ASA new NAT commands are horrible.


Hi all,

I cannot understand why, when something is working very well, they create a way to complicate things in Cisco ASA OS.

I have a rule:

object network LOCAL_ADRESS1
host 192.168.20.12

nat (VLAN20,outside) source static LOCAL_ADRESS1 interface

In this way I can reach address 1.

So what if I need to reach address 2 for another TCP service?

Comments
ronbuchalski
Beginner

Is your 'outside' connected to the public Internet? And, if so, is the outside network an address block, or is it a single IP address assigned via DHCP (or static) from your ISP?

If you have a public address block available, then you can STATIC NAT each individual inside (local) host to a different outside public (global) IP address. If you have many internal inside (local) hosts that need to be reachable globally, you can create numerous 1:1 static NATs, or you can create an outside NAT pool that the inside hosts can use, with the limit that when the pool is exhausted, no additional NATs can be established.

If you only have a single public IP address, then you will need to create NATs based on port-specific information per protocol (TCP or UDP, for example). So, say you have two web servers, 192.168.20.12 and 192.168.20.13, and you want to make them both reachable via the outside.

Say your outside IP address is 11.12.13.14.

Then:

object network web_server1
host 192.168.20.12

object service web_server1_srcport
service tcp source eq 80

object network web_server2
host 192.168.20.13

object service web_server2_srcport
service tcp source eq 8080

object service web_server_srcport
service tcp source eq 80

nat (inside,outside) source static web_server1 interface service web_server_srcport web_server1_srcport
nat (inside,outside) source static web_server2 interface service web_server_srcport web_server2_srcport

ASA5506X(config)# sh xlate

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

TCP PAT from inside:192.168.20.12 80-80 to outside:11.12.13.14 80-80
flags srT idle 0:00:20 timeout 0:00:00

TCP PAT from inside:192.168.20.13 80-80 to outside:11.12.13.14 8080-8080
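
The answer above boils down to one constraint: a single outside address can be shared by several inside hosts only if each mapping claims a different outside port, while a whole-address rule like the original poster's claims every port. The following is an added example written for this page, not Cisco code and not output from the thread's ASA. It is a small model that parses the object and nat lines quoted above (only the 'object network ... host', 'object service ... service tcp source eq N' and 'nat (real,mapped) source static OBJ interface [service REAL MAPPED]' forms; nothing else in ASA NAT syntax), builds the translations in the shape of the 'show xlate' lines, and reports pairs of rules that compete for the same outside address and port space. The outside address 11.12.13.14 is taken from the answer; both configurations are constructed samples, and the real ASA simply evaluates rules in order rather than reporting an overlap, so the check is a review aid, not ASA behaviour.

```python
"""Model ASA 8.3+ static NAT/PAT rules and the translations they produce,
flagging rules that overlap on the outside (mapped) address.

Added example for this thread, not Cisco code. Only the object and nat
forms quoted in the answer are parsed.
"""
import re
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "11.12.13.14"  # outside interface address used in the answer

# Constructed sample: the port-based static PAT configuration from the answer.
ANSWER_CONFIG = """
object network web_server1
 host 192.168.20.12
object service web_server1_srcport
 service tcp source eq 80
object network web_server2
 host 192.168.20.13
object service web_server2_srcport
 service tcp source eq 8080
object service web_server_srcport
 service tcp source eq 80
nat (inside,outside) source static web_server1 interface service web_server_srcport web_server1_srcport
nat (inside,outside) source static web_server2 interface service web_server_srcport web_server2_srcport
"""

# Constructed sample: the original poster's whole-address rule plus a second
# host added the same way. Both claim every port of the interface address.
OVERLAP_CONFIG = """
object network LOCAL_ADRESS1
 host 192.168.20.12
object network LOCAL_ADRESS2
 host 192.168.20.13
nat (VLAN20,outside) source static LOCAL_ADRESS1 interface
nat (VLAN20,outside) source static LOCAL_ADRESS2 interface
"""

NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) source static (\S+) interface"
                    r"(?: service (\S+) (\S+))?$")
SVC_RE = re.compile(r"^service (tcp|udp) source eq (\d+)$")


@dataclass(frozen=True)
class Xlate:
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    proto: Optional[str] = None        # None: whole address, every port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def describe(self) -> str:
        """Render in the shape of the 'show xlate' lines quoted in the thread."""
        if self.proto is None:
            return f"NAT from {self.real_if}:{self.real_ip} to {self.mapped_if}:{self.mapped_ip}"
        return (f"{self.proto.upper()} PAT from {self.real_if}:{self.real_ip} "
                f"{self.real_port}-{self.real_port} to {self.mapped_if}:"
                f"{self.mapped_ip} {self.mapped_port}-{self.mapped_port}")

    def overlaps(self, other: "Xlate") -> bool:
        """True when both map onto the same outside address and port space."""
        if (self.mapped_if, self.mapped_ip) != (other.mapped_if, other.mapped_ip):
            return False
        if self.proto is None or other.proto is None:
            return True  # a whole-address mapping covers every port
        return (self.proto, self.mapped_port) == (other.proto, other.mapped_port)


def build_xlate(config: str, interface_ip: str) -> list:
    """Parse the objects and nat lines and return the resulting translations."""
    hosts, services, entries = {}, {}, []
    current = None  # (kind, name) of the object block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network ") or line.startswith("object service "):
            current = (line.split()[1], line.split()[2])
            continue
        if line.startswith("host ") and current and current[0] == "network":
            hosts[current[1]] = line.split()[1]
            continue
        svc = SVC_RE.match(line)
        if svc and current and current[0] == "service":
            services[current[1]] = (svc.group(1), int(svc.group(2)))
            continue
        nat = NAT_RE.match(line)
        if not nat:
            raise ValueError(f"unsupported line: {line}")
        real_if, mapped_if, obj, real_svc, mapped_svc = nat.groups()
        if real_svc is None:  # no service clause: the whole interface address
            entries.append(Xlate(real_if, hosts[obj], mapped_if, interface_ip))
            continue
        proto, real_port = services[real_svc]
        mproto, mapped_port = services[mapped_svc]
        if proto != mproto:
            raise ValueError(f"protocol mismatch in: {line}")
        entries.append(Xlate(real_if, hosts[obj], mapped_if, interface_ip,
                             proto, real_port, mapped_port))
    return entries


def find_overlaps(entries: list) -> list:
    """Pairs of translations that compete for the same outside address/port."""
    return [(a, b) for i, a in enumerate(entries) for b in entries[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER_CONFIG), ("overlap", OVERLAP_CONFIG)):
        xl = build_xlate(cfg, OUTSIDE_IP)
        print(f"--- {name} ---")
        print("\n".join(e.describe() for e in xl))
        for a, b in find_overlaps(xl):
            print(f"OVERLAP: {a.real_ip} and {b.real_ip} both claim {a.mapped_if}:{a.mapped_ip}")
```

Run against ANSWER_CONFIG the model reproduces the two PAT lines from the answer's 'sh xlate' and reports no overlap; against OVERLAP_CONFIG it flags the two whole-address rules, which is exactly why a second host cannot be published on the same interface address without a service clause that gives it its own outside port.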