Statically PAT multiple internal hosts to one external host

Sami Abunasser
Level 1

Hi,

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.

As an example, here's the most recent one I've ran into:

Internal IP   Port        External NAT
a             5000        x
b             3000-3300   x
c             7001        x
d             ANY         x

Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue is that these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet), so I can't use dynamic PAT with this.

The ASA I'm currently working on is an ASA 5510, running OS 8.0(4).

Thank you,

Sami

3 Replies

If you want to allow inbound traffic to different internal servers on different ports but have only one public IP, you can do port-forwarding, for example:

public ip:

2.2.2.2

private ip and port:

192.168.1.2 port 80

192.168.1.3 port 25

192.168.1.4 port 443

If you still want to NAT everything else, you can use the last line:

static (inside,outside) tcp 2.2.2.2 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 https 192.168.1.4 https netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.1.4 netmask 255.255.255.255

Remember the access-lists allowing the traffic inbound.

Paul,

Thank you for the response. That is kind of what I'm trying to do, but I think I did a poor job explaining what I was doing, and should have tried to include the configurations.

Here are the configurations that I want to use (but they don't work since they are not supported):

Assuming internal network is 10.10.10.x, and external nat is 1.1.1.x

access-list snat_5 permit tcp host 10.10.10.86 eq 8005 any
access-list snat_5 permit tcp host 10.10.10.86 eq 8416 any
access-list snat_5 permit tcp host 10.10.10.86 object-group ADPRO-SERV-GRP1 any
access-list snat_5 permit udp host 10.10.10.86 object-group ADPRO-SERV-GRP1 any
static (ServerLAN,outside) 1.1.1.50 access-list snat_5

access-list snat_6 permit tcp host 10.10.10.89 eq 5500 any
access-list snat_6 permit tcp host 10.10.10.89 range 3000 3333 any
static (ServerLAN,outside) 1.1.1.50 access-list snat_6

static (ServerLAN,outside) tcp 1.1.1.50 7001 10.10.10.87 7001 netmask 255.255.255.255
static (ServerLAN,outside) tcp 1.1.1.50 7005 10.10.10.88 7005 netmask 255.255.255.255
static (ServerLAN,outside) 1.1.1.50 10.10.10.81 netmask 255.255.255.255

The ASA is erroring out stating that the NAT is already in use for another host. When I use the static NAT with the ports (as you mentioned, and as I have at the end of the configurations) that works, but I can't use it with ACLs. The reason I want to use the ACLs is that there are a lot of ports that are allowed. I'm not sure why the previous administrator used the NATs in this way, since these servers are not related to each other and are not part of the same system, but it would be a huge pain to change the NATs.
Thanks,
Sami
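Added example (not from either poster or from Cisco): a small Python checker that reads ASA 8.x "static" lines and reports global-address claims that collide. It models the behaviour described in this thread, namely that port statics for different inside hosts can share one global IP alongside a single full static (Paul's example), while several full or access-list statics on the same global IP for different hosts are rejected as already in use (Sami's config). The sample configs are constructed from the two posts; the parse rules are an assumption written for these line shapes, not Cisco's parser.

```python
from collections import defaultdict

# Constructed samples: the two configs quoted in this thread.
PORT_FORWARD_OK = """
static (inside,outside) tcp 2.2.2.2 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 https 192.168.1.4 https netmask 255.255.255.255
static (inside,outside) 2.2.2.2 192.168.1.4 netmask 255.255.255.255
""".strip().splitlines()

POLICY_NAT_REJECTED = """
static (ServerLAN,outside) 1.1.1.50 access-list snat_5
static (ServerLAN,outside) 1.1.1.50 access-list snat_6
static (ServerLAN,outside) tcp 1.1.1.50 7001 10.10.10.87 7001 netmask 255.255.255.255
static (ServerLAN,outside) tcp 1.1.1.50 7005 10.10.10.88 7005 netmask 255.255.255.255
static (ServerLAN,outside) 1.1.1.50 10.10.10.81 netmask 255.255.255.255
""".strip().splitlines()


def parse_static(line):
    """Return (global_ip, claimant, proto, global_port) for a 'static' line, else None.

    claimant is the inside host, or the ACL name for a policy (access-list) static;
    proto/global_port are None when the line claims the whole global address.
    """
    t = line.split()
    if len(t) < 4 or t[0] != "static":
        return None
    i, proto = 2, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    gip, i = t[i], i + 1
    if proto is not None:               # port static: <gport> <local ip> <lport>
        return (gip, t[i + 1], proto, t[i])
    if t[i] == "access-list":           # policy static: the ACL names the inside host
        return (gip, t[i + 1], None, None)
    return (gip, t[i], None, None)      # full one-to-one static


def find_conflicts(config_lines):
    """List global-address claims made by more than one inside host (assumed ASA model)."""
    claims = defaultdict(set)   # (global ip, proto, port) -> claimants; (ip, None, None) = whole address
    for gip, who, proto, gport in filter(None, map(parse_static, config_lines)):
        claims[(gip, proto, gport)].add(who)
    return [f"{gip} {proto or 'any'}/{port or '*'}: claimed by {sorted(who)}"
            for (gip, proto, port), who in claims.items() if len(who) > 1]


if __name__ == "__main__":
    print("port-forwarding config:", find_conflicts(PORT_FORWARD_OK) or "no conflicts")
    print("policy-NAT config:", find_conflicts(POLICY_NAT_REJECTED))
```

The second config reports one conflict on 1.1.1.50 shared by snat_5, snat_6 and 10.10.10.81, which is the "already in use" error the ASA gave; the port statics on 7001 and 7005 pass.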

You are right, that kind of configuration is not supported. I guess you will need to be more flexible with the ports and then try a similar type of policy NAT for inbound traffic. You will need to test in a lab environment just to make sure things work as desired.
