PAT rule help

3moloz123
Level 1

Hi,

ASA 5510 sec+, os 8.2.

Got an ASA in front of a fairly large network. The ASA itself only has one IP, and on VLAN interfaces the network is divided into some /24, some /28 and a great deal of /30 networks.

One of the vlan interfaces has network 10.10.10.0/24, and on 10.10.10.22 runs a web server to which I need to PAT.

What external IP I use is not important, as long as it's not the primary IP of the ASA (due to ASDM/AnyConnect).

The examples of PAT I find kind of assume you have only one outside address and that it is that address you want to port forward on, and that does not suit me.

My outside is 'wan' and the 10.10.10.0/24 is on 'vlan580'. The web server is 10.10.10.22.

Take this example I found:

access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside

How would I transform this to say, for example:

On a connection to public IP 1.2.3.4 (which resides in vlan123), port forward to vlan580 10.10.10.23, ports 80 and 443

Help much appreciated

4 Replies

3moloz123
Level 1

Tried setting up a VLAN interface with a network range that was not in use, and then tried to create port-forward rules for that:

interface Ethernet0/0
 nameif wan
 security-level 0
 ip address 1.1.0.10 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1.579
 vlan 579
 nameif vlan579
 security-level 99
 ip address 1.1.1.1 255.255.255.128
!
access-list outside-entry extended permit tcp any host 1.1.1.22 eq 80
access-list outside-entry extended permit tcp any host 1.1.1.22 eq 443
!
static (vlan579,wan) tcp 1.1.1.22 80 10.10.10.22 80 netmask 255.255.255.255
static (vlan579,wan) tcp 1.1.1.22 443 10.10.10.22 443 netmask 255.255.255.255

That didn't quite work, but I suspect I must translate the outbound traffic/responses from vlan580 / 10.10.10.0/24 too.

Am I correct? If so, how to?

And if not, what approach should I take?

Hello 3moloz123,

A diagram is required for more clarification; meanwhile you can refer to the link below for your answer.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

- Rate the post if it is found helpful to you, it encourages us for more contribution in this forum.

- Jigar

Is a diagram really necessary?

Mine would look exactly like http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t5,

but with around 100 vlan interfaces on the ASA, each keeping from /24 to /30 networks.

3moloz123 wrote:

That didn't quite work, but I suspect I must translate the outbound traffic/responses from vlan580 / 10.10.10.0/24 too.

Am I correct? If so, how to?

And if not, what approach should I take?

No. Static NAT is bidirectional.

There could be 3 issues:

1) NAT config: the static config should be: static (inside-interface,outside-interface) tcp outside-ip port inside-ip port

2) Routing: does the provider route the IP class that you use? (In your example the NAT is made on 1.1.1.22 and the Internet IP is 1.1.0.10.)

   If I understood well, the NAT is made for Internet usage.

3) Access-list: check if the access-list is applied to the interfaces: show run access-group

   Check if there is any traffic hitting the access-list: show access-list

Dan
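Putting Dan's three points together for the topology the original poster described, the following is an added example and not configuration from any post in this thread. It reuses the poster's addressing (wan 1.1.0.10/30, the web server 10.10.10.22 on vlan580, 1.1.1.22 as the mapped public address) and assumes that the provider already routes 1.1.1.0/25 toward 1.1.0.10 and that no other NAT rule on this ASA already claims 10.10.10.22. The client address 203.0.113.5 in the packet-tracer line is a constructed test value.

```cisco
! Added example (not from the thread). Assumes the poster's addressing and
! that the upstream routes 1.1.1.0/25 to 1.1.0.10, the ASA's wan address.
!
! Dan's point 1: the first interface of the static is the interface the real
! host is behind. 10.10.10.22 lives on vlan580, not vlan579, so the static
! must name vlan580 as the real interface.
static (vlan580,wan) tcp 1.1.1.22 80 10.10.10.22 80 netmask 255.255.255.255
static (vlan580,wan) tcp 1.1.1.22 443 10.10.10.22 443 netmask 255.255.255.255
!
! Dan's point 2: 1.1.1.22 does not have to be configured on any ASA interface.
! It only has to reach the ASA, i.e. the provider must route it to 1.1.0.10.
! The extra vlan579 interface holding 1.1.1.1/25 is not needed for the PAT.
!
! Dan's point 3: on 8.2 the inbound ACL matches the mapped (public) address,
! and it does nothing until it is bound to the interface with access-group.
access-list outside-entry extended permit tcp any host 1.1.1.22 eq 80
access-list outside-entry extended permit tcp any host 1.1.1.22 eq 443
access-group outside-entry in interface wan
!
! Verification, run from enable mode:
! show run access-group              -> outside-entry must appear bound to wan
! show access-list outside-entry     -> hit counts rise as clients connect
! show xlate                         -> the two static PAT entries are listed
! packet-tracer input wan tcp 203.0.113.5 12345 1.1.1.22 80
!   203.0.113.5 is a constructed client address. The trace should end with
!   "Action: allow" and show the NAT phase mapping 1.1.1.22/80 to 10.10.10.22/80;
!   a drop in the NAT or ROUTE-LOOKUP phase points back at points 1 or 2.
```

Static PAT is bidirectional only for the translated ports: replies from 10.10.10.22:80 and :443 leave as 1.1.1.22, while any other outbound traffic from the server still follows whatever nat/global rules exist for vlan580.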
