Hi, long time reader, first time caller. I've been using gui based firewalls, fortinets etc... and I wanted to move to the cisco arena, and having a bugger of a time figuring out simple nat/pat rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem and can't see what I'm missing. Sorry for the long post, but I've tried to be as explicit as possible.
I have an ASA 5505 unlimited security plus license running 8.2(3) and a simple network, 192.168.0.x internal, 192.168.3.x dmz (not even touching that yet!) and outside I have a /29 subnet of addresses, 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic nat set up on the .26 address to nat to 192.168.0.x. All I'm trying to do is port forward a simple tcp port I set for my linux server (192.168.0.2) on the inside, for arguement's sake, it's 2222 (it's not really). My outside vlan 50 is X.X.X.226 255.255.255.248 , can I make a static nat (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255 ?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this nat is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my ssh port). then I apply that access list to the access group interface "outside".
I thought the outside interface would do a proxy arp (since I do not have the sysopt noproxyarp command) for my 227,228,229, and 230 addresses where .226 is my internal nat for all my internal machines i.e. 192.168.0.1 -> x.x.x.226 . I had this working like a charm before with my fortinet, so I know I have systems listening. I hopefully posted everything that was pertinent, If I can understand this problem, I should be able to do the DMZ on my own, but I know I'm missing something, and I've read almost every cisco article I could, but they never put my exact situation together at one time.
Thanks for the help, Bill
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 50
!
interface Vlan1
shutdown
nameif default
security-level 100
no ip address
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan30
nameif DMZ
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Vlan50
nameif outside
security-level 0
ip address X.X.X.226 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 X.X.X.225 1
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside-dmz
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.230 192.168.0.2 netmask 255.255.255.255
access-list ssh-port extended permit tcp any host 192.168.0.2 eq 2222
access-group ssh-port in interface outside
