How to configure inbound ruleset in dynamic nat.

Chin
Level 1

Hi ,

I have a doubt about configuring the inbound rules for dynamic NAT. I want to allow my web server (172.16.101.115) to be connected to from outside on tcp/443.

How do I configure the inbound ruleset to allow the public to connect to my web server on tcp/443 with dynamic NAT?

Here I have drawn a diagram and some configuration I have configured on my ASA 8.2. Please correct me if I configured it wrong.

Public IP: 10.10.10.28

Private IPs:
172.16.101.115
172.16.101.116
172.16.101.117
172.16.101.118
172.16.101.119
172.16.101.120

access-list Web_nat permit ip host 172.16.101.115 any
access-list Web_nat permit ip host 172.16.101.116 any
access-list Web_nat permit ip host 172.16.101.117 any
access-list Web_nat permit ip host 172.16.101.118 any
access-list Web_nat permit ip host 172.16.101.119 any
access-list Web_nat permit ip host 172.16.101.120 any
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28

! allow outside to connect to my external IP
access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443
! allow my translation IP to connect to my web server on tcp/443
access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443


Jouni Forss
VIP Alumni

Hi,

I am not sure what you are attempting to configure here.

But what the NAT configuration above does is Dynamic PAT for all the servers on "firewall-dmz" to a single IP address towards "firewall-outbound".

This dynamic translation doesn't, however, enable connections to be initiated from behind the "firewall-outbound" interface. When you're hosting a server which needs a NAT towards the users, the NAT type has to be Static NAT or Static PAT.

Static NAT will essentially use up one public IP address for just the single local host/server.

Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. This is most commonly used in environments whose only public IP address is the one the ASA holds on its WAN interface.

A typical Static NAT configuration is this:

static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255

Where

  • inside = is the interface behind which the host is
  • outside = is the interface towards which the host is NATed
  • 1.1.1.1 = is the public NAT IP address for the host
  • 10.10.10.10 = is the local IP address of the host

A typical Static PAT configuration is this:

static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255

Where

  • tcp = specifies the protocol for which the Static PAT is configured
  • interface = specifies that we will be using the public IP address of the destination interface "outside" as the public IP address for this single Port Forward.
  • 80 = first "80" specifies the public port visible to users behind the destination interface
  • 80 = second "80" specifies the actual local port on which the local host is listening on

Hope this helps

- Jouni
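Applying the reply's Static PAT form to the question's own interface names and addresses, as an added example that is not part of either post. The access-group line is an assumption, since the question did not show how its ACLs are applied; the dynamic nat/global pair is kept as the question had it.

```cisco
! Added example (ASA 8.2 syntax); interface names and addresses are from the question.

! Outbound: dynamic PAT for the DMZ servers, as already configured in the question.
! This creates translations only for connections initiated from firewall-dmz.
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28

! Inbound: Static PAT (port forward). The translation is permanent, so a connection
! arriving at 10.10.10.28:443 from outside is mapped to 172.16.101.115:443.
! The static entry takes precedence over the dynamic nat/global pair for this port.
static (firewall-dmz,firewall-outbound) tcp 10.10.10.28 443 172.16.101.115 443 netmask 255.255.255.255

! If 10.10.10.28 is the address of the firewall-outbound interface itself,
! the "interface" keyword from the reply can be used instead of the explicit IP:
! static (firewall-dmz,firewall-outbound) tcp interface 443 172.16.101.115 443 netmask 255.255.255.255

! On 8.2 the ACL on the outside-facing interface is matched against the mapped
! (public) address, so the question's fw-outbound-access line is the right shape.
! Applying it to the interface is assumed here; the question did not show it.
access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443
access-group fw-outbound-access in interface firewall-outbound
```

The fw-dmz-access line from the question is not what permits the inbound connection: an ACL applied inbound on firewall-dmz filters traffic entering the ASA from the DMZ side, not traffic arriving from firewall-outbound.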
