ASA Nat setup from 5510 to 5515

Kelvin C
Level 1

After all these rolling blackouts, we're currently recovering an ASA 5510 onto an ASA 5515. We've lost the 5510 but thankfully have a backup for it. The 5515 is taking everything but the NAT routing, which is important for routing our camera server. I don't know how I can make it work; I just need to route it from the outside to the inside.

These are the commands it's having issues with:

nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255
access-group outside_access_in in interface Outside

I tried looking up the "Help Nat" command, and it's such a mess for me to understand.

Thank You!


Tyson Joachims
Spotlight

If you are just looking to map the server to an available public IP address, you can use the following commands:

object network CAMERA-SERVER
 host 10.120.0.50
nat (Inside,Outside) static 23.23.23.23
!
access-list outside_access_in extended permit ip any host 10.120.0.50
access-group outside_access_in in interface Outside

Keep in mind that this will map every port to the camera server so the camera server will be completely exposed. I usually recommend that people use a VPN to access the camera system instead of exposing it to the Internet like this but this is a risk/benefit analysis you must evaluate and determine if you're comfortable with it.

I would recommend only allowing the ports necessary to use the camera system by scoping the access list to only those ports. Additionally you could only allow access from certain IP addresses (might prove impractical if users are used to accessing the camera system from cell phones).

Kelvin C
Level 1

So if I only needed HTTPS and HTTP, I'd put it as, instead of any host, it'd be 80,443 host?

Tyson Joachims
Spotlight

Correct. Just keep in mind that port 80 is unencrypted so I hope that the login for this camera system does allow you to log in using an unencrypted web page.

access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 443
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 80
access-group outside_access_in in interface Outside

Kelvin C
Level 1

Ok and if I'm reading this right it should be:

object network CAMERA-SERVER
 host 10.120.0.50 <--- this is the INSIDE IP?
nat (Inside,Outside) static 23.23.23.23 <------ OUTSIDE IP?
!
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 443
access-group outside_access_in in interface Outside

Tyson Joachims
Spotlight

That is correct.
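As an added example (not code from this thread or from Cisco), a small Python helper that rewrites a one-to-one pre-8.3 `static` line like the one in the question into the object NAT form given in the accepted answer, scopes the access list to the TCP ports discussed (443 and 80), and flags an access-list line that pairs `permit ip` with `eq <port>`, which the ASA rejects because port qualifiers only apply to tcp or udp. The function names, the object name and the constructed sample line are my own; the addresses are the ones used in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample: the question's pre-8.3 static line with its placeholder
# IPs replaced by the addresses used in the accepted answer.
LEGACY_STATIC = "static (Inside,Outside) 23.23.23.23 10.120.0.50 netmask 255.255.255.255"

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP [netmask MASK]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)

def convert_static(line, object_name, ports=None, acl="outside_access_in"):
    """Translate a host (/32) pre-8.3 'static' into 8.3+ object NAT plus an ACL
    limited to the given TCP ports, or 'permit ip any' when ports is None."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a one-to-one static: {line!r}")
    if m.group("mask") not in (None, "255.255.255.255"):
        raise ValueError("only host (/32) statics are handled here")
    real, mapped = ip_address(m.group("real")), ip_address(m.group("mapped"))
    real_if, mapped_if = m.group("real_if"), m.group("mapped_if")
    out = [
        f"object network {object_name}",
        f" host {real}",
        f" nat ({real_if},{mapped_if}) static {mapped}",
        "!",
    ]
    # From 8.3 on, interface ACLs match the real (inside) address, not the mapped one.
    if ports:
        out += [f"access-list {acl} extended permit tcp any host {real} eq {p}" for p in ports]
    else:
        out.append(f"access-list {acl} extended permit ip any host {real}")
    out.append(f"access-group {acl} in interface {mapped_if}")
    return out

def lint_acl(line):
    """Return a problem description, or None if the line is acceptable:
    an 'eq <port>' qualifier is only valid with protocol tcp or udp."""
    m = re.match(r"^access-list \S+ extended permit (\S+) .* eq (\S+)$", line.strip())
    if m and m.group(1) not in ("tcp", "udp"):
        return f"protocol '{m.group(1)}' cannot carry a port qualifier (eq {m.group(2)})"
    return None

if __name__ == "__main__":
    print("\n".join(convert_static(LEGACY_STATIC, "CAMERA-SERVER", ports=[443, 80])))
    print(lint_acl("access-list outside_access_in extended permit ip any host 10.120.0.50 eq 443"))
```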
