05-28-2015 12:20 AM - edited 03-11-2019 11:00 PM
Hello Friends,
We have configured multiple public IPs on the ASA, but there are not multiple addresses on an interface. My scenario is solved with NAT.
For each node/port combination you configure an object and define the NAT settings (which are a port-forwarding), so my question is: I want to allow ICMP on XX.XX.XX.32, XX.XX.XX.33, XX.XX.XX.34, XX.XX.XX.35.
Please suggest how to do it.
interface Vlan1
nameif outside
security-level 0
ip address XX.XX.XX.31 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group COLODNS
name-server 127.0.0.1
name-server 8.8.8.8
name-server 192.168.1.1
name-server 206.183.111.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
access-list inside_access extended permit ip any any
access-list inside_access extended deny ip any any inactive
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 www 192.168.1.5 7070 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.32 8983 192.168.1.5 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 9983 192.168.1.5 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 10222 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.36 www 192.168.1.2 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 85 192.168.1.2 85 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8080 192.168.1.3 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 10222 192.168.1.3 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 9983 192.168.1.3 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8983 192.168.1.3 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.38 www 192.168.1.3 7070 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.1 1
05-28-2015 02:59 AM
Hi,
You would not be able to allow ICMP traffic using the port-forward NAT statements.
You need a static one-to-one NAT for it to work.
Thanks and Regards,
Vibhor Amrodia
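As an added example (not part of the original posts, and not Cisco's code), the following Python script audits port-forward `static` lines like those in the question before any of them is converted to a one-to-one static: per public address it lists the inside host, the ports published today, and any port redirects. The 203.0.113.x addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the form used in the post; 203.0.113.x stands in
# for the masked XX.XX.XX.x addresses.
SAMPLE = """\
static (inside,outside) tcp 203.0.113.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.35 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.37 www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.37 8080 192.168.1.3 8080 netmask 255.255.255.255
"""

# static (real_if,mapped_if) proto public public_port inside inside_port netmask mask
PAT = re.compile(r"^static \(\S+,\S+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")

def parse_port_forwards(config):
    """Return (proto, public, public_port, inside, inside_port) per port-forward line."""
    return [m.groups() for m in map(PAT.match, map(str.strip, config.splitlines())) if m]

def audit(rules):
    """Summarise, per public address, what a one-to-one static would have to cover."""
    by_public = defaultdict(list)
    publics_of = defaultdict(set)          # inside host -> public addresses using it
    for proto, public, pport, inside, iport in rules:
        by_public[public].append((proto, pport, inside, iport))
        publics_of[inside].add(public)
    report = {}
    for public, entries in by_public.items():
        insides = sorted({e[2] for e in entries})
        report[public] = {
            "inside_hosts": insides,
            # Ports published today: the only ones the outside ACL needs to permit.
            "forwarded": sorted(f"{e[0]}/{e[1]}" for e in entries),
            # A one-to-one static translates addresses only, so these redirects are lost.
            "port_redirects": sorted(f"{e[1]}->{e[3]}" for e in entries if e[1] != e[3]),
            # True when the inside host is also published on another public address.
            "inside_shared": any(len(publics_of[i]) > 1 for i in insides),
        }
    return report

if __name__ == "__main__":
    for public, info in sorted(audit(parse_port_forwards(SAMPLE)).items()):
        print(public, info)
```

A one-to-one static translates every port and protocol for the address, so reachability is then decided by the outside ACL alone; the posted `outside_access_in` begins with `permit ip any any`.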