NAT for multiple ports

Delmiro Campelo
Level 1

Hello Support community,

I'm looking to simplify some of the NAT commands that I need to use, and I would like to ask: is it possible to map 2 real ports to 2 translated ports using a single NAT command? For example, I have a web server in the DMZ hosting services on ports 80 and 443 that need some NAT translation for the Internet. I'm looking to use the static NAT command described in the link below, but it looks like that would use a range of ports instead of specific ones like 80 and 443. In my case, does the range command use all the ports 80 through 443 or just those 2 ports? Is it possible to accomplish this goal with a single NAT command?

https://supportforums.cisco.com/docs/DOC-9129

Thanks for your time

Delmiro

Accepted Solution

Hi,

You would basically need an "object network" for each NAT configuration, since each "object network" can only hold one "nat" configuration line under it.

So, for example, you might need:

object network WEB-SERVER-HTTP
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp www www

object network WEB-SERVER-HTTPS
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp https https

So, as you can imagine, if you have several ports that need to be forwarded to the local servers then you are looking at a large amount of configuration.

Naturally, having a separate public IP address for each server helps a lot, since then you don't have to play around with separate ports but can just configure a static NAT:

object network WEB-SERVER
 host 10.10.10.10
 nat (dmz,outside) static x.x.x.x

But if you are already specifically looking for Static PAT (port forward) configurations, I imagine that you don't have any other public IP addresses other than the one on your "outside" interface, or for some reason you are not able to use the spare public IP address this time.

- Jouni
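Since the answer is "one object network and one nat line per forwarded port", the configuration grows linearly with the number of ports and is easy to get wrong by hand. The following script is an added example, not code from the thread or from Cisco: it generates the per-port stanzas Jouni describes and refuses to emit two stanzas that claim the same public interface/address/protocol/port for different real endpoints, which is the mistake that ends up exposing the wrong DMZ host. The object-naming scheme (NAME-PROTO-PORT), the conflict check, and the sample values (10.10.10.10, dmz/outside) are my assumptions; the `www` and `https` keywords are the ones used in the thread, and any other port is written numerically.

```python
"""Added example: generate ASA static PAT stanzas, one "object network" per port.

Assumptions (not from the thread): the object-name scheme NAME-PROTO-PORT,
the conflict check, and the sample values (10.10.10.10, dmz/outside) are mine.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Port keywords for "service tcp <real> <mapped>" as used in the thread;
# every other port is emitted as a plain number (assumption).
SERVICE_NAMES: Dict[int, str] = {80: "www", 443: "https"}


@dataclass(frozen=True)
class PortForward:
    name: str          # object-name prefix, e.g. "WEB-SERVER"
    real_ip: str       # the DMZ host's real address
    real_iface: str    # e.g. "dmz"
    mapped_iface: str  # e.g. "outside"
    mapped: str        # "interface" or an explicit public address
    proto: str         # "tcp" or "udp"
    real_port: int
    mapped_port: int


def service_keyword(port: int) -> str:
    return SERVICE_NAMES.get(port, str(port))


def render_stanza(pf: PortForward) -> List[str]:
    """One object holding exactly one nat line, as the ASA requires."""
    obj = f"{pf.name}-{pf.proto.upper()}-{pf.mapped_port}"
    return [
        f"object network {obj}",
        f" host {pf.real_ip}",
        f" nat ({pf.real_iface},{pf.mapped_iface}) static {pf.mapped} "
        f"service {pf.proto} {service_keyword(pf.real_port)} "
        f"{service_keyword(pf.mapped_port)}",
    ]


def forwards_for_host(name: str, real_ip: str, ports: Iterable[int],
                      real_iface: str = "dmz", mapped_iface: str = "outside",
                      mapped: str = "interface", proto: str = "tcp") -> List[PortForward]:
    """Same port inside and outside, one PortForward per listed port (no ranges)."""
    return [PortForward(name, real_ip, real_iface, mapped_iface, mapped, proto, p, p)
            for p in ports]


def check_conflicts(forwards: Iterable[PortForward]) -> None:
    """A public (interface, address, proto, port) tuple can point at only one real
    endpoint; catching a second claim here, before the config is pushed, avoids
    exposing the wrong host."""
    seen: Dict[Tuple[str, str, str, int], Tuple[str, int]] = {}
    for pf in forwards:
        key = (pf.mapped_iface, pf.mapped, pf.proto, pf.mapped_port)
        target = (pf.real_ip, pf.real_port)
        if key in seen and seen[key] != target:
            raise ValueError(f"public {key} already maps to {seen[key]}, not {target}")
        seen[key] = target


def build_config(forwards: List[PortForward]) -> str:
    """Validate, then render all stanzas as one config fragment."""
    check_conflicts(forwards)
    lines: List[str] = []
    for pf in forwards:
        lines.extend(render_stanza(pf))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input mirroring the thread: one DMZ web server, ports 80 and 443.
    print(build_config(forwards_for_host("WEB-SERVER", "10.10.10.10", [80, 443])), end="")
```

Running it prints two stanzas equivalent to the ones in the accepted answer; passing a list of twenty ports produces twenty objects, which is exactly the "large amount of configuration" the answer warns about, but generated rather than typed.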


4 Replies

Jouni Forss
VIP Alumni

Hi Delmiro,

At the moment it's not possible to handle multiple ports with a single NAT configuration command UNLESS you use a range of ports. And as you can imagine, that is not very convenient.

So I am afraid that if you have to use Static PAT (port forward) instead of Static NAT, then you will have to make a "nat" configuration command for each port that needs to be forwarded through the ASA firewall.

- Jouni

Thanks Jouni for assisting. I'm not sure I understand: if I want to NAT 2 ports (in my case 80 and 443) for the same host on the DMZ, I would have to use a nat command for every port?

This is an example that I was using, that I was trying to simplify.

object network server_real_ip
 nat (dmz,outside) static server_public_ip service tcp www www

object network server_real_ip
 nat (dmz,outside) static server_public_ip service tcp https https

Delmiro


That makes a ton of sense, thanks Jouni!!!
