NAT/PAT Question

sonitadmin (Level 1)

I have a client with an ASA 5510 running IOS 8.3.1. They have a block of 5 public IP addresses, which all currently have a static NAT assigned to them. They are looking at implementing a web interface for an application recently developed for their iSeries and are now in need of another IP address/static NAT entry. They checked with their ISP: the block immediately below them is taken, and the next available block of 10 would require everything to be readdressed.

My question: is there a way to consolidate their public IP addresses and allow them to do what they are looking for with their current range? I've not worked much with the 5510s and never with PAT before, but I'm wondering if that is an option. Any help is appreciated.

Thanks!

5 Replies

varrao (Level 10)

Hi Sonitadmin,

You can use port address translation for your new web application by using the outside interface IP of your ASA; this way you would just be using that specific port on the public IP on which your application would be running. As an example:

static (inside,outside) tcp interface 443 10.1.1.1 443

Just for reference: if your server IP is 10.1.1.1 and it uses port 443, then you can do the above NAT by using the outside interface IP address.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Varun,

Thanks for the quick response. 

OK, lets say for example I have the following public IP's:

72.169.93.201-72.169.93.205

72.169.93.205 is currently assigned as the outside interface. 201, 203 and 204 are all used as static NAT entries in the configuration already:

object network obj-192.168.1.2
 nat (inside,outside) static 72.169.93.203 dns
object network obj-192.168.1.7
 nat (inside,outside) static 72.169.93.201 dns
object network obj_any
 nat (inside,outside) dynamic 72.169.93.204

The 202 address is assigned to another device on the network.

Would those object and NAT commands need to be removed, and what commands would be needed to put in place the PAT that you are describing? Also, would access-lists be needed?

Thanks!

Hi,

No NAT commands need to be removed for it; what you would just need to add would be:

object service tcp_443
 service tcp destination eq 443
object network obj-10.1.1.1
 host 10.1.1.1
nat (outside,inside) source static any any destination static interface obj-10.1.1.1 service tcp_443 tcp_443

You would also need to apply an access-list on the outside interface to allow this traffic, e.g.:

access-list outside_access_in permit tcp any host 10.1.1.1 eq 443

and it should work.

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


OK, just one more (stupid) question. Where in this do I need to enter the outside IP address? I really am having a hard time grasping this.

Thanks!

Hi,

You don't need to mention the IP, just the "interface" keyword.

nat (outside,inside) source static any any destination static interface obj-10.1.1.1 service tcp_443 tcp_443

This means it's the outside interface IP. And in the access-list you just need to mention your server's private IP, since post-8.3 you need to mention private IPs in your access-list applied on the outside interface.

Let me know if you have any questions.

Thanks,
Varun Rao
Security Team,
Cisco TAC

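The thread's answer boils down to two rules: a port on the outside interface address can be forwarded to an inside host without spending a public IP, and on 8.3+ the outside ACL must name the real (private) address, not the mapped one. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses ASA 8.3-style object NAT, twice NAT and access-list lines, resolves the "interface" keyword, builds the public-to-private table, and flags the mistakes that bite when consolidating addresses this way (two rules claiming the same public socket, a port forward on an IP already consumed by a 1:1 static NAT, a missing ACL permit, or an ACL written against the mapped address). The sample config is constructed from the lines posted above; the host/subnet lines and the .205 outside address are assumptions taken from the thread, and the twice-NAT argument order (destination static mapped real; service real mapped) follows the 8.3 syntax, which is moot here since both service objects are tcp_443.

```python
"""Model ASA 8.3 NAT and ACL lines and check the resulting inbound mappings."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    kind: str            # "static" = 1:1 NAT (all ports), "pat" = one public socket
    public_ip: str       # literal address or the keyword "interface"
    proto: str
    public_port: "int | str"
    private_ip: str
    private_port: "int | str"


OUTSIDE_IP = "72.169.93.205"  # assumption from the thread: .205 is the outside interface

# Constructed sample: the NAT statements pasted in the thread (host/subnet lines added,
# since the paste showed only the nat lines) plus varrao's interface PAT and ACL.
SAMPLE_CONFIG = """\
object service tcp_443
 service tcp destination eq 443
object network obj-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 72.169.93.203 dns
object network obj-192.168.1.7
 host 192.168.1.7
 nat (inside,outside) static 72.169.93.201 dns
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 72.169.93.204
object network obj-10.1.1.1
 host 10.1.1.1
nat (outside,inside) source static any any destination static interface obj-10.1.1.1 service tcp_443 tcp_443
access-list outside_access_in permit tcp any host 10.1.1.1 eq 443
"""

OBJ_RE = re.compile(r"object (network|service) (\S+)$")
HOST_RE = re.compile(r"host (\S+)$")
SVC_RE = re.compile(r"service (tcp|udp) destination eq (\d+)$")
# object NAT: "static <pub|interface> [service tcp <real> <mapped>] [dns]"
OBJ_NAT_RE = re.compile(r"nat \(\S+,\S+\) static (\S+)(?: service (tcp|udp) (\d+) (\d+))?(?: dns)?$")
# twice NAT from the outside: "destination static <mapped> <real> service <real> <mapped>"
TWICE_NAT_RE = re.compile(r"nat \(\S+,\S+\) source static \S+ \S+ destination static (\S+) (\S+) service (\S+) (\S+)$")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\d+)$")


def parse(config):
    """Return (inbound NAT rules, ACL permits) from ASA 8.3-style config text.
    Dynamic (outbound PAT) statements create no inbound mapping and are skipped."""
    hosts, svcs, rules, acl = {}, {}, [], []
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            kind, name = m.groups()
        elif kind == "network" and (m := HOST_RE.match(line)):
            hosts[name] = m.group(1)
        elif kind == "service" and (m := SVC_RE.match(line)):
            svcs[name] = (m.group(1), int(m.group(2)))
        elif kind == "network" and (m := OBJ_NAT_RE.match(line)):
            pub, proto, real_port, mapped_port = m.groups()
            if proto:   # object NAT with a service: one public socket
                rules.append(Rule("pat", pub, proto, int(mapped_port), hosts.get(name), int(real_port)))
            else:       # plain 1:1 static: every port on pub belongs to this host
                rules.append(Rule("static", pub, "*", "*", hosts.get(name), "*"))
        elif m := TWICE_NAT_RE.match(line):
            mapped_dst, real_dst, real_svc, mapped_svc = m.groups()
            proto, real_port = svcs[real_svc]
            rules.append(Rule("pat", mapped_dst, proto, svcs[mapped_svc][1], hosts.get(real_dst), real_port))
        elif m := ACL_RE.match(line):
            acl.append((m.group(1), m.group(2), int(m.group(3))))
    return rules, acl


def check(rules, acl, outside_ip=OUTSIDE_IP):
    """Resolve 'interface' to the outside IP, build the public -> private table and
    report overlaps plus ACL mistakes (post-8.3 ACLs must name the real address)."""
    pub_of = lambda r: outside_ip if r.public_ip == "interface" else r.public_ip
    statics, pats, problems = {}, {}, []
    for r in rules:
        if r.kind == "static":
            if pub_of(r) in statics:
                problems.append(f"{pub_of(r)} mapped 1:1 twice ({statics[pub_of(r)]}, {r.private_ip})")
            statics[pub_of(r)] = r.private_ip
    for r in rules:
        if r.kind != "pat":
            continue
        pub, key = pub_of(r), (pub_of(r), r.proto, r.public_port)
        if pub in statics:
            problems.append(f"{pub} {r.proto}/{r.public_port} overlaps the 1:1 static NAT to {statics[pub]}")
        elif key in pats:
            problems.append(f"{pub} {r.proto}/{r.public_port} claimed twice ({pats[key]}, {r.private_ip}:{r.private_port})")
        pats[key] = f"{r.private_ip}:{r.private_port}"
        if (r.proto, r.private_ip, r.private_port) not in acl:
            problems.append(f"no outside ACL permit for real address {r.private_ip} {r.proto}/{r.private_port}")
    for proto, ip, port in acl:
        if ip in statics or any(k[0] == ip for k in pats):
            problems.append(f"ACL permits mapped address {ip} {proto}/{port}; post-8.3 ACLs must use the real address")
    table = {ip: f"{priv} (all ports)" for ip, priv in statics.items()}
    table.update({f"{ip} {proto}/{port}": priv for (ip, proto, port), priv in pats.items()})
    return table, problems


def audit(config, outside_ip=OUTSIDE_IP):
    """Parse and check one config; returns (mapping table, problem list)."""
    return check(*parse(config), outside_ip)
```

Run `audit(SAMPLE_CONFIG)` to get the table (the .201 and .203 statics, and 72.169.93.205 tcp/443 forwarded to 10.1.1.1:443) with an empty problem list. Appending a second `static interface service tcp 443 443` for another host, or an ACL entry that names 72.169.93.203 instead of 192.168.1.2, makes the checker report the collision and the mapped-address ACL, which are the two errors most likely once several services are being squeezed onto one public address.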