06-26-2013 08:46 PM - edited 03-11-2019 07:03 PM
Hi,
I have a doubt about configuring the inbound rules for dynamic NAT. I want to allow my web server (172.16.101.115) to be connected from outside on tcp/443.
How do I configure the inbound ruleset to allow the public to connect to my web server on tcp/443 with dynamic NAT?
Here I have drawn a diagram and some configuration I have configured on my ASA 8.2. Please correct me if I have configured it wrong.
Public IP: 10.10.10.28
Private IPs:
172.16.101.115
172.16.101.116
172.16.101.117
172.16.101.118
172.16.101.119
172.16.101.120
access-list Web_nat permit ip host 172.16.101.115 any
access-list Web_nat permit ip host 172.16.101.116 any
access-list Web_nat permit ip host 172.16.101.117 any
access-list Web_nat permit ip host 172.16.101.118 any
access-list Web_nat permit ip host 172.16.101.119 any
access-list Web_nat permit ip host 172.16.101.120 any
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28
access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443 // allow outside to connect to my external IP.
access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443 // allow my translation IP to connect to my web server on tcp/443.
06-26-2013 11:10 PM
Hi,
I am not sure what you are attempting to configure here.
But what the NAT configuration above does is a Dynamic PAT for all the servers on the "firewall-dmz" to a single IP address towards the "firewall-outbound".
This Dynamic translation doesn't, however, enable connections to be initiated from behind the "firewall-outbound" interface. When you're hosting a server which needs a NAT towards the users, then the NAT type has to be Static NAT or Static PAT.
Static NAT will essentially use up one public IP address for just the single local host/server.
Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. This is most commonly used in environments in which the only public IP address is the one that the ASA holds on its WAN interface.
A typical Static NAT configuration is this:
static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
Where
A typical Static PAT configuration is this:
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
Where
Hope this helps
- Jouni
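Applying the Static PAT approach from the answer above to the exact scenario in the question (web server 172.16.101.115 behind `firewall-dmz`, public address 10.10.10.28 on `firewall-outbound`), here is an added example in ASA 8.2 syntax. It is not configuration from the original post or from Jouni; the interface names and addresses come from the question, the `access-group` placement is an assumption about where the ACL is applied, and the client address 198.51.100.10 in the verification step is a constructed test value from the documentation range.

```text
! Existing dynamic PAT stays in place for connections the DMZ servers open outbound.
! Static translations are matched before dynamic NAT, so the web server's inbound
! tcp/443 is handled by the static entry below and everything else still uses this PAT.
access-list Web_nat extended permit ip host 172.16.101.115 any
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28
!
! Static PAT: forward only tcp/443 on the public address to the web server.
! Form: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask
static (firewall-dmz,firewall-outbound) tcp 10.10.10.28 443 172.16.101.115 443 netmask 255.255.255.255
!
! In ASA 8.2 the ACL on the outside interface matches the MAPPED (public) address,
! not the real 172.16.101.115. Permit only the forwarded port; anything else arriving
! from outside remains implicitly denied by the ACL's implicit deny.
access-list fw-outbound-access extended permit tcp any host 10.10.10.28 eq 443
access-group fw-outbound-access in interface firewall-outbound
!
! Verification from exec mode (constructed client address 198.51.100.10):
!   show xlate | include 172.16.101.115
!   packet-tracer input firewall-outbound tcp 198.51.100.10 40000 10.10.10.28 443
! packet-tracer should report the static xlate and an ALLOW result for tcp/443 only;
! repeating it with another destination port should end in DROP at the access-list phase.
```

The entry on the DMZ interface ACL in the question (`permit tcp any host 172.16.101.115 eq 443`) is not what admits the inbound connection: an ACL applied inbound on `firewall-dmz` filters traffic the DMZ hosts originate, and the server's replies to an established session pass on connection state. The decision for traffic from the internet is made by the ACL on `firewall-outbound` against the public address, which is why keeping that ACL limited to tcp/443 on 10.10.10.28 is the control that matters.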