New at Firewall NAT/ACL commands on ASA FP 1100 Series

gnoetzel1125
Level 1

Hey there... I hope there is a wealth of experts here. I need your opinion on the configuration below, which I created with the help of several references and Google search results.

Here's the project:

We have an appliance that is ON_PREM (35.35.35.35). This appliance will be connected between the Firewall and CoreSwitch. The CLOUD_WEB (120.120.120.120) will be used to service and manage the ON_PREM device. We have a spare public-facing IP address (12.12.12.12). ON_PREM and CLOUD_WEB will use the AD LDAP protocol to authenticate users who are authenticated to browse the web.

Purpose of the ON_PREM appliance is to filter web contents.  Will the below OBJECT/ACL/NAT rules work?

Create Object:

object network CLOUD_WEB
host 120.120.120.120

object network ON_PREM
host 35.35.35.35

Create Port Forwarding:

nat (inside,outside) source static ON_PREM interface service tcp ldap ldap

Create ACL:

access-list OUTSIDE_IN permit tcp object CLOUD_WEB host 12.12.12.12 eq ldap
access-group OUTSIDE_IN in interface outside

Legend:

CLOUD_WEB = Cloud Management Services Static IP Address

ON_PREM = On Prem Device - gets management & services from CLOUD_WEB

12.12.12.12 = Public Face IP Address

 

I appreciate your opinions.

Accepted Solution

@gnoetzel1125 You've used "interface" in your NAT rule. Is 12.12.12.12 the actual physical IP address of the outside interface? If not, that rule won't work.

Also, you need to use the real (untranslated) IP address in the firewall rule, not the NAT IP address.


Rob - thank you for the clarification. It is a 'routed' IP address; we have a bank of public IP addresses that can be used for separating types of internet traffic. I removed the interface keyword from the configuration. Below are the changes:

Create OBJECT:

object network CLOUD_WEB
host 120.120.120.120

object network ON_PREM
host 10.10.10.10

Create NAT:

nat (inside,outside) source static ON_PREM 12.12.12.12 service tcp ldap ldap

Create ACL:

access-list OUTSIDE_IN permit tcp object CLOUD_WEB host 12.12.12.12 eq ldap
access-group OUTSIDE_IN in interface outside

@gnoetzel1125 Use an object for the public IP in the NAT rule. Alternatively, you could use an object for the static PAT, for example:

object network SVR
 host 10.10.10.10
 nat (inside,outside) static 12.12.12.12 service tcp ldap ldap

You need to use the real IP - 10.10.10.10 in the ACE, not the NAT IP.

access-list OUTSIDE_IN permit tcp object CLOUD_WEB host 10.10.10.10 eq ldap

If there is still a problem after you have made the changes, run packet-tracer to simulate the traffic flow and provide the output for review.
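The following is an editor's worked example that pulls Rob's two points together into one complete ASA configuration; it is not something posted in the thread. The object names ON_PREM_PUBLIC and LDAP_389 are assumptions, and the addresses are the placeholder values from the posts. It shows the object NAT form, the equivalent twice NAT form (which accepts only objects for the mapped address and service objects for the ports, so the literal 12.12.12.12 and "service tcp ldap ldap" from the second post are not valid there), the ACE written against the real address, and the packet-tracer check Rob asks for.

```cisco
! Objects for the real (inside) host, its public address, and the cloud peer
object network ON_PREM
 host 10.10.10.10
object network ON_PREM_PUBLIC
 host 12.12.12.12
object network CLOUD_WEB
 host 120.120.120.120

! Option A: object NAT. Static PAT for TCP/389 (ldap) only; nothing else on 12.12.12.12 is forwarded.
object network ON_PREM
 nat (inside,outside) static ON_PREM_PUBLIC service tcp 389 389

! Option B: the same translation as twice NAT (configure A or B, not both).
! Twice NAT needs an object for the mapped address and service objects for the ports;
! the real source port is translated, so the service object matches on "source".
object service LDAP_389
 service tcp source eq 389
nat (inside,outside) source static ON_PREM ON_PREM_PUBLIC service LDAP_389 LDAP_389

! Outside-in ACL: ASA 8.3 and later evaluate the ACL against the real (untranslated) address,
! so the ACE names ON_PREM (10.10.10.10), not the public 12.12.12.12.
access-list OUTSIDE_IN permit tcp object CLOUD_WEB object ON_PREM eq 389
access-group OUTSIDE_IN in interface outside

! Verification: simulate the inbound flow from the cloud peer; the NAT (UN-NAT) and
! ACCESS-LIST phases should both show ALLOW, and the final result should be ALLOW.
packet-tracer input outside tcp 120.120.120.120 40000 12.12.12.12 389 detailed
show nat detail
show xlate
```

Two things worth checking once this is in place. First, the ACE restricts the inbound source to CLOUD_WEB only, so verify with packet-tracer from a different source address that the flow is dropped at the ACCESS-LIST phase. Second, TCP/389 carries LDAP binds in cleartext unless StartTLS is negotiated, so if the cloud service supports LDAPS, forwarding TCP/636 instead (same pattern, different port) avoids exposing directory credentials to the internet path.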

gnoetzel1125
Level 1

Rob - thank you for your recommendation on the PAT, however, I am going to use the traditional rules so that the next person after me will be able to figure out the rules.
