11-17-2015 07:41 AM - edited 03-11-2019 11:54 PM
Dear friends,
I have an Internet link that is working fine, but now I have to make a new application work that needs NAT for some ports.
I need to translate a public IP (Internet link) to a private IP with 10 different ports.
My ASA has IOS version 8.2 and I can't upgrade.
Does anyone know how I can do it?
Thanks
11-17-2015 08:03 AM
Hi Marcio,
Please configure something like:
static (inside,outside) tcp <mapped-public-ip> <mapped-port> <real-ip> <real-port> netmask 255.255.255.255
Also, you need to allow this traffic on the outside interface for inbound connections. Something like this:
access-list out_in permit <tcp/udp> any host <mapped-ip> eq <mapped-port>
Same thing for the other ports and internal addresses as well. Go through the link below for more understanding:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_staticpat.html
Hope it helps.
Regards,
Akshay Rastogi
Remember to mark the answer as correct if it answers your queries or rate the helpful posts.
11-17-2015 08:12 AM
Hello Akshay!
Thanks for your support.
I made this configuration before, as you can see below, but I couldn't make this same configuration for a port range (9000-9499).
static (outside1,inside) tcp 189.231.97.x 5000 192.168.13.10 5000 netmask 255.255.255.255
static (outside1,inside) tcp 189.231.97.x 5001 192.168.13.10 5001 netmask 255.255.255.255
static (outside1,inside) tcp 189.231.97.x 5090 192.168.13.10 5090 netmask 255.255.255.255
static (outside1,inside) tcp 189.231.97.x sip 192.168.13.10 sip netmask 255.255.255.255
static (outside1,inside) udp 189.231.97.x 5090 192.168.13.10 5090 netmask 255.255.255.255
static (outside1,inside) udp 189.231.97.x sip 192.168.13.10 sip netmask 255.255.255.255
Thanks
11-17-2015 08:21 AM
Hi Marcio,
First thing, if 192.168.13.10 is your real IP on the inside interface, then flip the interfaces in the command. The first IP in the command is the mapped IP and the second IP is the real IP. Therefore change it to:
static (inside,outside1)....
Unfortunately, you cannot map multiple ports or a port range in static PAT in versions before 8.3. You need to configure one-to-one mappings. However, you could configure static NAT without any port mapping and then allow specific ports as destination ports in the access-list. This would help you achieve what you wish (in case all the ports for 9000-9499 redirect to the same internal IP).
Hope it helps.
Regards,
Akshay Rastogi
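The two options from the reply above, generated for the 9000-9499 range. This is an added example, not part of the original posts: the function names are hypothetical, 203.0.113.10 is a constructed stand-in for the public IP, and the protocol of the range is an assumption passed as a parameter.

```python
import ipaddress

MASK = "netmask 255.255.255.255"

def _check(mapped_ip, real_ip, first, last, proto):
    ipaddress.IPv4Address(mapped_ip)   # raises ValueError on a bad address
    ipaddress.IPv4Address(real_ip)
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not 1 <= first <= last <= 65535:
        raise ValueError("invalid port range")

def acl_line(mapped_ip, first, last, proto, acl="out_in"):
    # Pre-8.3 ACLs on the outside interface match the mapped (public) IP.
    return f"access-list {acl} permit {proto} any host {mapped_ip} range {first} {last}"

def per_port_static_pat(mapped_ip, real_ip, first, last, proto,
                        real_if="inside", mapped_if="outside1"):
    """Option 1: one static PAT line per port (no range in static PAT before 8.3)."""
    _check(mapped_ip, real_ip, first, last, proto)
    # Order as explained in the thread: (real_if,mapped_if), mapped IP/port, real IP/port.
    lines = [f"static ({real_if},{mapped_if}) {proto} {mapped_ip} {p} {real_ip} {p} {MASK}"
             for p in range(first, last + 1)]
    return lines + [acl_line(mapped_ip, first, last, proto)]

def static_nat_with_acl(mapped_ip, real_ip, first, last, proto,
                        real_if="inside", mapped_if="outside1"):
    """Option 2: one-to-one static NAT; only the ACL limits the reachable ports."""
    _check(mapped_ip, real_ip, first, last, proto)
    # The NAT rule maps every port of the host, so keep the ACL to the needed range.
    return [f"static ({real_if},{mapped_if}) {mapped_ip} {real_ip} {MASK}",
            acl_line(mapped_ip, first, last, proto)]

if __name__ == "__main__":
    # Constructed sample values; the real public IP is elided in the thread.
    for line in static_nat_with_acl("203.0.113.10", "192.168.13.10", 9000, 9499, "udp"):
        print(line)
    pat = per_port_static_pat("203.0.113.10", "192.168.13.10", 9000, 9499, "udp")
    print(f"... option 1 needs {len(pat) - 1} static lines plus the ACL entry")
```

The ACL only takes effect once it is bound to the outside interface with `access-group`; if an ACL is already applied there, add the entry to that ACL instead.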
11-17-2015 08:31 AM
Hello Akshay,
I see your point, but I made the NAT this way because I have to translate from the Internet to a specific internal IP.
If my ASA receives a packet from the Internet with these specific ports, it has to be translated to the internal IP.
Am I wrong?
11-17-2015 08:40 AM
Hi Marcio,
You are explaining it correctly, but configuring it wrong. Let me explain:
When we say 'static (inside,outside) tcp <mapped-public-ip> <mapped-port> <real-ip> <real-port> netmask 255.255.255.255', that means traffic initiated from inside to outside with the real IP and port gets translated to the mapped IP and port. Also, as static PAT is bidirectional, it also means that if somebody from outside initiates traffic to the mapped IP and mapped port, the traffic is redirected to the real IP and real port on the inside.
As I had mentioned earlier, in the syntax we write the mapped IP and port first and then the real IP and port.
Hope it helps.
Regards,
Akshay Rastogi
11-17-2015 10:20 AM
Akshay,
I'll give you the correct answer, because you are right about my question.
I believe my problem is not NAT, because after applying the NAT, my application (VOIP) is still not working.
Thanks for all the support.