02-14-2011 02:50 PM - edited 03-11-2019 12:50 PM
Can someone please tell me how to open a port on the ASA 5520 Version 8.31?
Private IP Address - 10.1.1.5 255.255.255.0
Public IP Address - 1.1.1.2
TCP Port 25
Any help will be much appreciated
Thanks
Lake
02-14-2011 03:08 PM
Do you mean how to create the NAT port address redirection, or how to create the access-list that you apply to the outside interface, or both?
Also, do you want to create a static 1:1 NAT where 1.1.1.2 is a spare public IP, or do you want to configure static PAT where 1.1.1.2 is a spare IP, or is 1.1.1.2 actually the outside interface IP address?
Sorry for all the questions as config is different depending on what it is.
02-14-2011 03:14 PM
I just need to create a static one-to-one NAT and open a port. I am not sure what you mean by spare IP?
Thanks
Regards,
Lake Harrypersaud
Future 2000 Systems Inc.
905.405.8844
Sent from my BlackBerry device on the Rogers Wireless Network
02-14-2011 03:32 PM
OK, assuming that 1.1.1.2 is not the ASA outside interface IP address and is just another unique IP that you can use, i.e. it has not been assigned to anything else, then here is the config:
object network obj-10.1.1.5
host 10.1.1.5
nat (inside,outside) static 1.1.1.2
If you already have an access-list applied to the outside interface, you just need to add the following to your existing access-list:
access-list
02-14-2011 03:51 PM
Do I still have to create an access group?
Thanks
02-14-2011 03:56 PM
If you already have an access-list applied to the outside interface, then no, you don't need access-group. Just make sure you use the same access-list name.
But if you haven't had one applied to the outside interface through the access-group command, then yes, you will have to apply it.
"sh run access-group" will show you whether or not it has been applied.
02-14-2011 04:24 PM
I assume the access list has not changed?
Thanks
02-14-2011 04:37 PM
Assuming you mean whether it is different compared to the previous version of the ASA, then the answer is yes, it has slightly changed.
With the previous version, you match it against the translated/NATed IP when you apply it on the outside interface, but from version 8.3 onwards, you need to match it against the real IP or the object ID.
02-14-2011 04:48 PM
Can you please give me an example?
Thanks
02-14-2011 04:53 PM
From your example, server real IP: 10.1.1.5, translated IP: 1.1.1.2
On the earlier version, your access-list applied to the outside interface will say:
access-list
On version 8.3 and onwards, your access-list will say:
access-list
OR/ alternatively, with the NAT object that we created earlier, it can say:
access-list
02-14-2011 04:56 PM
Thank you very much
02-14-2011 04:57 PM
No problem. Please kindly mark the post as answered if you have no further question. Thank you.
02-14-2011 05:12 PM
Will do
02-14-2011 05:59 PM
I am sorry, I have one more question. In this scenario
we created an object group, but how can we use this same example to create a static mapping and then create an access-list instead of an object group?
Thanks,
Lake
02-14-2011 06:08 PM
Object-group is only used to group objects together. For the static NAT entry, you still need to configure object NAT individually.
For the access-list, you can create an object-group with all the real IPs in the object-group and match it in the access-list with the object-group.
Example:
object-group network servers
network-object host 10.1.1.5
network-object host 10.1.1.8
network-object host 10.1.1.67
access-list
There are 2 types of objects now in version 8.3, in case you get confused with the older version:
1) object-group: which is still the same as the previous version, i.e. grouping all the objects together
2) object: which is the new NAT (object NAT)
Here is the object NAT command reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544
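As an added illustration (not part of the thread and not ASA code): a small Python model of the 8.3 change described in the 04:53 PM reply and of the object-group access-list in this post. It uses the NAT object and object-group from the thread and shows that an entry written against the translated IP stops matching once the ACL is evaluated on the real IP. The function names and data classes are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One 'object network ... nat (inside,outside) static <mapped>' entry."""
    real_ip: str
    mapped_ip: str


@dataclass(frozen=True)
class Ace:
    """One access-list entry; an object-group expands to a set of destination IPs."""
    dst_ips: frozenset
    dst_port: int
    action: str = "permit"


def untranslate(dst_ip: str, nats) -> str:
    """Undo the static NAT: public destination -> real server (unchanged if no match)."""
    for nat in nats:
        if nat.mapped_ip == dst_ip:
            return nat.real_ip
    return dst_ip


def acl_permits(acl, dst_ip: str, dst_port: int, nats, asa_83: bool = True) -> bool:
    """Evaluate an inbound outside ACL for a packet to dst_ip:dst_port.

    Pre-8.3: the ACL is checked against the translated (public) destination.
    8.3+: NAT is undone first, so the entry must name the real IP (or its object).
    """
    lookup_ip = untranslate(dst_ip, nats) if asa_83 else dst_ip
    for ace in acl:
        if lookup_ip in ace.dst_ips and ace.dst_port == dst_port:
            return ace.action == "permit"
    return False  # implicit deny at the end of every ASA access-list


# Values taken from the thread: real server, mapped public IP, TCP 25, object-group.
NATS = (StaticNat("10.1.1.5", "1.1.1.2"),)
OLD_STYLE_ACL = (Ace(frozenset({"1.1.1.2"}), 25),)   # pre-8.3 style: mapped IP
NEW_STYLE_ACL = (Ace(frozenset({"10.1.1.5"}), 25),)  # 8.3+ style: real IP
SERVERS_GROUP = frozenset({"10.1.1.5", "10.1.1.8", "10.1.1.67"})
GROUP_ACL = (Ace(SERVERS_GROUP, 25),)                # 8.3+ style: object-group of real IPs

if __name__ == "__main__":
    inbound = ("1.1.1.2", 25)  # constructed: mail from the Internet to the public IP
    print("mapped-IP entry on pre-8.3:", acl_permits(OLD_STYLE_ACL, *inbound, NATS, asa_83=False))
    print("mapped-IP entry on 8.3    :", acl_permits(OLD_STYLE_ACL, *inbound, NATS))
    print("real-IP entry on 8.3      :", acl_permits(NEW_STYLE_ACL, *inbound, NATS))
    print("object-group entry on 8.3 :", acl_permits(GROUP_ACL, *inbound, NATS))
```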