Static NAT/PAT in Ver 8.3

psaravanan
Level 1

Hi Friend,

I need to translate one host IP into another network's IP to access the host.

For example:

I have host A in the X network and need to access host A from the Z network through an ASA 5510 Ver 8.3 firewall.

I have done the static NAT configuration, but it's not working.

Check the configuration below:

object network X-network-host
host 192.168.10.14

nat (inside,dmz-1) static 192.168.50.30

access-list 101 extended permit tcp host 192.168.10.14 host 192.168.50.30 eq ssh

access-group 101 in interface inside

I need to allow Remote Desktop on the same host, but SSH is also not working in the above scenario.

Please check and revert back.

Thanks in advance.

3 Replies

Maykol Rojas
Cisco Employee

Hi,

Assuming that host A is on the inside (X network), it seems that the configuration is not that bad. It needs some modifications though:

object network X-network-host
host 192.168.10.14

nat (inside,dmz-1) static 192.168.50.30

That statement is saying that you are going to access the host 192.168.10.14 from the DMZ-1 using the IP address 192.168.50.30; in other words, you are translating the IP address .14 into .30.

The only thing that you may need is to put an access list on dmz-1; the ACL would be like this:

access-list 101 permit tcp any host 192.168.10.14

access-list 101 permit ip any any

access-group 101 in interface dmz-1

That way, any host on the DMZ should be able to access the host 192.168.10.14 with the IP 192.168.50.30.

Mike

Hi Maykol Rojas,

Sorry for the delay,

I have tried the above method, but SSH and Remote Desktop are still not accessible.

object network DC-Server
host 192.168.10.14

nat (inside,dmz-1) static 192.168.50.30

access-list 101 permit tcp any host 192.168.10.14

access-list 101 permit tcp any host 192.168.10.14 eq ssh

access-list 101 permit ip any any

access-group 101 in interface dmz-1

192.168.50.30 is a free IP; I am trying to translate 192.168.10.14 to 192.168.50.30.

Please help me.

Hi,

Try this config, where any host in the DMZ-1 network (192.168.50.0) can access the SSH service on the inside host 192.168.10.14,

i.e.

ssh 192.168.10.14 from any 192.168.50.x

object network DC-Server
 host 192.168.10.14

object network DMZ-1-NETWORK
 subnet 192.168.50.0 255.255.255.0

nat (inside,dmz-1) 2 source static DC-Server DC-Server destination static DMZ-1-NETWORK DMZ-1-NETWORK

access-list inside_access_in line 1 extended permit ip host 192.168.10.14 192.168.50.0 255.255.255.0

access-group inside_access_in in interface inside

access-list dmz-1_access_in line 1 extended permit tcp 192.168.50.0 255.255.255.0 host 192.168.10.14 eq ssh

access-group dmz-1_access_in in interface dmz-1

If the problem is still present, try ASDM packet-tracer using:
Source interface: DMZ-1
Packet type: TCP
Source IP address: 192.168.50.20
Source port: 1024
Destination IP address: 192.168.10.14
Destination port: 22
There, you will catch the mistake.
Regards,
Erick
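The point both replies make is the ASA 8.3 order of operations: the destination is un-translated before the ingress interface ACL is evaluated, so the ACL must sit on the interface the packet enters (dmz-1) and must name the real address (192.168.10.14), not the mapped one (192.168.50.30). The following Python model is an added example, not code from any reply in this thread or from Cisco. It parses only the command forms used above (object network with host, object static NAT, extended ACEs, access-group), assumes security levels of 100 for inside and 50 for dmz-1, and runs Erick's packet-tracer inputs (192.168.50.20:1024 to port 22) against two constructed configs: the poster's original and a corrected one that follows the replies. It also flags the 8.3 pitfall of an ACE whose destination is a mapped address, which can never match.

```python
# Added example: toy model of ASA 8.3 NAT/ACL ordering for the configs in this thread. Handles only
# 'object network' + 'host', object static NAT, extended ACEs (any / host / NETWORK MASK, 'eq PORT'), access-group.
import ipaddress
from collections import namedtuple

# Assumed security levels (not stated in the thread): inside is more trusted than dmz-1.
SECURITY_LEVELS = {"inside": 100, "dmz-1": 50}
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}
# Constructed configs: the poster's original (ACL on inside, mapped address) and a corrected one (ACL on dmz-1, real address).
ORIGINAL_CONFIG = """
object network X-network-host
 host 192.168.10.14
 nat (inside,dmz-1) static 192.168.50.30
access-list 101 extended permit tcp host 192.168.10.14 host 192.168.50.30 eq ssh
access-group 101 in interface inside
"""
FIXED_CONFIG = """
object network DC-Server
 host 192.168.10.14
 nat (inside,dmz-1) static 192.168.50.30
access-list dmz-1_access_in line 1 extended permit tcp 192.168.50.0 255.255.255.0 host 192.168.10.14 eq ssh
access-group dmz-1_access_in in interface dmz-1
"""
StaticNat = namedtuple("StaticNat", "name real_ip real_if mapped_if mapped_ip")
Ace = namedtuple("Ace", "action proto src dst dport")


def _take_addr(tokens):
    """Consume one ACE address ('any', 'host A.B.C.D' or 'NETWORK MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return {'nats': [StaticNat], 'acls': {name: [Ace]}, 'bindings': {interface: acl name}}."""
    cfg = {"nats": [], "acls": {}, "bindings": {}}
    obj_name = obj_host = None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[:2] == ["object", "network"]:
            obj_name, obj_host = t[2], None
        elif t[0] == "host" and obj_name:
            obj_host = t[1]
        elif t[0] == "nat" and obj_host and t[2] == "static":  # object NAT: nat (real_if,mapped_if) static MAPPED
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["nats"].append(StaticNat(obj_name, obj_host, real_if, mapped_if, t[3]))
        elif t[0] == "access-list":
            name, body = t[1], t[2:]
            body = body[2:] if body[0] == "line" else body  # 'line N' only positions the ACE
            body = body[1:] if body[0] == "extended" else body
            src, rest = _take_addr(body[2:])
            dst, rest = _take_addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(name, []).append(Ace(body[0], body[1], src, dst, dport))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["bindings"][t[4]] = t[1]
    return cfg


def trace(cfg, ingress, src_ip, dst_ip, proto, dport):
    """packet-tracer style walk (8.3 semantics): un-NAT the destination first, then evaluate the
    ACL bound to the INGRESS interface against REAL addresses. Returns (allowed, [steps])."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress, steps = None, []
    for n in cfg["nats"]:
        if ingress == n.mapped_if and str(dst) == n.mapped_ip:
            steps.append(f"UN-NAT {dst} -> {n.real_ip} (object {n.name}), egress {n.real_if}")
            dst, egress = ipaddress.ip_address(n.real_ip), n.real_if
            break
    acl = cfg["bindings"].get(ingress)
    if acl is None:  # no ACL: lower-to-higher security is denied, higher-to-lower is allowed
        allowed = egress is not None and SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
        steps.append(f"no access-group on {ingress}: default policy -> {'permit' if allowed else 'deny'}")
        return allowed, steps
    for i, ace in enumerate(cfg["acls"].get(acl, []), 1):
        if (ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            steps.append(f"ACL {acl} line {i}: {ace.action}")
            return ace.action == "permit", steps
    steps.append(f"ACL {acl}: implicit deny")
    return False, steps


def mapped_address_aces(cfg):
    """8.3 pitfall: an ACE whose destination host is a NAT *mapped* address never matches. Returns [(acl, line, ip, object)]."""
    mapped = {n.mapped_ip: n.name for n in cfg["nats"]}
    return [(name, i, str(ace.dst.network_address), mapped[str(ace.dst.network_address)])
            for name, aces in cfg["acls"].items() for i, ace in enumerate(aces, 1)
            if ace.dst.prefixlen == 32 and str(ace.dst.network_address) in mapped]


if __name__ == "__main__":  # Erick's packet-tracer inputs, aimed at the mapped address a DMZ host would dial
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        ok, steps = trace(cfg, "dmz-1", "192.168.50.20", "192.168.50.30", "tcp", 22)
        print(f"[{label}] {'ALLOW' if ok else 'DROP'}: " + "; ".join(steps))
        for acl, line, ip, obj in mapped_address_aces(cfg):
            print(f"[{label}] ACL {acl} line {line} names mapped {ip} (object {obj}): use the real address")
```

Running it shows the original config dropping the SSH flow for two independent reasons (no access-group on dmz-1, and ACL 101's destination is the mapped .30 that the ACL will never see after un-NAT), while the corrected config permits port 22. Tracing port 3389 against the corrected config still hits the implicit deny, which is why Remote Desktop needs its own ACE on the dmz-1 ACL as well.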
