PAT Question - For Inbound and Outbound

Thiago Cella
Level 1

Hi Friends,

Is it possible to use one address for PAT, so that my inside network can go to the Internet, and to use this same address for inbound access from the Internet, for example on port 3389?

For example, suppose my inside is 192.168.1.0/24 and my outside is 1.1.1.1/30, so my inside uses the IP 1.1.1.1 to access the Internet.

Is it possible to use this IP 1.1.1.1 for connections from the Internet to port 3389, to access my internal server 192.168.1.10?

If it is possible, could you send an example of this on the ASA?

Thanks

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Yes, it's possible, and it's a common configuration on the ASA.

You have not mentioned your ASA's software level, which decides the NAT configuration format. The NAT configuration format changed in the 8.2 -> 8.3 software update.

In 8.2 (or below) the typical Dynamic PAT and Static PAT configuration would be like this:

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

And you would have to allow connections to your IP address 1.1.1.1 on port TCP/3389 in the external interface's ACL.

In 8.3 (or above) the typical Dynamic PAT and Static PAT configuration would be like this:

nat (inside,outside) after-auto source dynamic any interface

object network STATIC-PAT
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389

In the external interface's ACL you would have to allow connections to IP address 192.168.1.10 and to the real port TCP/3389.

Hope this helps :)

- Jouni
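
The ACL step that the answer describes in prose, written out for both NAT formats as an added example (not part of the original reply). The ACL name OUTSIDE-IN and the source range 203.0.113.0/24 are assumptions made for illustration; the addresses and port are the ones used in the thread.

```cisco
! Added example. OUTSIDE-IN (ACL name) and 203.0.113.0/24 (permitted
! source range) are assumed values, not taken from the thread.
! Apply only the block that matches the running software version.
! If an ACL is already bound to the outside interface, add the permit
! line to that ACL instead of binding a new one with access-group.
!
! --- 8.2 or below: the outside ACL matches the translated (public) address ---
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 host 1.1.1.1 eq 3389
access-group OUTSIDE-IN in interface outside
!
! --- 8.3 or above: the outside ACL matches the real (inside) address and port ---
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.1.10 eq 3389
access-group OUTSIDE-IN in interface outside
!
! Checks from privileged EXEC mode (either version):
!   show xlate
!   show access-list OUTSIDE-IN
!   packet-tracer input outside tcp 203.0.113.10 50000 1.1.1.1 3389
! The packet-tracer source 203.0.113.10 and source port 50000 are
! constructed test values inside the permitted range.
```

Using `any` as the source instead of a specific range makes TCP/3389 on 1.1.1.1 reachable from the whole Internet; a narrow source range limits the forwarded RDP port to known management addresses.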
