04-30-2015 04:20 AM - edited 03-11-2019 10:52 PM
I have a pre-8.3 NAT question. What would this config look like in ASA 9.1(6)?
name 192.168.100.0 lan description Internt Vlan1
name 172.20.21.0 vpn description Vpnklienter vlan1
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 lan 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn 255.255.255.0
static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) tcp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) tcp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) tcp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) tcp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) tcp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) udp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) udp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) udp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) udp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) udp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) udp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255
04-30-2015 07:08 AM
Read this first link for examples -
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
and also read this link for the explanation of how NAT is now done because it has sections now and it is important where you place your statements. The document covers all this with recommendations -
If you are still unsure then by all means come back for help.
Jon
05-05-2015 05:46 AM
Hi,
You need to create a different object with a different name but the same IP on the ASA for every NAT with a different port.
This is a requirement on the ASA device; otherwise it will overwrite the previous configuration.
Thanks and Regards,
Vibhor Amrodia
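One way to apply the advice above to the four TCP forwards for 192.168.100.7 from the original question, as an added example that is not part of any post in this thread: a small Python converter that emits one uniquely named network object per pre-8.3 static PAT line, so no rule overwrites another. The object naming scheme (`obj-<ip>-<proto>-<port>`) is an assumption chosen for illustration.

```python
import re

# Pre-8.3 form handled here:
# static (real_if,mapped_if) tcp|udp interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
STATIC_PAT = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) "
    r"(\d+\.\d+\.\d+\.\d+) (\S+) netmask 255\.255\.255\.255$"
)

# The four TCP forwards for 192.168.100.7, copied from the original question.
SAMPLE = """\
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255
"""

def convert_static_pat(text):
    """Return post-8.3 object NAT lines, one uniquely named object per rule."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_PAT.match(line)
        if m is None:
            raise ValueError(f"not an interface static PAT line: {line!r}")
        real_if, mapped_if, proto, mapped_port, real_ip, real_port = m.groups()
        # Assumed naming scheme: same host IP, different object name per port.
        name = f"obj-{real_ip}-{proto}-{real_port}"
        if name in seen:
            # A second nat statement in the same object would replace the first.
            raise ValueError(f"duplicate object name {name}")
        seen.add(name)
        out += [
            f"object network {name}",
            f" host {real_ip}",
            # Object NAT takes the real port first, then the mapped port.
            f" nat ({real_if},{mapped_if}) static interface"
            f" service {proto} {real_port} {mapped_port}",
        ]
    return out

if __name__ == "__main__":
    print("\n".join(convert_static_pat(SAMPLE)))
```

After pasting the generated lines into the ASA, `show running-config nat` should list four separate static rules rather than one.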
04-30-2015 07:14 AM
Hi,
This would be the translated configuration:-
object network obj-0.0.0.0.0
subnet 0 0
nat (inside,outside) dynamic interface
___________________________
VPN NONAT
This would be converted as:-
nat (inside,outside) source static <Source LOCAL Subnet> <Source LOCAL Subnet> destination static <Destination REMOTE Subnet> <Destination REMOTE Subnet>
__________________________
Static PAT will be :-
object service obj-TCP
service tcp source range 55530 55535
object network obj-192.168.100.250
host 192.168.100.250
nat (inside,outside) source static obj-192.168.100.250 interface service obj-TCP obj-TCP
object service obj-UDP
service udp source range 55530 55535
object network obj-192.168.100.250
host 192.168.100.250
nat (inside,outside) source static obj-192.168.100.250 interface service obj-UDP obj-UDP
_______________________
object network obj-192.168.100.7
host 192.168.100.7
nat (inside,outside) static interface service tcp smtp smtp
Same for other ports as well
____________________________
You can allow the ports in the ACL the same way; only make sure that the destination is the real IP address and not the mapped one.
Thanks and Regards,
Vibhor Amrodia
05-04-2015 08:30 AM
Hello Vibhor,
Thanks for the help.
I still have a question.
I have used the following post 8.3-configuration:
object network obj-192.168.100.7
host 192.168.100.7
nat (inside,outside) static interface service tcp smtp smtp
for
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
But if I continue with:
object network obj-192.168.100.7
host 192.168.100.7
nat (inside,outside) static interface service tcp www www
My previous configuration is overwritten with "http".
How do I convert all four TCP ports to a post-8.3 configuration?
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255