04-25-2014 03:12 PM - edited 03-11-2019 09:07 PM
Hello,
We have a new time clock service and have a few users that need to be able to remotely clock in to this service. The site's security system needs to be able to see a publicly accessible IP, but I have limited public IPs left and I won't be able to NAT them all 1 to 1, so is there a way to make this happen on the ASA: have multiple internal hosts NAT'd or mapped to a single external IP? Any ideas or pointers would be great.
thanks,
Carlo
Solved! Go to Solution.
04-29-2014 04:05 AM
You could do something like the following:
object service PORT
 service udp destination eq ntp
object-group network SERVERS
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
 network-object host 1.1.1.5
nat (inside,outside) source static SERVERS interface service PORT PORT
--
Please remember to select a correct answer and rate
04-25-2014 03:59 PM
Hello Carlo,
This sounds like you need port forwarding. If your clock works with port 123/UDP you can create a NAT rule to NAT that port to a public IP even if the IP has been used on another static translation (this applies to 1-to-1 translations).
As you know, this is going to overlap; however, it's possible, and the firewall can map that single port from the public IP to the private IP of the server.
This file has examples of NAT on code pre-8.3 and post-8.3:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
This is an example of how the configuration will look on code 8.2:
static (inside,outside) A.A.A.A X.X.X.X netmask 255.255.255.255
static (inside,outside) udp A.A.A.A 123 B.B.B.B 123 netmask 255.255.255.255
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
Hope you find this information helpful.
04-25-2014 05:07 PM
I don't know what the port is; we log in through the web, and it looks like the site controls the access, because when I logged in from an internal IP that's not NAT'd to an outside one it failed to log in.
04-28-2014 09:13 AM
Hi Jose, do you have any sample code or docs for v9.1? It looks like the site is port 80 but then it goes to HTTPS for the login to the time clock system. I need to get a few clients to be able to NAT to a single IP externally so they can clock in to this site. Any pointers would be great.
04-25-2014 04:01 PM
Yes, you can NAT all of the users behind a single IP or even use the interface IP of the egress interface. What version of code are you running on your ASA? The newer versions of code allow you to use a pool, which doesn't require each host to have a unique external IP.
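As an added example (not from any post in this thread), this is one way to write what Marius describes in ASA 8.3+/9.1 syntax: dynamic PAT of a group of inside hosts onto one spare public IP, restricted to traffic going to the time clock site so the rest of the network keeps its existing translations. All addresses and object names are placeholders, not values from the thread.

```cisco
! Inside hosts that need to clock in (placeholder addresses)
object-group network TIMECLOCK_USERS
 network-object host 10.10.1.21
 network-object host 10.10.1.22
 network-object host 10.10.1.23

! The one spare public IP the time clock site's security system will see (placeholder)
object network TIMECLOCK_PUBLIC_IP
 host 203.0.113.5

! The time clock site itself (placeholder), used to scope the rule to that destination only
object network TIMECLOCK_SITE
 host 198.51.100.20

! Manual (twice) NAT, dynamic PAT: because the mapped object is a single host, the ASA
! translates source ports, so all hosts in the group share 203.0.113.5. The identity
! destination clause keeps the rule from affecting traffic to any other destination.
nat (inside,outside) source dynamic TIMECLOCK_USERS TIMECLOCK_PUBLIC_IP destination static TIMECLOCK_SITE TIMECLOCK_SITE

! If no spare public IP is available, use the outside interface address instead:
! nat (inside,outside) source dynamic TIMECLOCK_USERS interface destination static TIMECLOCK_SITE TIMECLOCK_SITE

! Verify the rule is installed and being hit, then confirm the translations once a user logs in
! show nat detail
! show xlate
```

The hit counters in `show nat detail` should increase only for traffic toward TIMECLOCK_SITE; if they stay at zero, check that no earlier manual NAT rule is matching the same hosts first.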
04-25-2014 05:04 PM
Thanks for the reply, I'm on v9.1
04-29-2014 11:15 AM
Thanks for the reply, Marius. Somehow I think the time clock site's admins may have done something, because it works now for anyone inside our network without me doing anything on the ASA. I'll keep the code handy for future needs. Thanks again.