, then you probably need to use Static PAT

Its basic configuration format is

static (inside,outside) tcp interface <public-port> <local-ip> <local-port> netmask 255.255.255.255

This would have to be done for each port you need forwarded with Static PAT. The above example is for "tcp"; it could just as well be "udp".

The above example uses the interfaces "inside" and "outside" as they are the most typical ones used. If the interfaces are named differently in your case then you would need to enter the internal interface's name instead of "inside" and the external interface's name instead of "outside".

Naturally, if you can provide the requirements on what you need to configure then it will be easier to help you.

You can for example get the complete firewall configuration by doing the following

  • Go to the ASDM
  • Go to Tools -menu
  • Go to Command Line Interface
  • Enter the command "show run" and send the command to the device. This should provide the current configuration in the ASDM window where you entered the above command.

Naturally, don't share any public IP address information in the actual post or any other sensitive information.

- Jouni
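To tie together the two points made above (a Static NAT or Static PAT translation on one hand, and the interface ACL that actually permits the service on the other), here is an added configuration example in the pre-8.3 PIX/ASA syntax that version 8.0(3) uses. It is not from the original thread; the interface names, the documentation-range addresses (203.0.113.0/24, 198.51.100.0/24, 10.0.0.0/24), the host IPs, the ACL name OUTSIDE_IN and the chosen ports are all assumptions for illustration.

```cisco
! Added example, not from the original posts. All addresses are placeholders:
! outside interface 203.0.113.2/29 with a spare public IP 203.0.113.3,
! inside network 10.0.0.0/24, one trusted admin host 198.51.100.7.

! --- Option A: Static NAT, one spare public IP bound 1:1 to one internal host ---
! This translates ALL ports of 10.0.0.10; only the ACL below limits which services
! are reachable, so the ACL is doing the real access control here.
static (inside,outside) 203.0.113.3 10.0.0.10 netmask 255.255.255.255

! --- Option B: Static PAT (port forward) on the outside interface's own address ---
! One line per forwarded port. "interface" = the outside interface IP.
! Order is: mapped-port, real-ip, real-port.
static (inside,outside) tcp interface 443 10.0.0.20 443 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 10.0.0.20 22 netmask 255.255.255.255
static (inside,outside) udp interface 500 10.0.0.20 500 netmask 255.255.255.255

! --- Interface ACL: a static translation alone permits nothing inbound ---
! Pre-8.3 rule: match the MAPPED (public) address and the PUBLIC port,
! not the internal host's address or the real port.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE_IN extended permit tcp any interface outside eq 443
! Management-style services (SSH on 2222) should be restricted to known sources,
! not "any", even though the PAT line only exposes that one port.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.7 interface outside eq 2222
access-list OUTSIDE_IN extended permit udp any interface outside eq 500
! Explicit logged deny makes rejected probes visible in syslog.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Verification ---
show xlate
show access-list OUTSIDE_IN
! Simulate an inbound connection to confirm translation + ACL both allow it:
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 443
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.2 2222
```

The practical check is the packet-tracer output: it walks the NAT and ACCESS-LIST phases and shows whether the flow is dropped and at which phase, which is the fastest way to tell a missing static line from a missing ACL entry. Note that this syntax applies to 8.0 through 8.2; from 8.3 onward the ACL must reference the real (internal) address and the static command is replaced by object NAT.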

Hi,

If you're not comfy with CLI, you can navigate in ASDM: Configuration > NAT Rules > Add Static NAT Rules

Choose the appropriate ingress and egress interface from the drop-down list and input the local and global IP addresses. Click Apply and Send when finished.
