NAT ON ASA 5505

dian.it
Level 1

Hi, I have already installed an ASA 5505. My service provider only gave me one public IP address. Can I create static NAT for my services (web, FTP) with the IP address of the ASA?

Thanks.

1 Reply

JORGE RODRIGUEZ
Level 10

Yes you can. Use the outside interface for static inbound connections if your ISP is only giving you one public IP for your ASA outside interface addressing.

Say your inside network is 10.20.20.0/24 and you have a web server at 10.20.20.20, an FTP server at 10.20.20.21, and a Telnet server at 10.20.20.22.

The static commands and ACL would be similar to:

Static entries

static (inside,outside) tcp interface 80 10.20.20.20 80 netmask 255.255.255.255

static (inside,outside) tcp interface 21 10.20.20.21 21 netmask 255.255.255.255

static (inside,outside) tcp interface 23 10.20.20.22 23 netmask 255.255.255.255

And so on.

Maybe create a TCP object group for these services to apply to an ACL:

object-group service TEST tcp

port-object eq 80

port-object eq 21

port-object eq 23

Create the ACL and apply it to the outside interface:

access-list outside_access_in extended permit tcp any interface outside object-group TEST log

access-group outside_access_in in interface outside

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

Rgds

Jorge

PLS rate any helpful post

Jorge Rodriguez
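
An added example, not part of the original reply or of any Cisco tooling: a Python check that cross-references the static PAT entries above with the ACL bound to the outside interface, reporting forwarded ports that lack an inbound permit, permits without a translation, and cleartext-login services opened to any source. The function names `audit` and `port` and the choice of FTP and Telnet as the flagged services are assumptions of this example.

```python
import re

# Constructed sample: the configuration lines from the reply above (pre-8.3 syntax).
SAMPLE = """\
static (inside,outside) tcp interface 80 10.20.20.20 80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 10.20.20.21 21 netmask 255.255.255.255
static (inside,outside) tcp interface 23 10.20.20.22 23 netmask 255.255.255.255
object-group service TEST tcp
 port-object eq 80
 port-object eq 21
 port-object eq 23
access-list outside_access_in extended permit tcp any interface outside object-group TEST log
access-group outside_access_in in interface outside
"""

# The ASA prints some well-known ports by name in the running config.
NAMES = {"www": 80, "ftp": 21, "telnet": 23}
# Assumption of this example: services whose logins cross the wire unencrypted.
CLEARTEXT = {21: "ftp", 23: "telnet"}

def port(tok):
    return NAMES[tok] if tok in NAMES else int(tok)

def audit(config):
    """Cross-check static PAT entries against the ACL bound to the outside interface."""
    forwards, groups, acls, bound, cur = {}, {}, {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"static \(\w+,outside\) tcp interface (\S+) (\S+) (\S+)", line):
            forwards[port(m[1])] = (m[2], port(m[3]))
        elif m := re.match(r"object-group service (\S+) tcp$", line):
            cur = groups.setdefault(m[1], set())
            continue
        elif (m := re.match(r"port-object eq (\S+)", line)) and cur is not None:
            cur.add(port(m[1]))
            continue
        elif m := re.match(r"access-list (\S+) extended permit tcp any interface outside object-group (\S+)", line):
            acls.setdefault(m[1], set()).update(groups.get(m[2], set()))
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            bound.add(m[1])
        cur = None  # any other command ends the object-group sub-mode
    allowed = set().union(*(p for name, p in acls.items() if name in bound))
    findings = []
    for p, (host, _) in sorted(forwards.items()):
        if p not in allowed:
            findings.append(f"tcp/{p} -> {host}: translated but not permitted inbound")
        elif p in CLEARTEXT:
            findings.append(f"tcp/{p} -> {host}: {CLEARTEXT[p]} reachable from any source")
    findings += [f"tcp/{p}: permitted but no static entry" for p in sorted(allowed - set(forwards))]
    return forwards, findings
```

Calling `audit(SAMPLE)` returns the parsed port forwards and a list of findings; on the configuration from the reply it reports the FTP and Telnet forwards as open to any source.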