700 Views, 10 Helpful, 3 Replies

Cisco ASA public servers vs object NAT

keithcclark71 (Level 3)

Hey all, on the ASA there is a "public servers" option for things like HTTP access from the outside to an internal web server. I don't quite understand how it's different from doing an object NAT for the web server host and then adding the out-in ACE for it?

Side question

Does Firepower Management Center have the same public server option, or is it deprecated?

2 Accepted Solutions

Public server and object NAT do the same thing; they are only two different configuration methods. FMC supports NAT configurations.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB


Keithcclark71, if I understand you correctly: NAT is normally used on the ASA for inside/DMZ to outside work, in order for clients (Internet users) to access your internal server resources. Once the NAT rule is defined you also need an access-group and an access-list on the interface where the traffic ingresses.

For example,

! Real (private) address of the server
object network Server-Private-IP
 host 192.168.1.10
!
! Mapped (public) address the server is reachable on from Outside
object network Server-Public-IP
 host 208.112.85.10
!
! Twice (manual) NAT: objects are referenced by name, without a "network" keyword
nat (DMZ,Outside) source static Server-Private-IP Server-Public-IP

In the above example we are doing NAT based on IP address, but if you want to filter it on TCP/UDP you can also do that (I am skipping the TCP/UDP NAT rule here).


Remember that static NAT is a bidirectional NAT, which means the initiator side can be either outside or inside. In order for the above NAT statement to work we need an access-list rule.

The ASA code uses a concept of security levels between 0 and 100: 1 to 99 is classified as the DMZ zone, 100 is classified as Inside and 0 is classified as Outside. The flow of traffic from 100 to 0 does not need any access rules, but from 0 to 100, or from 99-1 going to 100, does need an access rule. Therefore in the above example we assume the Public-IP-Server resides on Outside (security level 0), so we need an access-group and then an access-list.

access-group Outside-in in interface Outside

The above statement is self-explanatory: it is saying "on the Outside interface, ingress (as in)", where Outside-in is a name given for us to understand it (so Outside-in can be any name you want, but good practice is to keep it simple and give it a name matching your security level).


Now that the access-group is defined, it is time to define the access-list:

access-list Outside-in extended permit tcp any host 192.168.1.10 eq 443

Here you are saying: let the traffic in (from the Outside interface perspective) to communicate only with the internal server on port 443.

In regards to Firepower (FMC), the above rules are supported if you are using FTD appliances. However, if using the ASA code with a Firepower sensor you can put extra layers of security in place (IPS inspection / deep packet inspection).

Note: the concept of security levels does not exist in FTD.


Here is how to do NAT on FTD.

Here is a very good document on NAT if you ever get stuck or want to have a clear understanding. NAT in ASA and FTD works the same way.

please do not forget to rate.

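Both accepted solutions above make the same point: the "public servers" option and a hand-written object NAT plus an inbound ACE end up as the same two things on the box, a static translation and an access-list entry. The answer above shows the twice (manual) NAT form, which translates every port of 192.168.1.10, so there the ACE is the only control limiting what is exposed. The following is an added example, not from either answer, showing the object-NAT form with the translation itself restricted to TCP/443, plus the checks to confirm the result. The object name WEB-SERVER, the ACL name Outside-in, the interface names DMZ/Outside and the test source address 203.0.113.5 are assumptions for illustration; the addresses 192.168.1.10 and 208.112.85.10 are reused from the answer above.

```cisco
! Added example (not from the original post). Names and the source IP used by
! packet-tracer are assumptions; the server addresses come from the answer above.

! Object NAT: the network object carries the real host and its static mapping.
! Limiting the translation to TCP/443 means only that port is reachable from
! Outside; no other service on 192.168.1.10 is exposed by the NAT itself.
object network WEB-SERVER
 host 192.168.1.10
 nat (DMZ,Outside) static 208.112.85.10 service tcp 443 443
!
! Since ASA 8.3 the access-list matches the REAL (untranslated) address, so the
! ACE names 192.168.1.10, not the public IP. Keep it to the single port as well;
! "permit ip any host 192.168.1.10" would open every port the NAT translates.
access-list Outside-in extended permit tcp any host 192.168.1.10 eq 443
access-group Outside-in in interface Outside
!
! Checks: walk a synthetic inbound packet through NAT and the ACL. The first
! should show the NAT hit and ALLOW; the second (a port the NAT does not
! translate) should end in DROP.
packet-tracer input Outside tcp 203.0.113.5 40000 208.112.85.10 443
packet-tracer input Outside tcp 203.0.113.5 40000 208.112.85.10 22
!
! Confirm the translation and the hit counts on the ACE after testing.
show nat detail
show access-list Outside-in
```

Whether you click through the public servers page or type the lines above, review the result with `show run object network` and `show run access-list` afterwards: the thing to audit is the pair (what the NAT translates, what the ACE permits), and the narrower of the two is what actually limits exposure.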

3 Replies


Very cool Sheraz, thanks for the info!!!
