
NAT Question?

dianewalker
Level 1

We have an ASA 5540. After setting up one-to-one NAT, do I need to do anything else?

static (Inside,Outside) public ip address private ip address netmask 255.255.255.255

Thanks.

Diane

1 Accepted Solution


static (Inside,Outside) 209.147.10.16 172.16.100.110 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.17 216.132.251.25 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.18 216.16.251.20 netmask 255.255.255.255

access-list acl_out extended permit tcp any host 209.147.10.16 eq smtp
access-list acl_out extended permit tcp any host 209.147.10.17 eq ftp
access-list acl_out extended permit tcp any host 209.147.10.18 eq ftp

You have to apply this ACL to the outside interface, so the source is any and the destination is the public IP that you define on the static NAT.

Remember the access group

access-group acl_out in interface outside

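An added example, not part of the original replies: a small Python check that compares inbound ACL destinations against the static translations, using the addresses quoted in this thread (the accepted answer's ACL and the draft ACL from the follow-up question). The function name `lint` and the finding messages are hypothetical, and it assumes the pre-8.3 `static` syntax shown here, where the outside ACL matches the mapped (public) address.

```python
import re
# Constructed sample input: the static and access-list lines quoted in this thread.
STATICS = """\
static (Inside,Outside) 209.147.10.16 172.16.100.110 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.17 216.132.251.25 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.18 216.16.251.20 netmask 255.255.255.255
"""
DRAFT = STATICS + """\
access-list acl_out extended permit tcp any host 216.132.251.25 eq smtp
access-list acl_out extended permit tcp any host 216.132.251.20 eq ftp
access-list acl_out extended permit tcp any host 172.16.100.110 eq ftp
"""
FIXED = STATICS + """\
access-list acl_out extended permit tcp any host 209.147.10.16 eq smtp
access-list acl_out extended permit tcp any host 209.147.10.17 eq ftp
access-list acl_out extended permit tcp any host 209.147.10.18 eq ftp
access-group acl_out in interface outside
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit (\w+) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def lint(config):
    """Return findings for inbound ACL entries checked against static NAT (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    real_to_mapped, bound, findings = {}, set(), []
    for l in lines:
        if m := STATIC_RE.match(l):
            real_to_mapped[m.group(4)] = m.group(3)  # real (inside) -> mapped (public)
        elif m := GROUP_RE.match(l):
            bound.add(m.group(1))                    # ACL names applied to an interface
    mapped, acls = set(real_to_mapped.values()), set()
    for l in lines:
        if not (m := ACE_RE.match(l)):
            continue
        acl, dst = m.group(1), m.group(3)
        acls.add(acl)
        if dst in real_to_mapped:    # entry names the inside address
            findings.append(f"{dst}: real address, use mapped {real_to_mapped[dst]}")
        elif dst not in mapped:      # entry names a host with no static at all
            findings.append(f"{dst}: no static translation for this host")
    for acl in sorted(acls - bound):
        findings.append(f"{acl}: not applied, no access-group")
    return findings

if __name__ == "__main__":
    for name, cfg in (("draft", DRAFT), ("fixed", FIXED)):
        print(name, lint(cfg) or "ok")
```

On the draft, the check also reports that 216.132.251.20 has no static at all, because the static line maps 216.16.251.20.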


If this NAT is for outbound traffic, you don't need anything else. If your intention is to allow traffic from outside to inside, you will need to add the necessary ACLs to allow the traffic.

Thanks for your prompt response.

Can you give me sample ACLs to allow traffic from outside to inside? I would like to allow FTP and SMTP traffic.

Thanks.

Diane

Does it look right to you to allow traffic from outside to inside? The IP addresses are not real. The 216.132.251.XXX are the inside IP addresses. The 209.147.10.XXX are the outside IP addresses.

static (Inside,Outside) 209.147.10.16 172.16.100.110 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.17 216.132.251.25 netmask 255.255.255.255
static (Inside,Outside) 209.147.10.18 216.16.251.20 netmask 255.255.255.255

access-list acl_out extended permit tcp any host 216.132.251.25 eq smtp
access-list acl_out extended permit tcp any host 216.132.251.20 eq ftp
access-list acl_out extended permit tcp any host 172.16.100.110 eq ftp

Thanks.

Diane
