I have a Cisco 5505 ASA with 8.31 and can't work out how to configure NAT

cglendinning
Level 1

the outside ip address of the ASA is 192.168.125.250 /22

inside address of the ASA is 192.168.0.40 /24

I want to configure:

static port translation NAT from tcp port 5902 on the outside to host 192.168.0.10 tcp port 5902 on the inside

static port translation NAT from tcp port 5903 on the outside to host 192.168.0.11 tcp port 5902 on the inside

for VNC to two hosts on the inside.

static NAT from tcp port 2222 on the outside to host 192.168.0.10 port 2222 on the inside

static NAT from tcp port 44818 on the outside to host 192.168.0.10 port 44818 on the inside

for Rockwell Rslinx

This needs to be permitted for a limited range of DHCP-assigned addresses on the outside.

I want to enable one of the inside hosts to access an NTP server on the outside (not sure of the IP of the NTP server yet)

I don't want the inside to be able to access the outside other than this for now.

6 Replies

rvarelac
Level 7

Hi cglendinning

The following link will show you some examples to accomplish this goal.

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Check the "Regular Static PAT" section.

Hope it helps

-Randy- 

Hi

Thanks.

Those examples are not great; they don't explain the aim of each example much at all. Most confusing is which is the port on the outside and which is on the inside destination.

Also it doesn't explain how to restrict access to the connection, or indeed how to permit it at all.

Chris

Hi Chris,

There are two parts of your requirement:

1: address translation: Use static nat to map real port and IP to global port and IP.

eg:

nat (inside,outside) source static real-ip mapped-ip/interface service real-service mapped-service

2: Once you have translated traffic, you can control access to it using appropriate acls.

In your ACL you should use the real IP address of the server behind the ASA. To restrict usage to a particular subnet, create an access control list with an access control entry (ACE) to permit traffic from the allowed subnet to the server. Below this ACE, create another ACE to deny any traffic from other hosts.

Thanks,

Rishabh Seth

PS: Rate if it helps.

conxservltd
Level 1

Hi There,

An easy way to manage this would be to create some object groups and networks to manage the access from device to NAT, and then to apply ACLs to allow and permit certain ports through to source.

To stop access just create an ACL to deny other traffic explicitly, and the ACL will only reference the allow rules.

Let me know if you want this writing out and I'll post some more suggestions here.

Hope this helps!

Hi

Thanks for your help. I think I've got the NAT config lines OK now, but writing out some of the ACL entries would be a great help.

Best regards

Chris

Hi Chris,

Sample ACL configuration on versions 8.3 and above (for static NAT traffic):

access-list outside_in extended permit tcp any host <Real IP> eq <port number>
access-group outside_in in interface outside

If your ASA version is below 8.3 (For static NAT traffic)

access-list outside_in extended permit tcp any host <mapped IP> eq <port number>
access-group outside_in in interface outside

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
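A full 8.3+ configuration for the requirement in this thread, written as an added example rather than taken from any of the posts above. It ties together Rishabh's two parts (object NAT with the real port listed before the mapped port, then an interface ACL that references real IPs and real ports) and Shivapramod's ACL sample, and adds the inside-to-outside restriction with the NTP exception. The outside client range (192.168.124.100-150) and the NTP server address (203.0.113.10) are placeholders I made up; substitute the real values.

```cisco
! Constructed placeholder for the DHCP-assigned outside clients (inside 192.168.124.0/22)
object network OUTSIDE_VNC_CLIENTS
 range 192.168.124.100 192.168.124.150
! Constructed placeholder; the OP does not know the NTP server IP yet
object network NTP_SERVER
 host 203.0.113.10
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Object NAT static PAT: "service tcp <real-port> <mapped-port>" (real first, mapped second)
object network VNC_10
 host 192.168.0.10
 nat (inside,outside) static interface service tcp 5902 5902
object network VNC_11
 host 192.168.0.11
 nat (inside,outside) static interface service tcp 5902 5903
object network RSLINX_2222
 host 192.168.0.10
 nat (inside,outside) static interface service tcp 2222 2222
object network RSLINX_44818
 host 192.168.0.10
 nat (inside,outside) static interface service tcp 44818 44818
! Inbound ACL on the outside interface: on 8.3+ it matches the REAL address and REAL port,
! so the host mapped to outside port 5903 is still permitted on its real port 5902.
access-list outside_in extended permit tcp object OUTSIDE_VNC_CLIENTS object VNC_10 eq 5902
access-list outside_in extended permit tcp object OUTSIDE_VNC_CLIENTS object VNC_11 eq 5902
access-list outside_in extended permit tcp object OUTSIDE_VNC_CLIENTS object RSLINX_2222 eq 2222
access-list outside_in extended permit tcp object OUTSIDE_VNC_CLIENTS object RSLINX_44818 eq 44818
! Explicit deny with logging so rejected sources show up in syslog
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
! Inside-to-outside is allowed by default (higher to lower security level), so an ACL
! on the inside interface is what restricts it: one host to NTP only, everything else denied.
access-list inside_out extended permit udp object VNC_10 object NTP_SERVER eq 123
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
```

Return traffic for the inbound VNC and RSLinx sessions is still allowed by the ASA's connection table, so the inside_out deny does not break them; check with `show nat detail` and `packet-tracer input outside tcp 192.168.124.101 40000 192.168.125.250 5903` that the mapped port lands on 192.168.0.11:5902.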
