Question on Static NAT (one-to-one)

JonRM1970
Level 1

All, I am in a bind. I have an old 5510 that has version 8.0(3) software on it and I'm updating to a new 5515-X. With the amount of work it is doing I am trying to just script the entries in and do it by hand rather than try to migrate it and risk problems. Besides, I would like to learn in CLI what I am doing rather than push a button and watch it.

What I have are several outside addresses for HTTP and HTTPS that are NAT'd to inside addresses. If I script the following, would it work? I am changing the IPs and the list names, but the idea is the same.

 - 10.10.0.0 is outside network

 - 20.20.0.0 is inside network

 

1.) object-group services WebServices tcp

      Description HTTP and HTTPS

      port-object eq www

      port-object eq https

 

2.) access-list OUTSIDE-IPs extended permit tcp host 20.20.1.1 255.255.255.255 host 10.10.1.1 255.255.255.255 eq object-group WebServices

     access-list OUTSIDE-IPs extended permit tcp host 20.20.1.2 255.255.255.255 host 10.10.1.2 255.255.255.255 eq object-group WebServices

     access-group OUTSIDE-IPs in interface outside

 

3.) object network INSIDE-IPs

      host 20.20.1.1

      host 20.20.1.2

4.) nat (inside,outside) static 20.20.1.1

     nat (inside,outside) static 20.20.1.1

 

Will this work? I am thinking that I do not need step 3, but I'm not sure, since I put the host in directly with step 2.

 

I do have about 100 IPs that I will be doing this with, so the number above is just a cut version to get the idea across. If not, can anyone suggest a way to do this?

 

All help is duly appreciated.

-Jon

 

 

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

You don't have to use the NATed IP in the ACL on the interface.

Take this assumption:-

 - 10.10.0.0 is inside network

 - 20.20.0.0 is outside network

access-list OUTSIDE-IPs extended permit tcp any host 10.10.1.1 eq object-group WebServices

access-list OUTSIDE-IPs extended permit tcp any host 10.10.1.2 eq object-group WebServices

If you want only a specific outside IP to access this server, use that IP in the source instead of "any".

With the host keyword, you don't have to specify the mask.

NAT statement would be like this:-

object network server-1
 host 10.10.0.1
 nat (inside,outside) static 20.20.1.1

object network server-2
 host 10.10.0.2
 nat (inside,outside) static 20.20.1.2

Every NAT will be in a separate object, with only a single IP defined as host; otherwise it will overwrite.

Thanks and Regards,

Vibhor Amrodia

2 Replies


Vibhor,

  Thank you for the answer and the example, but I am confused on one thing.

    - How does the NAT statement tie in the outside address to the inside address? They both look to me as if they are separate statements and not tied in together or addressing each other.

 

I do not want a specific IP address to come in from the outside to the inside server. But I want to translate a public address to an inside address.

  E.g.: if I point my web browser to HTTPS://20.20.1.1, I want the ASA to translate 20.20.1.1 to go to the 10.10.1.1 web server on the inside of the ASA, and so on down the list....

 Am I asking the same question over again, or just not understanding the statement as it is written above?

 

Thank you for the help

 

-Jon
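The accepted answer's pattern (one network object per server, `host` = real inside address, `nat ... static` = mapped outside address) and the follow-up question about how the two addresses are tied together are both covered by the generator below. It is an added example, not code from the thread or from Cisco: it renders the ASA CLI lines for an inventory of servers, refuses inventories that would silently overwrite (a second `host` line in one object replaces the first, and two objects cannot claim the same mapped address), and models the inbound translation so the binding is visible. The object names, addresses, `WebServices`/`OUTSIDE-IPs` names and all helper functions are constructed assumptions; the ACL is written for 8.3-and-later semantics, where the interface ACL matches the real (untranslated) address, which is what the 5515-X will run.

```python
"""Constructed generator for ASA (8.3+) one-to-one static object NAT.

Not the ASA's or Cisco's tooling; an added example for the pattern in the
thread.  Names, addresses and helper functions are assumptions.
"""
from ipaddress import ip_address

# Constructed sample inventory: object name -> (real inside host, mapped outside host).
SERVERS = {
    "web-1": ("10.10.1.1", "20.20.1.1"),
    "web-2": ("10.10.1.2", "20.20.1.2"),
}
SERVICE_GROUP = "WebServices"   # hypothetical service group name, as in the thread
ACL_NAME = "OUTSIDE-IPs"        # hypothetical ACL name, as in the thread


def validate_mapping(servers):
    """Fail fast on what would silently break a scripted load of ~100 entries.

    A network object holds exactly one `host`; a second `host` line replaces
    the first, so every real address needs its own object.  Two objects that
    map to the same outside address would also collide, so mapped addresses
    must be unique as well.  Returns True when the inventory is clean.
    """
    seen_real, seen_mapped = {}, {}
    for name, (real, mapped) in servers.items():
        ip_address(real)      # raises ValueError on a malformed address
        ip_address(mapped)
        if real in seen_real:
            raise ValueError(f"real {real} in both {seen_real[real]} and {name}")
        if mapped in seen_mapped:
            raise ValueError(f"mapped {mapped} in both {seen_mapped[mapped]} and {name}")
        seen_real[real] = name
        seen_mapped[mapped] = name
    return True


def render_config(servers, acl_name=ACL_NAME, service_group=SERVICE_GROUP):
    """Return the ASA CLI lines, one network object per server, as a list."""
    validate_mapping(servers)
    lines = [
        f"object-group service {service_group} tcp",
        " description HTTP and HTTPS",
        " port-object eq www",
        " port-object eq https",
    ]
    for name, (real, mapped) in servers.items():
        # The tie between outside and inside address is the object itself:
        # `host` is the real (inside) address and `nat ... static` is the
        # mapped (outside) address the ASA rewrites to it.
        lines += [
            f"object network {name}",
            f" host {real}",
            f" nat (inside,outside) static {mapped}",
        ]
    for _name, (real, _mapped) in servers.items():
        # Since 8.3 the interface ACL is matched against the real address,
        # so the permit names the inside host, not the public one.
        lines.append(
            f"access-list {acl_name} extended permit tcp any host {real} "
            f"object-group {service_group}"
        )
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


def translate_outside_to_inside(servers, outside_ip):
    """Model the inbound static NAT: a packet sent to a mapped address is
    delivered to that object's real host; None if nothing maps the address."""
    for _name, (real, mapped) in servers.items():
        if mapped == outside_ip:
            return real
    return None


if __name__ == "__main__":
    print("\n".join(render_config(SERVERS)))
```

Run it as a script and paste the printed lines into the new unit's configuration, or extend `SERVERS` from a CSV of the hundred servers; `validate_mapping` is the check worth keeping, because on the box a duplicated `host` line does not error out, it just quietly replaces the previous one.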
