NAT static port with ASA inbetween

Robert Mogan
Level 1

Hi all

I need to set up NAT to allow external devices to access a server on an internal network.  The plan is to use static port NAT.  Time for testing on the live system is limited, so I'm trying to plan the basics.  The problem is there is a firewall in between.

     external |-----| e0 (80.80.80.1/30)  GATEWAY  e1 (192.168.0.1/24) |-----| e0 (192.168.0.254/24)  ASAFIREWALL  e1 (192.168.101.254/24) |-----| AppServer (192.168.101.10/24)

The public ip is 80.80.80.1 at gateway e1

The Appserver is 192.168.101.10

Connecting over port 4567

Plan so far:

Gateway router:

nat requests at global ip with port 4567 to appserver port 4567

gateway(config)#ip nat inside source static tcp 192.168.101.10 4567 80.80.80.1 4567

and add static route towards appserver

gateway(config)#ip route 192.168.101.10 255.255.255.255 192.168.0.254

ASAFirewall:

Create a network object for the server

ASAFIREWALL(config)# object network Appserver4567

ASAFIREWALL(config-network-object)# host 192.168.101.10

and forward the port via NAT.

ASAFIREWALL(config-network-object)# nat (inside,outside) static 192.168.0.254 service tcp 4567 4567

add to firewall acl

ASAFIREWALL(config)# access-list OUTSIDE permit tcp any object Appserver4567 eq 4567

I would welcome any comments as to whether this looks likely to work and whether I'm missing anything major.

Thanks

Robert

5 Replies

cadet alain
VIP Alumni

Hi,

Here is my opinion: as the default on the ASA is to have NAT-control disabled, you don't need any NAT on the firewall, but if you do, then you'll have to change the nat statement on the router like this:

ip nat inside source static tcp 192.168.0.254 4567 80.80.80.1 4567

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain

I've got version 8.3 running on the ASA, and the manual says nat-control is deprecated.  So do you think I can leave the router config for NAT as in my original comment, and drop the NAT config from the ASA?

Thanks

Hi,

Yes, you can. Just leave the ACL inbound on the WAN interface and you should be OK.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks very much - I'll add an update after testing - cheers

Hi Alain

Took a while to get to do this.  There were some other existing rules that, for the sake of conformity, led me to do it as follows:

NB: I discovered the connection between GATEWAY and ASAFIREWALL uses layer 2 switchports on the GATEWAY to connect the ASAFIREWALL management interface, all assigned to VLAN 1 (not sure if this is considered normal?).

GATEWAY router - 80.80.80.1 gets a static mapping on the GATEWAY to 192.168.0.10.

(conf)# ip nat inside source static 192.168.0.10 80.80.80.1

ASAFIREWALL - then does the port forwarding

(conf)# object network APPSERVER-PT4567

(conf-net-obj)# host 192.168.101.10

(conf)# object network PAT-192.168.101.10-PT4567

(conf-net-obj)# host 192.168.101.10

(conf-net-obj)# nat (developers,outside) static 192.168.0.10 service tcp 4567 4567

(config)# access-list OUTSIDE permit tcp any object APPSERVER-PT4567 eq 4567

So far it's working.

Thanks again for your help.
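As an added example, not code from the thread, here is a small Python model of the two-hop static NAT chain discussed above (the gateway's IOS rule, then the ASA's object NAT) that untranslates an inbound destination hop by hop and reports where the second hop's mapped address does not match what the first hop produced; it is fed Robert's original plan, Alain's corrected router line, and the final working configuration. The StaticNat class, parse_ios, parse_asa and trace are assumptions of this example, not Cisco commands.

```python
# Added example (not from the thread): trace a destination through the IOS-then-ASA static NAT chain.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    real_port: Optional[int]    # None = whole-host static NAT (every port)
    mapped_ip: str
    mapped_port: Optional[int]

# IOS: ip nat inside source static [tcp real_ip real_port] mapped_ip [mapped_port]
IOS_RE = re.compile(r"ip nat inside source static (?:tcp (\S+) (\d+) (\S+) (\d+)|(\S+) (\S+))")
# ASA object NAT: nat (real_ifc,mapped_ifc) static mapped_ip [service tcp real_port mapped_port]
ASA_RE = re.compile(r"nat \(\S+,\S+\) static (\S+)(?: service tcp (\d+) (\d+))?")

def parse_ios(line: str) -> StaticNat:
    m = IOS_RE.search(line)
    if m is None:
        raise ValueError(f"not an IOS static NAT line: {line!r}")
    if m.group(1):  # port-level ("static port") form
        return StaticNat(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    return StaticNat(m.group(5), None, m.group(6), None)

def parse_asa(line: str, object_host: str) -> StaticNat:
    # With ASA object NAT the real address is the enclosing network object's host.
    m = ASA_RE.search(line)
    if m is None:
        raise ValueError(f"not an ASA object NAT line: {line!r}")
    ports = (int(m.group(2)), int(m.group(3))) if m.group(2) else (None, None)
    return StaticNat(object_host, ports[0], m.group(1), ports[1])

def trace(chain, dst_ip: str, dst_port: int):
    """Inbound direction: at each hop rewrite mapped -> real, or stop where no rule matches."""
    for hop, rule in chain:
        if dst_ip != rule.mapped_ip or (rule.mapped_port is not None and dst_port != rule.mapped_port):
            return dst_ip, dst_port, f"{hop}: no static rule matches {dst_ip}:{dst_port}"
        dst_ip = rule.real_ip
        dst_port = rule.real_port if rule.real_port is not None else dst_port
    return dst_ip, dst_port, "ok"

# Constructed inputs taken from the three configurations posted in the thread.
ASA_PLAN = parse_asa("nat (inside,outside) static 192.168.0.254 service tcp 4567 4567", "192.168.101.10")
ORIGINAL = [("GATEWAY", parse_ios("ip nat inside source static tcp 192.168.101.10 4567 80.80.80.1 4567")),
            ("ASA", ASA_PLAN)]
CORRECTED = [("GATEWAY", parse_ios("ip nat inside source static tcp 192.168.0.254 4567 80.80.80.1 4567")),
             ("ASA", ASA_PLAN)]
FINAL = [("GATEWAY", parse_ios("ip nat inside source static 192.168.0.10 80.80.80.1")),
         ("ASA", parse_asa("nat (developers,outside) static 192.168.0.10 service tcp 4567 4567", "192.168.101.10"))]
```

Running trace(ORIGINAL, "80.80.80.1", 4567) stops at the ASA because the gateway already rewrote the destination to 192.168.101.10, which is the mismatch Alain's reply points out; the corrected and final chains both end at 192.168.101.10:4567.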
