06-19-2009 06:20 AM - edited 03-11-2019 08:45 AM
I have a web server on our inside network (10.15.20.20) that I'd like to have receive responses from a /29 block of external IP addresses within my outside interface's IP block. So basically I'd like any web traffic that hits 222.222.222.176/29 to automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?
I can get it to work with a 1-to-1 static NAT translated/redirected to 10.15.20.20. But I can't seem to get that /29 to translate to the inside address. I've tried dynamic policy NAT and dynamic NAT, with access list config attempts, but it just doesn't want to take.
I'm hearing rumblings that it's not possible, which would surprise me, as this is possible on other vendors' firewalls.
I attached my config with clear examples of what might be a futile attempt :)
Any thoughts would be appreciated.
06-19-2009 11:50 AM
Robert
If I understand you correctly, have a look at this thread:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB?cmd=pass_through&location=outline@^1@@.2cd2616a/6#selected_message
If I have misunderstood, please let me know.
Jon
06-23-2009 02:00 AM
As you said "So basically I'd like any web traffic that hits 222.222.222.176/29 automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?"
If you want anyone who hits 222.222.222.176 to get translated to 10.15.20.20, and that is correct,
you need
ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20
06-23-2009 07:21 AM
svaish,
Thank you for your response. I tried doing that, but it won't let me give a netmask of 255.255.255.248 after my 222.222.222.176, which would fulfill my /29 external IP requirement.
Doing
ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20
will only give me that one IP (.176) translated externally to the inside.
I needed all six IPs on the outside translated to one inside address.
I'll continue to plug away.
Cheers.
06-23-2009 07:17 AM
You understood correctly and thank you for the link. I had actually seen that thread earlier and from what it seems, I'm going to have to go that route.
I was trying to avoid having to create separate access lists for each as one of my requirements is going to be to have a complete /27 external IP to a single internal IP. That, from what I understand, is going to be 30 separate access lists. A bit tedious, but certainly doable.
Many thanks.
06-23-2009 10:26 PM
YOUR PUBLIC IP
222.222.222.176
222.222.222.177
222.222.222.178
222.222.222.179
222.222.222.180
222.222.222.181
222.222.222.182
YOUR inside server = 10.15.20.20
Configuration required
Create six different access lists like this:
access-list a1 line 1 extended permit ip host 10.15.20.20 any
access-list a2 line 1 extended permit ip host 10.15.20.20 any
access-list a3 line 1 extended permit ip host 10.15.20.20 any
access-list a4 line 1 extended permit ip host 10.15.20.20 any
access-list a5 line 1 extended permit ip host 10.15.20.20 any
access-list a6 line 1 extended permit ip host 10.15.20.20 any
Apply the static command:
static (Inside,outside) 222.222.222.176 access-list a1
static (Inside,outside) 222.222.222.177 access-list a2
static (Inside,outside) 222.222.222.178 access-list a3
static (Inside,outside) 222.222.222.179 access-list a4
static (Inside,outside) 222.222.222.180 access-list a5
static (Inside,outside) 222.222.222.181 access-list a6
May Help!
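The per-address access-list plus static pairs shown above, and the original poster's observation that a /27 would mean 30 of them, are easy to generate rather than type by hand. The following Python script is an added example, not code from this thread or from Cisco: it emits one access-list and one pre-8.3 policy static per usable address of a mapped block (network and broadcast excluded, so a /29 yields the six addresses the original poster counted and a /27 yields 30), optionally checks that the block lies within the outside interface's subnet, and then scans an existing running config for any static that already claims one of those mapped addresses, since the poster mentioned already having a 1-to-1 static in place. The interface names, the a1..aN ACL naming and the sample config fragment are assumptions constructed for the example.

```python
"""Added example (not from the thread or from Cisco): generate per-address
policy static NAT lines mapping every usable address of a public block to one
inside host, and check them against an existing ASA config for mapped-address
conflicts. Uses the pre-8.3 'static (real,mapped) MAPPED access-list ACL'
syntax seen in the thread; interface names and ACL prefix are assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Set


def usable_mapped_addresses(block: str) -> List[str]:
    """Usable host addresses of the block, network and broadcast excluded.
    For 222.222.222.176/29 that is .177 through .182: six addresses."""
    net = ipaddress.ip_network(block, strict=True)  # strict: reject a non-network address
    return [str(h) for h in net.hosts()]


def generate_policy_static(block: str, inside_host: str,
                           outside_subnet: Optional[str] = None,
                           real_if: str = "inside", mapped_if: str = "outside",
                           acl_prefix: str = "a") -> List[str]:
    """One access-list plus one static per usable mapped address, all pointing
    at the same inside host. If outside_subnet is given, the block must lie
    within it, matching the poster's requirement that the /29 sit inside the
    outside interface's block."""
    inside = ipaddress.ip_address(inside_host)
    net = ipaddress.ip_network(block, strict=True)
    if outside_subnet is not None:
        outside = ipaddress.ip_network(outside_subnet, strict=False)
        if not net.subnet_of(outside):
            raise ValueError(f"{net} is not within the outside subnet {outside}")
    lines: List[str] = []
    for i, mapped in enumerate(net.hosts(), start=1):
        acl = f"{acl_prefix}{i}"  # assumed naming: a1, a2, ... as in the thread
        lines.append(f"access-list {acl} extended permit ip host {inside} any")
        lines.append(f"static ({real_if},{mapped_if}) {mapped} access-list {acl}")
    return lines


# Matches 'static (real,mapped) <rest of line>' in a running config.
STATIC_RE = re.compile(r"^\s*static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(.*)$")


def mapped_addresses_in_config(config_text: str) -> Dict[str, str]:
    """Map each mapped address used by a 'static' line to that line.
    Handles 'static (r,m) MAPPED ...' and 'static (r,m) tcp MAPPED port ...'."""
    found: Dict[str, str] = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        tokens = m.group(3).split()
        if not tokens:
            continue
        mapped = tokens[1] if tokens[0] in ("tcp", "udp") and len(tokens) > 1 else tokens[0]
        found.setdefault(mapped, line.strip())
    return found


def mapped_conflicts(existing_config: str, new_lines: List[str]) -> Set[str]:
    """Mapped addresses the proposed statics share with statics already in the
    running config, e.g. a leftover 1-to-1 static for the same public IP."""
    existing = mapped_addresses_in_config(existing_config)
    proposed = mapped_addresses_in_config("\n".join(new_lines))
    return set(existing) & set(proposed)


if __name__ == "__main__":
    # Constructed running-config fragment: a 1-to-1 static already uses .177.
    EXISTING = """\
interface Vlan2
 nameif outside
 ip address 222.222.222.130 255.255.255.128
static (inside,outside) 222.222.222.177 10.15.20.30 netmask 255.255.255.255
"""
    new = generate_policy_static("222.222.222.176/29", "10.15.20.20",
                                 outside_subnet="222.222.222.130/25")
    print("\n".join(new))
    print("conflicts with existing statics:", sorted(mapped_conflicts(EXISTING, new)))
```

Review the conflict set before pasting the generated lines into the ASA; an address already claimed by a 1-to-1 static has to be removed first or left out of the block. The generated syntax is the 7.x/8.2 form used throughout this thread; ASA 8.3 and later replaced it with object NAT, so the lines would need rewriting there.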
06-23-2009 12:46 PM
If you're trying to do an outside-to-inside dynamic NAT, then yes, this is possible.
You need to use the outside keyword at the end of your nat statement to tell the device it's outside NAT.
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
outside: If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.
Check out the link below; it may be of assistance.
http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/cfgnat.html
Hopefully I have understood you :)
HTH
Stu