Why do you need the 1 to 1

lubosbella · ‎06-13-2014

Hello,

i want to ask for this:

On ASA version 8.2.1 is configured static translation like this:

static (Inside,Outside) 5.5.5.100 192.168.1.5 netmask 255.255.255.255

what is a static 1:1 mapping between Outside and Inside IP.

This translation create mapping from outside to local PC. But it translate for example RDP session port 3389 to port 3389 what is not a very good solution (i can use access-lists to restrict access from outside of course, but is a bit limiting)...

So i want to have "exception" only for one port to map it to other port on this public IP and other use with no change.

I can do: static (Inside,Outside) tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255, but can´t it use together with 1:1 static statement.

Maybe i can use:

global (outside) 2 5.5.5.100

nat (Inside) 2 access_list PC

access-list PC extended permit ip host 192.168.1.5 any

and then static (Inside,Outside) tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255

But is this a right way how to deal with this problem?

Thank you very much.

Robert Falconer · ‎06-16-2014

Why do you need the 1 to 1 static for that PC if you just want to do port forwarding? Is there some requirement that desktop has a static IP address on the public internet?

If you must keep the 1 to 1, you can pretty easily change the port that PC listens on for remote desktop. That policy NAT example you have might work also.

ASA 8.2.1 static nat translation