12-30-2008 04:13 AM - edited 03-11-2019 07:30 AM
Hi,
I'm using a 5505 in routed mode. I currently have the following nat, global and static statements:
Firewall# show run nat
nat (inside) 1 0.0.0.0 0.0.0.0
Firewall# show run global
global (outside) 1 interface
static (inside,outside) 74.213.XXX.XXX 192.168.100.2 netmask 255.255.255.255
Plus a few more internal IPs routed to different external IPs. As it stands, each internal IP has its own external IP. Translation occurs between the internal and the external IPs, ports remaining unchanged.
For the above external IP, one exception needs to be made. I'd like to have port 12345 re-directed to 192.168.100.2 port 22 (so in other words I'd like to close port 22 to the public and instead use a high-numbered port)
All the other ports can remain the same. I've already tried the obvious (adding another static entry) but I get an error message saying it overlaps with an existing entry. I've even tried assigning another internal IP to the host and creating a new NAT id, but I still run into the same problem. Surely this goal doesn't require its own external IP!?
Thanks in advance for the help!
E
12-30-2008 06:02 AM
Since you're using 1-to-1 NATs it will require a new public IP. Try using a new public IP, but doing a port translation:
static (inside,outside) tcp 74.213.X.Y 12345 192.168.100.X 22 netmask 255.255.255.255
You can then add other high ports pointing to other boxes (but the same public IP).
static (inside,outside) tcp 74.213.X.Y 23456 192.168.100.Z 22 netmask 255.255.255.255
static (inside,outside) tcp 74.213.X.Y 34567 192.168.100.A 22 netmask 255.255.255.255
Hope that helps.
12-30-2008 11:23 AM
Hi Collin,
Thanks for your help!
12-30-2008 11:49 AM
Why do you need to waste extra public IP addresses for that? There is a much simpler way
to accomplish this. It's called policy NAT.
Private host IP: 192.168.100.2
Public NAT IP: 1.2.3.4
Objective: you want to NAT 192.168.100.2 to 1.2.3.4 and keep everything the same on the
port usage except that you want to port 12345 for IP address 1.2.3.4 to be translated to
port 22 on 192.168.100.2
Now you have to read the syntax on the ASA for this. I do not have one in front of me
but I will use Checkpoint NAT as an example:
Rule #  Src  Dst      Service  Trans-Src  Trans-Dst      Service
1       Any  1.2.3.4  12345    Original   192.168.100.2  22
2       Any  1.2.3.4  any      Original   192.168.100.2  Original
The idea here is that the NAT rule #1 will take care of the SSH translation while rule #2
will take care of the rest for NAT. This is a much more efficient use of public IP addresses.
There is no need to use additional public IP addresses in this situation.
12-30-2008 09:31 PM
Could anyone possibly give an example of what the parent post stated, in the context of an ASA5500? I've tried a few different things however I'm having no such luck. Also, I'm presuming that if I'd be doing policy nat, I should remove the static NAT entry?
12-31-2008 01:25 PM
In regards to the parent post you can try something like this
access-list ACLName permit tcp any host 192.168.100.2 eq 22
global (outside) 1 1.2.3.4 netmask xx.xx.xx.xx eq 1234
nat (inside) 1 access-list ACLName
HTH
Also check out this web link for examples of Policy Based NAT
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#IN1
12-31-2008 01:32 PM
Thanks for your suggestion, unfortunately this isn't possible on an ASA 5505. Looking at the example in the reference guide for the 5505, I see that the address we want the real address mapped to is specified by the global command, but unfortunately that command doesn't have an "eq" parameter which lets you specify the port. Although it seems like you can easily re-write the mapped address based on source/destination, it doesn't look like the port can be re-written. I was really hoping for a solution similar to what the Checkpoint post refers to.
01-02-2009 06:47 AM
You can try this:
static (inside,outside) tcp interface 12345 192.168.100.2 22 netmask 255.255.255.255
This will use ANY address that you have specified or assigned by the ISP. Use the word "interface" where I have it, and don't use an address there.
HTH,
John
01-04-2009 12:24 AM
Hi Collin,
Just wanted to let you know that your solution was definitely the best solution. I looked into policy NAT, however it doesn't do what I'm trying to accomplish. One of my initial concerns with your suggestion was that every outgoing connection would have to be defined in a static statement, however by testing out this solution, I found out this wasn't the case. I'm not sure why this doesn't need to happen (if you can explain to me the reason/concept/logic it would be much appreciated!) but what counts is that it doesn't.
Thanks again,
Erik
01-04-2009 03:28 PM
After further testing, I realize that:
global (outside) 1 interface
ensures that all my outgoing connections are translated to outside vlan's address and that's why it works.
Hooray :)
Erik
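Pulling the thread's working answer together, here is the complete configuration for publishing SSH on TCP/12345 of the outside interface address while the rest of the inside network keeps using that same address for outbound PAT, first in the pre-8.3 syntax used in this thread and then in the object-NAT syntax that ASA 8.3 and later use. This is an added example, not configuration posted by anyone in the thread. The ACL name OUTSIDE_IN, the object names INSIDE_NET and SSH_SERVER, and the inside subnet 192.168.100.0/24 (inferred from the host address in the question) are assumptions.

```cisco
! --- ASA 8.2 and earlier (the syntax used in this thread) ---
! Static PAT: <outside interface address>:12345 <-> 192.168.100.2:22.
! Only this one port pair is pinned. Connections 192.168.100.2 opens
! outbound do not match it and fall through to the nat/global pair
! below, which is why no per-connection static is needed.
static (inside,outside) tcp interface 12345 192.168.100.2 22 netmask 255.255.255.255

! Outbound PAT for the whole inside network behind the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Pre-8.3 ACLs match the MAPPED (public) address and port, so the ACL
! permits port 12345 on the outside interface address, not port 22.
! The ACL name is assumed. Narrow "any" to the admin source network
! where one exists: moving SSH to a high port only reduces scanner
! noise, it is not an access control.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 12345
access-group OUTSIDE_IN in interface outside

! Check: after the first inbound connection, "show xlate" lists a PAT
! entry mapping the outside address port 12345 to 192.168.100.2 port 22.

! --- ASA 8.3 and later: same result with object NAT ---
! Object names are assumed. Static object NAT is evaluated before
! dynamic object NAT, so the port pin and the outbound PAT coexist.
object network INSIDE_NET
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network SSH_SERVER
 host 192.168.100.2
 nat (inside,outside) static interface service tcp 22 12345

! From 8.3 the inbound ACL matches the REAL address and real port.
access-list OUTSIDE_IN extended permit tcp any object SSH_SERVER eq 22
access-group OUTSIDE_IN in interface outside
```

Note that the pre-8.3 and 8.3+ ACL lines differ on purpose: the same rule is written against the public address and port 12345 on the old code and against the real host and port 22 on the new code, and carrying the old form over unchanged during an upgrade leaves the port silently closed.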