12-16-2013 10:43 AM - edited 03-04-2019 09:52 PM
Hello All,
First of all, thank you for your help.
I just have 1 public IP address for my network. This IP address is set on my outside interface on the ASA. It is the one I use for NAT to allow users from the inside network to access the Internet. I also have a web server running on an inside server.
My question is whether I can use the only public IP address I have, on the outside interface of my ASA, to set a static NAT for the web server's internal (private) IP address and create an ACL to allow access from the Internet to my internal web server.
Thank you.
12-16-2013 10:54 AM
Yes you can. First you build your object for the server
object network 192.168.10.100
host 192.168.10.100
description Web Server
Then build your nat
object network 192.168.10.100
nat (inside,outside) static [your public IP]
Then your ACL
! ASA 8.3+ (object NAT syntax) matches the ACL against the server's real address
access-list outside-in extended permit tcp any host 192.168.10.100 eq 80
Then apply the ACL to the interface in the inbound direction
access-group outside-in in interface outside
12-16-2013 12:03 PM
Hi Collin,
Thank you for your help.
I tried to do the steps you gave me and the ASA gives me this error.
ERROR: Address (public address) overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Any idea?
Thank you.
12-16-2013 12:05 PM
Let's try the interface keyword instead of the actual IP.
object network 192.168.10.100
nat (inside,outside) static interface
12-16-2013 12:18 PM
Hi Collin,
With this:
object network 192.168.10.100
nat (inside,outside) static interface
Result:
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.
Thank you.
12-16-2013 12:23 PM
That's OK. It's just telling us that we are NAT'ing all ports. We can NAT just a single port with a command like this-
object network 192.168.10.100
nat (inside,outside) static interface service tcp www www
12-16-2013 12:38 PM
Hi Collin,
What if I want just port 88 for HTTP access and 3306 for MySQL?
Thank you so much.
12-16-2013 12:51 PM
Below I am assuming that port 88 is the port on the outside and it's being translated to port 80 on the server.
object network 192.168.10.100
nat (inside,outside) static interface service tcp www 88
We can only have 1 NAT per object so we have to create another object even though it is the same public IP.
object network mysql-server
host 192.168.10.200
nat (inside,outside) static interface service tcp 3306 3306
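An added example, not part of the original posts: a small Python check over an ASA configuration that flags the all-port `static interface` redirect behind the WARNING in this thread, lists the port-specific forwards, and compares them with the inbound ACL. The sample config, the object names `web-all` and `web-88`, the address 203.0.113.10 and the function names are constructed for illustration; the ACL comparison assumes ASA 8.3 or later, where interface ACLs match the real (inside) address and port.

```python
import re

# Constructed sample config (addresses follow the thread; 203.0.113.10 is a placeholder).
SAMPLE_CONFIG = """\
object network web-all
 host 192.168.10.100
 nat (inside,outside) static interface
object network web-88
 host 192.168.10.100
 nat (inside,outside) static interface service tcp www 88
object network mysql-server
 host 192.168.10.200
 nat (inside,outside) static interface service tcp 3306 3306
access-list outside-in extended permit tcp any host 192.168.10.100 eq 80
access-list outside-in extended permit tcp any host 203.0.113.10 eq 3306
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # small subset of ASA port keywords
NAT_RE = re.compile(r"nat \(\S+,\S+\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)$")

def port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)

def audit(config):
    """Return (forwards, findings) for object-NAT static rules and their ACL permits."""
    hosts, forwards, permits, findings, obj = {}, [], [], [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("host ") and obj:
            hosts[obj] = line.split()[1]
        elif m := ACL_RE.match(line):
            permits.append((m[1], m[2], port(m[3])))
        elif obj and (m := NAT_RE.match(line)):
            if m[2] is None:  # no "service" clause: every port is translated
                findings.append(f"{obj}: all ports of {m[1]} redirected to {hosts.get(obj)}")
            else:  # service <proto> <real port> <mapped port>
                forwards.append((obj, hosts.get(obj), m[2], port(m[3]), port(m[4])))
    # Assumption (ASA 8.3+): the ACL must name the real host and real port.
    wanted = {(proto, real, rport) for _, real, proto, rport, _ in forwards}
    for p in permits:
        if p not in wanted:
            findings.append(f"ACL permit {p[0]} host {p[1]} eq {p[2]} matches no forwarded real host/port")
    for w in sorted(wanted - set(permits)):
        findings.append(f"forward to {w[1]}:{w[2]}/{w[0]} has no ACL permit")
    return forwards, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)[1]))
```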
12-16-2013 01:29 PM
Thank you Collin, so that's the trick: 2 different objects!!!
Beautiful, thank you so much!!!
12-16-2013 01:31 PM
Yeah, kinda goofy if you ask me
Glad it helped and thanks for rating.