12-04-2014 06:34 PM - edited 03-11-2019 10:11 PM
Hi All.. I'm having hard time wrapping my head around the post 8.2 nat statements, please help.
I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also need to be able to push the stream to a specific IP address as well. I can do identity nat, and it'll go out and I see it's using IP, but obviously traffic doesn't get in... I can use sample web server nat's I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
Remote Public IP's: 77.88.99.11
Local Public IP: 12.12.12.1
Ports required:
object-group service srvgp-stream-remote
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destionation eq 8088
service-object tcp destination eq 1935
service-object udp destination range 6970 9999
service-object udp destination range 30000 65000
service-object udp destination eq 554
I can get this to work:
object network server-external-ip
host 12.12.12.1
!
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip service tcp 8088 8088
access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax. Additionally, would this provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a seperate identity nat to do this to the same public ip addresses?
Any help is greatly appreciated.
Solved! Go to Solution.
12-04-2014 11:32 PM
With that many ports, you should use the public IP exclusively for the Webserver:
object network webserver host 192.168.1.100 nat (dmz,outside) static server-external-ip
If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote
12-04-2014 11:32 PM
With that many ports, you should use the public IP exclusively for the Webserver:
object network webserver host 192.168.1.100 nat (dmz,outside) static server-external-ip
If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote
12-11-2014 10:17 AM
Thanks Kirsten. I was actually trying to get the ip exclusively for the server and finally was able to get it working. I had your config in place at one point, but apparently didn't have something else configured at the time correctly. At any rate, it is working. Thank you for replying.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide