09-04-2012 11:01 AM - edited 03-11-2019 04:49 PM
Have a client with an ASA 5510 running IOS 8.3.1. They have a block of 5 public IP addresses, which all currently have a static NAT assigned to them. They are looking at implementing a web interface for an application recently developed for their iSeries and are now in need of another IP address/static NAT entry. They checked with their ISP and the block immediately below them is taken, and the next available block of 10 would require everything to be readdressed.
My question, is there a way to consolidate their public IP addresses and allow them to do what they are looking for with their current range? I've not worked much with the 5510's and never with PAT before, but wondering if that is an option. Any help is appreciated.
Thanks!
09-04-2012 11:12 AM
Hi Sonitadmin,
You can use port address translation for your new web application by using the outside interface ip of your ASA, this way you would just be using that specific port on the public ip on which your application would be running, as an example:
static (inside,outside) tcp interface 443 10.1.1.1 443
Just for reference, if your server IP is 10.1.1.1 and it uses port 443, then you can do the above NAT by using the outside interface IP address.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-04-2012 11:23 AM
Varun,
Thanks for the quick response.
OK, let's say for example I have the following public IPs:
72.169.93.201-72.169.93.205
72.169.93.205 is currently assigned as the outside interface. 201, 203 and 204 are all used as static nat entries in the configuration already:
object network obj-192.168.1.2
nat (inside,outside) static 72.169.93.203 dns
object network obj-192.168.1.7
nat (inside,outside) static 72.169.93.201 dns
object network obj_any
nat (inside,outside) dynamic 72.169.93.204
The 202 address is assigned to another device on the network.
Would those object and nat commands need to be removed, and what commands would be needed to put in place the PAT that you are describing? Also, would there be access-lists needed?
Thanks!
09-04-2012 11:29 AM
Hi,
No nat commands need to be removed for it; what you would just need to add would be:
object service tcp_443
service tcp destination eq 443
object network obj-10.1.1.1
host 10.1.1.1
nat (outside,inside) source static any any destination static interface obj-10.1.1.1 service tcp_443 tcp_443
you would also need to apply an access-list on the outside interface for allowing this traffic, eg:
access-list outside_access_in permit tcp any host 10.1.1.1 eq 443
and it should work.
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-04-2012 11:35 AM
OK, just one more (stupid) question. Where in this do I need to enter the outside IP address? Really am having a hard time grasping this.
Thanks!
09-04-2012 11:40 AM
Hi,
You don't need to mention the IP, just the "interface" keyword.
nat (outside,inside) source static any any destination static interface obj-10.1.1.1 service tcp_443 tcp_443
This means it's the outside interface IP, and in the access-list you need to just mention your server's private IP, since post-8.3 you need to use private IPs in access-lists applied on the outside interface.
Let me know if you have any questions.
Thanks,
Varun Rao
Security Team,
Cisco TAC
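Pulling Varun's pieces together, here is the complete 8.3-style configuration for exposing one TCP port on the outside interface address, plus the commands to verify it. This is an added example, not configuration posted in the thread: it reuses the thread's outside address 72.169.93.205 and Varun's object and ACL names, while 192.168.1.10 is an assumed address for the iSeries web host and 203.0.113.10 is a documentation address standing in for an Internet client.

```cisco
! Added example, not from the thread. Port-forward TCP/443 on the outside
! interface address (72.169.93.205) to an inside web server. The existing
! static NATs on .201/.203 and the dynamic PAT on .204 stay untouched.
! 192.168.1.10 is an ASSUMED server address; replace with the real host.
object network obj-192.168.1.10
 host 192.168.1.10
!
object service tcp_443
 service tcp destination eq 443
!
! Twice NAT written from the outside interface's point of view: any outside
! host reaching the interface IP on TCP/443 is translated to the server on
! TCP/443. "interface" stands for the outside interface IP; no address is typed.
nat (outside,inside) source static any any destination static interface obj-192.168.1.10 service tcp_443 tcp_443
!
! Post-8.3 the interface ACL is evaluated against the real (untranslated)
! destination, so it names the private server address, and only the one
! port that is being exposed.
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 443
access-group outside_access_in in interface outside
!
! Verification: confirm the rule is installed and hit-counting, then walk a
! constructed inbound packet through NAT and the ACL before telling the
! client to test. 203.0.113.10 is a placeholder Internet client.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 72.169.93.205 443
```

The packet-tracer output should show the twice-NAT rule matched in the NAT phase, the ACL entry matched in the ACCESS-LIST phase, and a final "Action: allow" with the packet leaving on the inside interface toward 192.168.1.10. One caveat when borrowing the interface address: if HTTPS management (ASDM) is enabled on the outside interface, it also listens on TCP/443, so move it to another port with `http server enable <port>` before forwarding 443 to the server.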