Static NAT Question - Public to Inside ASA 9.1x

raun.williams (Level 3)

Hi All. I'm having a hard time wrapping my head around the post-8.2 NAT statements, please help.


I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity NAT, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in. I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:


Remote Public IP: 77.88.99.11

Local Public IP: 12.12.12.1

Ports required:

object-group service srvgp-stream-remote
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq 8088
 service-object tcp destination eq 1935
 service-object udp destination range 6970 9999
 service-object udp destination range 30000 65000
 service-object udp destination eq 554


I can get this to work:

object network server-external-ip
 host 12.12.12.1
!
object network webserver
 host 192.168.1.100
 nat (dmz,outside) static server-external-ip service tcp 8088 8088

access-list acl-outside extended permit tcp host 77.88.99.11 object webserver eq 8088

But again, I have no idea how I would do such a thing with a list of required ports? I don't see that that's an option in the syntax. Additionally, would this provide an 'identity NAT' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity NAT to do this to the same public IP addresses?

Any help is greatly appreciated.

Accepted Solution

With that many ports, you should use the public IP exclusively for the Webserver:

object network webserver
 host 192.168.1.100
 nat (dmz,outside) static server-external-ip

If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:

nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote
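
As an added example (not part of the original thread), here is the complete configuration for the first option in the accepted answer: dedicate 12.12.12.1 to the DMZ host with object NAT and let the outside ACL, rather than the NAT rule, decide which ports are reachable and from where. Everything uses the object names, addresses and port list from the question; the access-group line is assumed (it may already exist in the running config) and is included so the snippet is complete.

```cisco
! Real (DMZ) host and its dedicated public address, as in the question
object network server-external-ip
 host 12.12.12.1
!
object network webserver
 host 192.168.1.100
 ! Object (auto) NAT with no service keyword: every port is translated and
 ! the static rule is bidirectional, so 192.168.1.100 also leaves the
 ! firewall as 12.12.12.1 without a separate identity NAT rule.
 nat (dmz,outside) static server-external-ip
!
! Ports the relay must accept from the remote peer (from the question)
object-group service srvgp-stream-remote
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq 8088
 service-object tcp destination eq 1935
 service-object udp destination eq 554
 service-object udp destination range 6970 9999
 service-object udp destination range 30000 65000
!
! Post-8.3 ACLs match the real (untranslated) address, so the DMZ host object
! is referenced, not the public IP. One line covers the whole service group
! and limits every listed port to the single remote source address.
access-list acl-outside extended permit object-group srvgp-stream-remote host 77.88.99.11 object webserver
!
! (assumed) bind the ACL inbound on the outside interface if not already done
access-group acl-outside in interface outside
```

To confirm both directions, `packet-tracer input outside tcp 77.88.99.11 40000 12.12.12.1 1935` should end in ALLOW with the NAT phase showing the untranslate to 192.168.1.100, and `packet-tracer input dmz tcp 192.168.1.100 40000 77.88.99.11 1935` shows the same static rule translating the server's outbound traffic (the thread does not give the push destination, so 77.88.99.11 and source port 40000 are assumed here). `show nat detail` then lists the rule with its translate_hits and untranslate_hits counters, which is the quickest way to tell whether inbound traffic is reaching the rule or being dropped by the ACL first.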


Thanks Kirsten. I was actually trying to get the IP exclusively for the server and finally was able to get it working. I had your config in place at one point, but apparently didn't have something else configured correctly at the time. At any rate, it is working. Thank you for replying.
