06-04-2013 08:42 PM - edited 03-11-2019 06:53 PM
Hello Everyone!!
I would like to seek your kind suggestion in mapping a static IP address to a local IP address.
We have a BSNL broadband connection, and BSNL has provided us with one static IP address.
We are using a broadband modem.
Now I would like to map this static IP address to one of the private IP addresses, which is 192.168.1.2 (database server).
I want to NAT the above IPs; if I do so, then I don't have any IP to assign to my outside interface.
I would like to access this device over the Internet by typing my public (static) IP given by BSNL.
Kindly let me know how I should configure this modem.
The security device I have is a Cisco ASA 5505.
Need suggestions.
Thanks in advance.
06-04-2013 09:03 PM
Hi,
I am afraid that if you are asking for a guide to configuring your broadband modem then this is probably not the best section of the Cisco Support Community to do that.
Generally, though, it would be best if the modem you have was configured as a bridged device and the public IP address was configured on the ASA5505 directly on its "outside" interface. This saves you from a lot of trouble playing with possible NAT configurations on 2 devices.
On the ASA5505 you will basically be configuring Static PAT and NOT Static NAT.
Static NAT would bind the public IP address to the use of only a single internal host.
Static PAT on the other hand would bind certain TCP/UDP ports to some internal host.
So naturally we should first determine which ports you need to forward to the internal host and also what the software level of your ASA5505 is so we know which NAT configuration format to use (version number is shown with the command "show version" or in the main view of the ASDM)
NAT/ACL 8.2 (and older) Configuration format
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
access-list OUTSIDE-IN permit tcp any interface outside eq 80
access-group OUTSIDE-IN in interface outside
In the above configuration we first use the "static" command to configure the Static PAT. The configuration basically states that we want to forward the TCP/80 port using the "outside" "interface" IP address to the local IP address of 192.168.1.2 and local port of TCP/80.
Finally we make an ACL that allows TCP/80 traffic from anywhere and we attach the ACL to the "outside" interface with "access-group" command. If there is an existing ACL attached to the "outside" interface then you would naturally use that.
NAT/ACL 8.3 (and newer) Configuration Format
object network SERVER-WWW
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object SERVER-WWW eq 80
access-group OUTSIDE-IN in interface outside
The above basically does the same as the first example with the older ASA software. There are just noticeable changes in the NAT and ACL configuration formats.
Hope this helps
- Jouni
06-04-2013 10:18 PM
Thanks for the reply, it was indeed helpful.
One more thing: can I open more than 1 port for the same server (192.168.1.2), like 80 and 443?
Thank you so much.
06-04-2013 10:33 PM
Hi,
You can. The only limitation is that you CAN'T forward the same port twice with your single public IP address. For example, you can't forward the public port 80 to 2 servers. In that case you would have to use 2 different public ports and then forward those to each server's port 80, for example.
In this case, for additional ports you just add another NAT configuration like above but with other port information. Remember to switch the "tcp" to "udp" in the above configurations also depending on your need.
Please remember to mark the reply as the correct answer if it answered your question and/or rate helpful answers.
Naturally ask more if you need help
- Jouni
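Added example, not part of the original replies: the multi-port case discussed above, written in the 8.3 (and newer) format, where each object carries only one "nat" statement, so every forwarded port gets its own network object. The object names SERVER-HTTPS and SERVER2-WWW, the second host 192.168.1.3, the public port 8080 and the 203.0.113.0 source range are assumptions made for illustration.

```cisco
! Existing forward from the thread: public TCP/80 -> 192.168.1.2:80
object network SERVER-WWW
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 80 80
!
! Second port for the SAME server: a separate object with the same host,
! because an object can hold only one NAT rule (assumed name SERVER-HTTPS)
object network SERVER-HTTPS
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 443 443
!
! Hypothetical second server: public port 80 is already taken, so a
! different public port (8080) is forwarded to its local port 80.
! Order of the ports is: real (local) port first, mapped (public) port second.
object network SERVER2-WWW
 host 192.168.1.3
 nat (inside,outside) static interface service tcp 80 8080
!
! In 8.3+ the ACL matches the REAL (local) address and port,
! so the 8080 forward is still permitted as "eq 80" towards SERVER2-WWW.
access-list OUTSIDE-IN permit tcp any object SERVER-WWW eq 80
access-list OUTSIDE-IN permit tcp any object SERVER-HTTPS eq 443
access-list OUTSIDE-IN permit tcp any object SERVER2-WWW eq 80
!
! To limit who can reach a forwarded port, replace "any" with a source
! network (constructed documentation range shown here), for example:
! access-list OUTSIDE-IN permit tcp 203.0.113.0 255.255.255.0 object SERVER-HTTPS eq 443
!
access-group OUTSIDE-IN in interface outside
```

"show nat" and "show access-list OUTSIDE-IN" list the resulting rules with their hit counts, which confirms that each forward is matching the traffic you expect.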