ASA 5505 static NAT setting problem

Answered Question
Feb 25th, 2009

I bought an ASA 5505 firewall and wish to replace the existing PIX 506iE firewall.

In the old topology there is only the inside network 192.168.1.0/24 (servers only), and 202.**.***.217 is the outside public interface. In the old setting, each server is mapped to one public IP by static NAT for public access, and no other users connect through the firewall.

For example:

original (inside): 192.168.1.10
translated (outside): 202.**.***.211

I read the manual for the ASA 5505 and it suggests putting the server in a DMZ, but I do not wish to change the network topology. Is it OK to map the outside public IP to the inside private IP without using a DMZ on the ASA 5505? Is the setting the same as on the PIX 506iE?

JORGE RODRIGUEZ Wed, 02/25/2009 - 19:12

kw,

The instructions you have read for the ASA 5505 are the recommended guideline topology: a DMZ that keeps the server that will be accessed from the outside public network isolated from your private network.

You can, however, do the static NAT mappings the same way you had them before on the PIX 506E, without using a DMZ network:

static (inside,outside) <mapped public IP> <real inside IP> netmask 255.255.255.255

and your inbound access rule.

Regards

wongkw3008 Wed, 02/25/2009 - 19:25

Thanks; but does the "inbound access rule" mean the "outside_access_in" rules in ACL Manager?

Is this setting correct?

permit any tcp 202.**.***.211

JORGE RODRIGUEZ Wed, 02/25/2009 - 20:05

Is 202.**.***.211 the IP address of your ASA 5505 outside interface, or is it a spare public IP?

If you are using the outside interface for mapping an inside host:

I will throw out a few examples for a few different scenarios.

example-1 :

allowing RDP using the outside interface address (inside host 192.168.1.10):

static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389 log

access-group outside_access_in in interface outside

example-2

If you want to map several inside hosts using the outside ASA 5505 interface IP you can do port forwarding:

say you want to allow FTP, WWW, and 3389 for RDP to local LAN IPs 192.168.1.10, .11, .12

static (inside,outside) tcp interface 21 192.168.1.10 21 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.168.1.11 80 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.1.12 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 21 log

access-list outside_access_in extended permit tcp any interface outside eq 80 log

access-list outside_access_in extended permit tcp any interface outside eq 3389 log

access-group outside_access_in in interface outside

example-3

If you have just a single spare public IP you can use it for one static NAT as follows; say the public IP is 20.20.20.20 and the inside host is 192.168.1.10:

static (inside,outside) 20.20.20.20 192.168.1.10 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 20.20.20.20 eq 3389 log

access-group outside_access_in in interface outside

You can also do port forwarding with a single spare public IP as shown in example 1.

Regards

Please rate any post if it helps.

wongkw3008 Wed, 02/25/2009 - 20:16

202.**.***.211 is the spare public IP, so I only need to map it to 192.168.1.10 like the existing setting. And I need it to allow HTTP access, FTP access and remote access from the Internet. Thanks

JORGE RODRIGUEZ Wed, 02/25/2009 - 20:43

Then you simply need the static NAT and an inbound access rule:

static (inside,outside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 202.**.***.211 eq ftp log

access-list outside_access_in extended permit tcp any host 202.**.***.211 eq http log

access-group outside_access_in in interface outside

wongkw3008 Wed, 02/25/2009 - 23:48

So is the setting in the attachment (NAT, access list) correct now?

(I don't care which services pass from outside at this moment.)

quote from show run:

access-list outside_access_in extended permit tcp any host 202.**.***.211
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255

Correct Answer
JORGE RODRIGUEZ Thu, 02/26/2009 - 00:54

"(I don't care which services pass from outside at this moment.)"

"So is the setting in the attachment (NAT, access list) correct now?"

As long as you are aware of the security risks, the rules are correct. The rule is wide open: it allows connections to any service your 192.168.1.10 host can provide.

Regards
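The thread turns on three things a reviewer checks in a pasted show run before calling it correct: the mapped public address must sit behind a static whose interface pair is (inside,outside) and not a same-interface pair, the access list must actually be bound with access-group, and a permit with no port (as in the quoted ACL) opens every TCP service on the inside host, which is the "wide open" point of the accepted answer. The script below is an added example, not code from this thread or from Cisco, that parses the ASA 8.2-style `static`, `access-list ... extended permit` and `access-group` lines in the forms used above and reports exactly those conditions, plus port forwards that no ACE reaches. The sample configurations inside it are constructed; 203.0.113.x is a documentation range standing in for the masked public addresses.

```python
"""Audit ASA 8.2-style static NAT and inbound ACL lines (added example, not code from the thread).
Handles the `static` forms used above (one-to-one, and tcp/udp port forwards whose mapped address is a
public IP or `interface`) and `access-list ... extended permit` entries with `any`, `host X` or
`interface outside` destinations. Samples are constructed; 203.0.113.x stands in for the masked IPs."""
import re
from collections import namedtuple

WELL_KNOWN = {"ftp": 21, "ssh": 22, "http": 80, "www": 80, "https": 443}  # service names the ACEs above use

# proto None = one-to-one NAT; mapped may be "interface" (the outside interface address); port None = every port
Static = namedtuple("Static", "src_if dst_if proto mapped mapped_port real real_port")
Ace = namedtuple("Ace", "acl proto dst port")

def _port(tok):
    return int(tok) if tok.isdigit() else WELL_KNOWN.get(tok)

def _addr(toks, i):
    """Parse one ACE address operand at toks[i]; return (value, index of the next token)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] in ("host", "interface"):          # "host 203.0.113.211" / "interface outside"
        return (toks[i + 1] if toks[i] == "host" else "interface"), i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2      # "network mask"

def parse_static(line):
    # static (src,dst) [tcp|udp] mapped [mapped_port] real [real_port] netmask mask
    toks = line.split()
    src_if, dst_if = re.fullmatch(r"\((\w+),(\w+)\)", toks[1]).groups()
    proto = toks[2] if toks[2] in ("tcp", "udp") else None
    i = 3 if proto else 2
    if proto:   # port forward: mapped mapped_port real real_port
        mapped, mport, real, rport, rest = toks[i], _port(toks[i + 1]), toks[i + 2], _port(toks[i + 3]), toks[i + 4:]
    else:       # one-to-one: mapped real
        mapped, mport, real, rport, rest = toks[i], None, toks[i + 1], None, toks[i + 2:]
    if rest[:1] != ["netmask"]:
        raise ValueError(f"unrecognised static line: {line}")
    return Static(src_if, dst_if, proto, mapped, mport, real, rport)

def parse_ace(line):
    # access-list NAME extended permit PROTO SRC DST [eq PORT] [log]
    toks = line.split()
    if toks[2:4] != ["extended", "permit"]:
        return None                               # deny/remark/standard lines add no exposure
    _, i = _addr(toks, 5)                         # source; not needed for this audit
    dst, i = _addr(toks, i)
    port = _port(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Ace(toks[1], toks[4], dst, port)

def _target(s):
    where = "the outside interface address" if s.mapped == "interface" else s.mapped
    return f"{where}:{s.mapped_port}" if s.mapped_port else where

def audit(config):
    """Return findings for the static / access-list / access-group lines in `config`; other lines are ignored."""
    statics, aces, bound = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list "):
            ace = parse_ace(line)
            if ace:
                aces.append(ace)
        elif line.startswith("access-group "):     # access-group NAME in interface IF
            t = line.split()
            bound[t[1]] = t[4]
    findings = []
    for s in statics:
        if s.src_if == s.dst_if:
            findings.append(f"static for {s.real} uses ({s.src_if},{s.dst_if}); Internet reachability needs (inside,outside)")
        reach = [a for a in aces if a.dst in (s.mapped, "any")      # ACEs whose dst/proto/port hit this mapping
                 and (s.proto is None or a.proto in (s.proto, "ip"))
                 and (s.mapped_port is None or a.port in (None, s.mapped_port))]
        for a in reach:
            if a.acl not in bound:
                findings.append(f"ACL {a.acl} permits {_target(s)} but is not applied with access-group")
            if a.port is None and s.proto is None:
                findings.append(f"ACL {a.acl} permits every {a.proto} port on {_target(s)}; {s.real} is wide open")
        if not reach:
            findings.append(f"no permit ACE reaches {_target(s)}; {s.real} is not reachable from outside")
    return findings

# Constructed samples: a same-interface static with a port-less ACE and no access-group, a corrected form,
# and a port-forward set (as in example 2) where one static has no ACE.
AS_POSTED = """\
access-list outside_access_in extended permit tcp any host 203.0.113.211
static (inside,inside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
"""
FIXED = """\
static (inside,outside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq ftp log
access-group outside_access_in in interface outside
"""
PORT_FORWARD = """\
static (inside,outside) tcp interface 21 192.168.1.10 21 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.12 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 21 log
access-group outside_access_in in interface outside
"""
if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED), ("port forward", PORT_FORWARD)):
        print(name, "->", audit(cfg) or ["ok"])
```

Paste the static, access-list and access-group lines from show run into a string and call `audit` on it; everything else (pager, logging, mtu and so on) is skipped. The grammar is the pre-8.3 one used throughout this thread; ASA 8.3 and later replaced `static` with object NAT and rewrote how ACLs reference real versus mapped addresses, so the parser does not apply there.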
