09-12-2013 03:01 AM - edited 03-11-2019 07:37 PM
Hi
I am okay with doing NAT and even PAT with one different port on the outside interface to translate to a separate port on the inside host.
Yet is it possible to do PAT on one Public IP address to multiple local IP addresses all using different ports?
We need an external provider to connect to our individual servers on multiple sites through our ASA. Yet I don't want to lose 10-15 Public IP addresses just for this service.
Any advice or guidance would be greatly appreciated.
Kind regards,
Mark
09-12-2013 03:17 AM
Hi,
I guess you mean configuring Static PAT (Port Forward) for multiple Internal servers to enable inbound connectivity from the external network?
In this case I don't see any problem with achieving this.
Naturally the configuration format depends on your ASA's software level. Software level 8.2 (and below) has a completely different configuration format compared to 8.3 (and above).
Let's take an example with the following information:
NAT configuration format for 8.2 and below software:
static (inside,outside) tcp 1.1.1.1 33891 10.10.10.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 33892 10.10.10.11 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 33893 10.10.10.12 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 33894 10.10.10.13 3389 netmask 255.255.255.255
NAT configuration format for 8.3 and above software:
object network SERVER-1
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.1 service tcp 3389 33891
object network SERVER-2
 host 10.10.10.11
 nat (inside,outside) static 1.1.1.1 service tcp 3389 33892
object network SERVER-3
 host 10.10.10.12
 nat (inside,outside) static 1.1.1.1 service tcp 3389 33893
object network SERVER-4
 host 10.10.10.13
 nat (inside,outside) static 1.1.1.1 service tcp 3389 33894
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
09-12-2013 03:40 AM
Also,
Naturally, if you were to configure a L2L VPN between your site and the remote site then you wouldn't have to spend any public IP addresses for this purpose, and furthermore you would encrypt the traffic between your 2 sites.
And in the L2L VPN setup you could also limit which hosts the remote site could connect to. This could be done with a VPN connection specific Filter ACL or by changing a global setting on the ASA which would permit using an interface ACL for this purpose, just like limiting traffic coming from the Internet.
- Jouni
09-12-2013 04:41 AM
Thanks Jouni for taking the time to explain that, I am pleased it can be done. We are 8.3 and I have just tried:
object network SERVER-1
 host 10.23.1.1
 nat (inside,outside) static 198.23.44.5 service tcp 80 8080
Yet I get "ERROR: % Invalid input detected at '^' marker" with the marker pointing to the public IP address.
The example public IP has not been configured previously and is from our range of public IPs not assigned to anything.
Am I missing something else?
Thanks again,
Mark
09-12-2013 04:49 AM
Hi,
There should be no problem with the format unless I am still missing something.
Do make sure that the "host" and "nat" commands are entered while you are under the configuration mode for the "object network SERVER-1".
The "host" and "nat" commands should be located inside the "object"
Also naturally make sure you use the interface names that are configured on your firewall. The "inside" and "outside" I used in the example are just the default ones people use in simple setups.
- Jouni
09-12-2013 06:23 AM
Thanks Jouni, something as simple as not using the right interface names. My fault entirely.
I think I know this is not possible now, but I was hoping to do more than one PAT translation as the external service needs to connect to multiple ports inside, i.e.:
object network SERVER-1
 host 10.23.1.1
 nat (Private,Public) static 198.23.4.5 service tcp 143 1443
 nat (Private,Public) static 198.23.4.5 service tcp 443 1143
 nat (Private,Public) static 198.23.4.5 service tcp 993 1993
 nat (Private,Public) static 198.23.4.5 service tcp 389 1389
 nat (Private,Public) static 198.23.4.5 service tcp 636 1636
Yet every NAT line I enter overrides the previous entry with the current one. Is this possible?
Thanks yet again,
Mark
09-12-2013 06:29 AM
Hi,
I am sure you are not going to like the following BUT....
For each translation you will have to create its own "object network" which contains the real "host" IP address and the "nat" configuration.
So I assume what you tried above was to forward several ports for a single host. Instead you will have to make 5 different "object network" + "host" + "nat" configurations for each of those Static PAT configurations.
I know it's going to be messy, but at the moment there is no other cleaner way to configure this. There is no way we can group these ports together in a single "nat" command.
The only option would be to forward a continuous range of ports. But I am not sure if that is an option in this case.
So I guess if you need to forward 5 ports per server and for example had 5 servers that needed those same ports forwarded then you would need 25 NAT configurations.
- Jouni
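As an added example (not from the thread, and not Cisco code), a small generator that produces the one-object-per-translation configuration Jouni describes in his two answers above, in both the pre-8.3 "static" format and the 8.3+ "object network" format, and refuses to emit a plan in which two translations claim the same outside port on the public IP. The ports, interface names and public IP are Mark's; the five servers 10.23.1.1-5 and the base/step outside-port allocation are constructed assumptions.

```python
# Added example (not from the thread): emit the per-translation ASA static PAT
# configuration from Jouni's answers in both formats, with an outside-port collision check.
from collections import Counter, namedtuple

Translation = namedtuple("Translation", "name real_ip real_port mapped_port")  # one PAT entry

def plan_static_pat(servers, inside_ports, base=10000, step=100):
    """Server i, inside port j gets outside port base + i*step + j (assumed scheme;
    step must be >= len(inside_ports)). servers: [(object-name prefix, real IP)]."""
    return [Translation(f"{name}-TCP{port}", real_ip, port, base + i * step + j)
            for i, (name, real_ip) in enumerate(servers)
            for j, port in enumerate(inside_ports)]

def mapped_port_conflicts(plan):
    """Outside ports claimed by more than one translation; must be empty."""
    return sorted(p for p, n in Counter(t.mapped_port for t in plan).items() if n > 1)

def render_83(plan, public_ip, ifaces):
    """8.3+ format: one 'object network' per translation, 'host' and 'nat' inside it."""
    lines = []
    for t in plan:
        lines += [f"object network {t.name}", f" host {t.real_ip}",
                  f" nat ({ifaces[0]},{ifaces[1]}) static {public_ip} "
                  f"service tcp {t.real_port} {t.mapped_port}"]
    return "\n".join(lines)

def render_82(plan, public_ip, ifaces):
    """8.2 and below: one 'static' command per translation."""
    return "\n".join(f"static ({ifaces[0]},{ifaces[1]}) tcp {public_ip} {t.mapped_port} "
                     f"{t.real_ip} {t.real_port} netmask 255.255.255.255" for t in plan)

def build_config(servers, inside_ports, public_ip, ifaces=("inside", "outside"),
                 new_format=True, **plan_kw):
    """Plan, refuse any reused outside port, then render for the ASA software level."""
    plan = plan_static_pat(servers, inside_ports, **plan_kw)
    conflicts = mapped_port_conflicts(plan)
    if conflicts:
        raise ValueError(f"outside ports reused on {public_ip}: {conflicts}")
    return (render_83 if new_format else render_82)(plan, public_ip, ifaces)

# Constructed sample: Mark's five ports and public IP; five servers in 10.23.1.0/24 (assumed).
PORTS = [143, 443, 993, 389, 636]
SERVERS = [(f"SERVER-{n}", f"10.23.1.{n}") for n in range(1, 6)]
PUBLIC_IP = "198.23.4.5"

if __name__ == "__main__":  # prints 25 object network blocks, 75 lines of config
    print(build_config(SERVERS, PORTS, PUBLIC_IP, ifaces=("Private", "Public")))
```

The collision check matters because every translation shares one public IP, so a reused outside port is exactly the "overrides the previous entry" behaviour Mark saw, only across objects instead of within one.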
09-12-2013 06:36 AM
Hi Jouni
That makes perfect sense, definitely something to keep me busy. Thank you so much again for all your help, you made it really easy to understand.
Kind regards,
Mark