Static nat PAT ASA

Dear all,

I want to do a static NAT PAT to reach a server from outside. I need help with port translation.

 

I have the internal IP address: 192.168.1.120

external ip address: 85.39.109.155

 

If I want to reach port 80 of the server .120, but this port is already used on my public address 85.39.109.155, can I adopt this solution on ASA post 8.3?

 

object network obj-192.168.1.120_80
host 192.168.1.120
nat (inside,outside) static 85.39.109.155 service tcp 8090 80

 

access-list outside_access_in  extended permit tcp external_network  host 192.168.1.120 eq 80

 

 

 

Thank you,

 

Daniele

 

 

Accepted Solutions

Seb Rupik
VIP Alumni

Hi Daniele,

Try the following:

!
object network obj-192.168.1.120_80
  host 192.168.1.120
  nat (inside,outside) static interface service tcp 80 8090
!
access-list outside_access_in extended permit tcp any4 host 192.168.1.120 eq 80
!

cheers,

Seb.

Hi,

I need to specify the public IP address because this is not the interface IP address. About the ports, do I need to specify 80 first and then 8080?

Ah, I see. Regarding the port number positions in the nat statement: they reflect the position of the interface names (inside, outside) / 80 8090

 

cheers,

Seb.

Hi, I did the NAT and ACL but it seems that it doesn't work :(

 

object network obj-192.168.1.120_22_2
host 192.168.1.120
nat (inside,outside) static 85.39.109.155 service tcp 22 2222

 

 

access-list outside_access_in line 23 extended permit tcp 212.210.172.192 255.255.255.192  host 192.168.1.120 eq 22

 

I did an SSH from PuTTY to port 2222 on IP 85.39.109.155 but the session was refused.

 

 

What is the output from:

 

packet-tracer input outside tcp 212.210.172.193 45000 85.39.109.155 2222

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 85.39.109.155 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rul

 

 

It seems that the ACL drops the traffic, but I have now configured a permit any any at line 1 and the result of the packet tracer is the same.
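
Added example (not part of any post in this thread): a small Python parser for `packet-tracer` output that reports which phase dropped the flow, whether an UN-NAT phase appeared, and whether the egress was `NP Identity Ifc`. The sample input is abridged from the trace posted above; the function names and the wording of the findings are this example's own.

```python
import re

# Sample input: abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
in 85.39.109.155 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
output-interface: NP Identity Ifc
Action: drop
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        pairs = (l.split(":", 1) for l in lines if ":" in l)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if "Phase" in fields:
            fields["raw"] = lines          # keep free-text lines such as "Implicit Rule"
            phases.append(fields)
        elif lines and lines[0].startswith("Result"):
            summary = fields               # trailing "Result:" block
    return phases, summary

def diagnose(text):
    """Return findings: dropping phase, missing UN-NAT, to-the-box egress."""
    phases, summary = parse_trace(text)
    findings = []
    for p in phases:
        if p.get("Result") == "DROP":
            implicit = "Implicit Rule" in p["raw"]
            findings.append(f"drop in phase {p['Phase']} ({p.get('Type')}, implicit={implicit})")
    # A matched static NAT rule shows up as an UN-NAT phase on inbound traces.
    if not any(p.get("Type") == "UN-NAT" for p in phases):
        findings.append("no UN-NAT phase: destination was not untranslated")
    # NP Identity Ifc is the ASA itself, i.e. the packet is treated as to-the-box.
    if summary.get("output-interface", "").startswith("NP Identity"):
        findings.append("egress is NP Identity Ifc: packet handled as to-the-box traffic")
    return findings
```

On the sample, `diagnose(SAMPLE)` returns three findings: the implicit-rule drop in phase 3, the missing UN-NAT phase, and the to-the-box egress.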
