Static NAT & Access-list

tckoon
Level 1

Hi,

ASA/PIX with 2 interfaces, Outside and Inside. The web server's real IP is 10.1.1.88 and the outside static NAT IP is 202.187.1.88.

So to allow users to access this web server from the Internet, the access-list applied to the Outside interface will be as below.

access-list acl_out permit tcp any host 202.187.1.88 eq www

How about this access-list? Will users be able to access the web server?

access-list acl_out permit tcp any host 10.1.1.88 eq www

My question relates to using object-groups to configure access-lists when the inside IP is statically NATed to multiple interfaces. If only the first access-list works, then when we create access-lists we need to give the same server multiple names, one for the NATed IP on each interface.

This makes the configuration very complex.

Thanks

5 Replies

arunsing
Level 1

Hi,

Only the first access-list will work, as the packet that hits the outside interface has the public IP as its destination.

I could not understand your second question. Could you please be a bit more elaborate?

Hi,

What I mean is, let's name 10.1.1.88 = web-server in an object-group. When we create the access-list it looks like this:

access-list acl_out permit tcp any object-group web-server eq www

Does it work?

Or do we still need to put in more effort to name 202.187.1.88 = web-server-public and then

access-list acl_out permit tcp any object-group web-server-public eq www

You will need to configure 2 names; otherwise how would the PIX determine which IP to use with the ACL?

In Checkpoint we just need to define one.

If I have NATed the same server to 6 interfaces then I need to create 6+1 hostnames for the same server, which is ridiculous.

Cisco needs to improve the object-group.

Thanks.

Just wondering if you could provide a little more detail on how Checkpoint handles one name with multiple IPs. It sounds like a marvelous feature.
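The two behaviours this thread turns on, side by side, as an added configuration example that is not from any post above. The real address 10.1.1.88, the public address 202.187.1.88 and the ACL name acl_out come from the original question; the dmz interface, its mapped address 172.16.1.88, the name acl_dmz and the Internet source 198.51.100.10 used in the check are assumed for illustration. On PIX and on ASA releases before 8.3, an interface ACL matches the address as the packet carries it on that interface, so the inbound rule on outside must name the mapped (public) address and every interface needs its own object-group, which is the "6+1 names" complaint. From ASA 8.3 onward, NAT is applied before the ACL lookup and ACLs always match the real (untranslated) address, so a single network object serves both the NAT rule and every interface's ACL, which is what the thread is asking for.

```cisco
! --- PIX 6.x / ASA 7.x-8.2: interface ACLs match the TRANSLATED address ---
! Inbound on "outside" the destination is still the mapped IP when the ACL
! is evaluated, so the ACL must name the public address, not 10.1.1.88.
static (inside,outside) 202.187.1.88 10.1.1.88 netmask 255.255.255.255
static (inside,dmz)     172.16.1.88  10.1.1.88 netmask 255.255.255.255
!
! One object-group per mapped address: this is the "N+1 names" the thread complains about.
object-group network web-server-outside
 network-object host 202.187.1.88
object-group network web-server-dmz
 network-object host 172.16.1.88
!
access-list acl_out permit tcp any object-group web-server-outside eq www
access-list acl_dmz permit tcp any object-group web-server-dmz eq www
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
!
! The second form from the original post never matches on these releases,
! because no packet arriving on "outside" carries 10.1.1.88 as its destination:
!   access-list acl_out permit tcp any host 10.1.1.88 eq www

! --- ASA 8.3 and later: interface ACLs match the REAL (untranslated) address ---
! NAT lives on the network object and is applied before the ACL lookup, so
! every interface's ACL references the one object that holds the real IP.
object network web-server
 host 10.1.1.88
 nat (inside,outside) static 202.187.1.88
!
! A network object carries at most one object-NAT rule, so the second
! interface gets a manual (twice) NAT rule with its own mapped-address object.
! The mapped object appears only here, never in an ACL.
object network web-server-dmz-mapped
 host 172.16.1.88
nat (inside,dmz) source static web-server web-server-dmz-mapped
!
! Same object in every ACL; "object" (not "object-group") references a network object.
access-list acl_out extended permit tcp any object web-server eq www
access-list acl_dmz extended permit tcp any object web-server eq www
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
!
! Checks (ASA 7.0 and later): trace a synthetic SYN from a constructed Internet
! source to the public IP. packet-tracer reports the NAT rule it hit and which
! ACL line permitted or dropped the packet, so a wrong-address ACL shows up as
! a DROP in the ACCESS-LIST phase rather than as a silent timeout.
packet-tracer input outside tcp 198.51.100.10 40000 202.187.1.88 80
show xlate | include 10.1.1.88
```

When migrating a pre-8.3 configuration, the ACL destination addresses have to be rewritten from mapped to real at the same time as the static statements are converted; the 8.3 upgrade does this automatically, but any ACL line added afterwards by hand must use the real address or it will never match.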