NAT on ASA 5520

NES IT

Hi Everyone,

I'm a NAT newbie so any help would be greatly appreciated, but I'm looking to NAT an internal address to the outside world. So, I have a remote host that I wish to connect to an internal host, but on a pseudo address. So I need the firewall to accept connections to address x.x.x.x and translate them to y.y.y.y (real internal address). I do not want the remote host to see the real internal address.

I've read the various papers on NAT but am not sure which method I need to use. Also, would my access lists need to reference the real or the NATted address? I'm not sure.

Thanks in advance for any help.


Dan

4 Replies

You need a static NAT rule to allow inbound connections.  The whole NAT infrastructure changed at firmware 8.3, so <=8.2 you use the mapped addresses in the rules, and >=8.3 you use the real addresses.  Where real is what the inside host is sending and receiving on, and mapped is what the firewall is talking to the outside.  If you can supply more details about which ASA software version you are implementing and whether you are forwarding all ports and protocols or just some few TCP ports, we can be more specific with our help.

-- Jim Leinweber

Thank you for your reply Jim.

I'm using asa911-k8.bin as the OS and looking to only really translate HTTP traffic. That's the only traffic which should be coming in anyway.

Thanks again,


Dan

Was that enough info, Jim?

Dan

Almost enough information.  It would help to know how many IPv4 addresses you have on the outside of the firewall, and how you plan to use them.  For a scenario with:

* ASA software 9.1(1)

* 1 IPv4 address on the outside interface of the firewall, say 203.0.113.2

* inbound traffic to port 80 redirected to a particular server, say 172.16.1.8

The video referenced in this forum thread might be helpful:

https://supportforums.cisco.com/docs/DOC-12324

The relevant command line documentation is at:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html

The configuration you want in this case would be something like:

object network web-nat-8
 host 172.16.1.8
 ! object NAT takes only the mapped address after "static"; the real address is the object itself.
 ! the mapped address is the outside interface's own IP, so use the "interface" keyword.
 ! "service tcp 80 80" restricts the translation to TCP/80 (real port, then mapped port).
 nat (inside,outside) static interface service tcp 80 80

ACLs now use the "real" addresses, so 172.16.1.8 in your rules, e.g.

access-list OUTSIDE-INGRESS-01 extended permit tcp any4 host 172.16.1.8 eq 80

access-group OUTSIDE-INGRESS-01 in interface outside

-- Jim Leinweber, WI state lab of Hygiene
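The point of the answer above is the 8.3 change: inbound ACLs are evaluated against the real (inside) address, so an ACE written against the mapped (outside) address, pre-8.3 style, no longer matches the translated traffic. As an added example (not part of this thread and not a Cisco tool), here is a small Python linter that parses a post-8.3 object-NAT configuration, builds the mapped-to-real translation table, and flags two things a practitioner would check before pushing the config: an inbound ACE that references a mapped address instead of the real one, and a static rule with no `service` clause, which exposes every port of the real host rather than just HTTP. `SAMPLE_CONFIG` is constructed from the answer's configuration with one deliberately wrong mapped-address ACE added; interface names and the hypothetical `lint`/`translation_table` helpers are the example's own assumptions.

```python
"""Added example: lint a post-8.3 ASA object-NAT config (not a Cisco tool)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the answer's config plus one pre-8.3-style ACE (mapped address).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 ip address 172.16.1.1 255.255.255.0
!
object network web-nat-8
 host 172.16.1.8
 nat (inside,outside) static interface service tcp 80 80
!
access-list OUTSIDE-INGRESS-01 extended permit tcp any4 host 203.0.113.2 eq 80
access-list OUTSIDE-INGRESS-01 extended permit tcp any4 host 172.16.1.8 eq 80
access-group OUTSIDE-INGRESS-01 in interface outside
"""

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}  # subset used to normalise "eq www"


@dataclass
class NatRule:
    obj: str; real_ifc: str; mapped_ifc: str; real_ip: str; mapped_ip: str
    proto: Optional[str]; real_port: Optional[str]; mapped_port: Optional[str]  # None = all


@dataclass
class Ace:
    acl: str; action: str; proto: str; src: str; dst: str; dst_port: Optional[str]


def _addr(toks, i):
    """Consume one ACE address spec: any/any4/any6, host X, object X, or net mask."""
    if toks[i] in ("any", "any4", "any6"):
        return toks[i], i + 1
    if toks[i] in ("host", "object", "object-group"):
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2


def _port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return PORT_NAMES.get(toks[i + 1], toks[i + 1]), i + 2
    return None, i


def parse_ace(toks):
    i = 3 if toks[2] == "extended" else 2
    action, proto, i = toks[i], toks[i + 1], i + 2
    src, i = _addr(toks, i)
    _, i = _port(toks, i)                      # source port, not needed here
    dst, i = _addr(toks, i)
    return Ace(toks[1], action, proto, src, dst, _port(toks, i)[0])


def parse_config(text):
    """Return (interface IPs, NAT rules, ACEs, access-groups) from ASA config text."""
    ifc_ip, objects, raw_nat, aces, groups = {}, {}, [], [], {}
    mode, pending = None, {}
    for raw in text.splitlines() + ["end"]:    # "end" sentinel flushes the last block
        if not raw.startswith(" "):            # any top-level line leaves the sub-mode
            if mode == "interface" and "nameif" in pending and "ip" in pending:
                ifc_ip[pending["nameif"]] = pending["ip"]
            mode, pending = None, {}
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        if toks[0] == "interface":
            mode = "interface"
        elif toks[:2] == ["object", "network"]:
            mode, pending = "object", {"name": toks[2]}
        elif mode == "interface" and toks[0] == "nameif":
            pending["nameif"] = toks[1]
        elif mode == "interface" and toks[:2] == ["ip", "address"]:
            pending["ip"] = toks[2]
        elif mode == "object" and toks[0] == "host":
            objects[pending["name"]] = toks[1]
        elif mode == "object" and toks[0] == "nat" and toks[2] == "static":
            real_ifc, mapped_ifc = re.match(r"\((\S+),(\S+)\)", toks[1]).groups()
            svc = toks.index("service") if "service" in toks else None
            proto, rp, mp = toks[svc + 1:svc + 4] if svc is not None else (None, None, None)
            raw_nat.append((pending["name"], real_ifc, mapped_ifc, toks[3], proto, rp, mp))
        elif toks[0] == "access-list":
            aces.append(parse_ace(toks))
        elif toks[0] == "access-group":        # access-group NAME in|out interface IFC
            groups[(toks[4], toks[2])] = toks[1]
    rules = [NatRule(o, ri, mi, objects[o], ifc_ip[mi] if m == "interface" else m, p, rp, mp)
             for o, ri, mi, m, p, rp, mp in raw_nat]
    return ifc_ip, rules, aces, groups


def translation_table(rules):
    """Rows of (mapped_ifc, mapped_ip, mapped_port, real_ip, real_port); None port = all."""
    return [(r.mapped_ifc, r.mapped_ip, r.mapped_port, r.real_ip, r.real_port) for r in rules]


def lint(text):
    _, rules, aces, groups = parse_config(text)
    findings = []
    for r in rules:
        if r.proto is None:
            findings.append(f"{r.obj}: static NAT without 'service' exposes every port of {r.real_ip}")
        inbound = [a for a in aces if a.acl == groups.get((r.mapped_ifc, "in")) and a.action == "permit"]
        for a in inbound:
            if a.dst == r.mapped_ip:          # pre-8.3 habit: ACE written against the mapped address
                findings.append(f"{a.acl}: ACE for {a.dst} uses the mapped address of {r.obj}; since 8.3 "
                                f"the ACL sees the real address {r.real_ip}, so it matches no through traffic")
        if not any(a.dst in (r.real_ip, "any", "any4") and a.proto in (r.proto, "ip")
                   and a.dst_port in (r.real_port, None) for a in inbound):
            findings.append(f"{r.obj}: no inbound ACE on {r.mapped_ifc} permits {r.proto or 'ip'} to {r.real_ip}")
    return rules, findings


if __name__ == "__main__":
    rules, findings = lint(SAMPLE_CONFIG)
    print(translation_table(rules))
    print("\n".join(findings) or "no findings")
```

Run on the sample, the table shows outside 203.0.113.2:80 mapping to 172.16.1.8:80 and the only finding is the ACE for 203.0.113.2; the ACE for 172.16.1.8 satisfies the rule, which is exactly the 8.3 behaviour the answer describes. Dropping the `service` clause from the NAT line produces the all-ports warning, which is the check to keep in mind when the requirement is "HTTP only".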
