
11-16-2017 09:35 AM - edited 02-21-2020 06:46 AM
Hello All,
I am very new to using the Cisco ASA. I've watched tons of videos already, but my brain freezes for some reason. I bought this firewall and can't configure it properly; can someone help me, please? I am trying to learn how to allow any host to communicate.
For example, my public IP is 200.100.25.20 and my private IP is 10.17.1.10:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
static (inside,outside) 10.17.1.10 10.17.1.10 netmask 255.255.255.255
or should I use this
static (inside,outside) 200.100.25.20 10.17.1.10 netmask 255.255.255.255
or
static (outside,inside) 10.17.1.10 200.100.25.20 netmask 255.255.255.255
access-group OUTSIDE_NET in interface outside
access-group INSIDE_NET in interface inside
Am I on the right track? Did I miss anything? I wanted to be able to access my test web server from the outside network.
Labels: NGFW Firewalls
Accepted Solutions
05-04-2018 02:01 AM
If you're still using 8.2, you should use:
static (inside,outside) 200.100.25.20 10.17.1.10 netmask 255.255.255.255
Bear in mind that if you use ASDM or SSH over the outside interface, adding this static NAT statement will cut your access, as both 443 and 22 will get translated to 10.17.1.10.
As a glitch, if the above statement doesn't work, please use the "interface" keyword:
static (inside,outside) interface 10.17.1.10 netmask 255.255.255.255
Last but not least, you can use static PAT only for ports 80 or 443:
static (inside,outside) tcp interface 80 10.17.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.17.1.10 443 netmask 255.255.255.255
Now that we have taken care of NAT, let's revisit the firewall, aka the ACL:
- You used: access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
This will work if you have software version 8.3 or higher.
- Instead, use:
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 80
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 443
I am assuming that you will apply the OUTSIDE_NET ACL on the outside interface: access-group OUTSIDE_NET in interface outside
Good luck!
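The accepted answer rests on two version-dependent rules that are easy to get wrong when reviewing an ASA configuration: before 8.3 the interface ACL is matched against the mapped (public) address, from 8.3 onward against the real (private) address, and a full static NAT of the outside interface address also captures traffic destined for the ASA itself on 443 and 22. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses 8.2-style static/access-list/access-group lines and reports those two problems. The function and pattern names, the severity labels, and the sample configurations are this example's own; the outside interface address is passed in rather than parsed from an `interface` block, and the 8.3+ mode only models the ACL-address rule (it still reads the mappings from 8.2-style `static` lines).

```python
"""Audit ASA 8.2-style NAT and ACL lines for two version-dependent pitfalls.

  1. Pre-8.3: the outside ACL must permit the mapped (public) address.
     8.3+:    the outside ACL must permit the real (private) address.
  2. A full static NAT of the outside interface address also redirects
     to-the-box management traffic (443 ASDM, 22 SSH) to the inside host.

Names below (audit_asa_config, STATIC_PAT, ...) are this example's own,
not Cisco or ASA API names.
"""
import re
from typing import Dict, List, Set, Tuple

PRE83, POST83 = "8.2", "8.3+"            # version families with different ACL semantics
MGMT_PORTS = {22: "SSH", 443: "ASDM/HTTPS"}
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# static (real_if,mapped_if) tcp|udp <mapped|interface> <mport> <real> <rport> netmask ...
STATIC_PAT = re.compile(
    rf"^static \((?P<rif>\w+),(?P<mif>\w+)\) (?P<proto>tcp|udp) "
    rf"(?P<mapped>interface|{IP}) (?P<mport>\d+) (?P<real>{IP}) (?P<rport>\d+) netmask"
)
# static (real_if,mapped_if) <mapped|interface> <real> netmask ...
STATIC_FULL = re.compile(
    rf"^static \((?P<rif>\w+),(?P<mif>\w+)\) (?P<mapped>interface|{IP}) (?P<real>{IP}) netmask"
)
ACE = re.compile(
    rf"^access-list (?P<name>\S+) extended permit \w+ .+? host (?P<dst>{IP})(?: eq (?P<port>\d+))?$"
)
ACCESS_GROUP = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")

Finding = Tuple[str, str]  # (severity, message)


def audit_asa_config(config: str, version: str, outside_ip: str) -> List[Finding]:
    """Return (severity, message) findings; the 'interface' keyword in a
    static line is resolved to outside_ip."""
    findings: List[Finding] = []
    mapped_ips: Set[str] = set()
    real_ips: Set[str] = set()
    aces: Dict[str, List[Tuple[str, str]]] = {}   # acl name -> [(dst, line)]
    bound: Dict[str, str] = {}                    # acl name -> interface

    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_PAT.match(line):
            mapped = outside_ip if m["mapped"] == "interface" else m["mapped"]
            mapped_ips.add(mapped)
            real_ips.add(m["real"])
            port = int(m["mport"])
            if mapped == outside_ip and port in MGMT_PORTS:
                findings.append(("INFO", f"{line}: PAT on interface port {port} also redirects "
                                         f"{MGMT_PORTS[port]} to the ASA itself; move management to another port"))
        elif m := STATIC_FULL.match(line):
            mapped = outside_ip if m["mapped"] == "interface" else m["mapped"]
            mapped_ips.add(mapped)
            real_ips.add(m["real"])
            if mapped == outside_ip:
                findings.append(("WARN", f"{line}: full static NAT of the outside interface address sends "
                                         f"all inbound ports, including 443/22 management, to {m['real']}"))
        elif m := ACE.match(line):
            aces.setdefault(m["name"], []).append((m["dst"], line))
        elif m := ACCESS_GROUP.match(line):
            bound[m["name"]] = m["iface"]

    # Rule 1: destination hosts in the ACL bound to 'outside' must follow the version's semantics.
    for name, iface in bound.items():
        if iface != "outside":
            continue
        for dst, line in aces.get(name, []):
            if version == PRE83 and dst in real_ips and dst not in mapped_ips:
                findings.append(("ERROR", f"{line}: on pre-8.3 the outside ACL must permit the mapped "
                                          f"(public) address, not the real address {dst}"))
            elif version == POST83 and dst in mapped_ips and dst not in real_ips:
                findings.append(("ERROR", f"{line}: on 8.3+ the outside ACL must permit the real "
                                          f"(private) address, not the mapped address {dst}"))
    return findings


# Constructed sample: the original poster's 8.2 config with the first static variant.
ORIGINAL_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list OUTSIDE_NET extended permit tcp any host 10.17.1.10 eq 80
static (inside,outside) 200.100.25.20 10.17.1.10 netmask 255.255.255.255
access-group OUTSIDE_NET in interface outside
"""

# Constructed sample: the accepted answer's static-PAT variant with a matching pre-8.3 ACL.
CORRECTED_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 80 10.17.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.17.1.10 443 netmask 255.255.255.255
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 80
access-list OUTSIDE_NET extended permit tcp any host 200.100.25.20 eq 443
access-group OUTSIDE_NET in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label} (8.2) ==")
        for severity, message in audit_asa_config(cfg, PRE83, "200.100.25.20"):
            print(f"[{severity}] {message}")
```

Run against the original configuration in 8.2 mode, the linter reports the full-interface static as a warning and the ACL entry referencing 10.17.1.10 as an error; against the corrected configuration it reports only the informational note that PAT on interface port 443 also catches ASDM, which is why a management port change belongs with that variant. Switching the same corrected ACL to 8.3+ mode turns its two public-address entries into errors, showing how a configuration migrated across that version boundary breaks.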
11-16-2017 02:10 PM
Can you just confirm:
1) What ASA software version are you running?
2) Is the public IP you want to use for your web server the same IP assigned to your outside interface, or a different one?
Jon
11-16-2017 03:55 PM
This is only running v8.2.
This public IP is coming from a PAT on another firewall. I'm actually behind another firewall. Is that what you're referring to as the outside interface?

05-03-2018 03:13 PM
