Access rule and NAT

Nimika123
Level 1

I have a Cisco ASA 5510 and am using ASDM.

I am new to ASA and am trying to understand what to do for the below.

1. I have public IP 4.79.205.89 ---------> FW ------> 192.168.10.1 (Apool interface)

For this to work would I need both an access rule and a NAT rule? I need to open up the port for TCP. If something is being sent out of 192.168.10.1 I need to NAT it to 4.79.205.89.

I have 2 interfaces, external and Apool (192.168.10), and the spool 192.168.30 network.

a) The NAT rule will be for interface Apool, correct? Is the static NAT 2-way? Meaning,

how does the traffic coming from outside know that it will need to go to 192.168.10.1?

If I set the NAT rule below, it seems that whatever is sent from 192.168.10.1 has its IP translated to 4.79.205.89, but how does it know that the traffic from outside sent to 4.79.205.89 needs to go to 192.168.10.1?

interface: App pool

source: 192.168.10.1

Translated:

interface: external

destination: 4.79.205.89

b) How do I allow traffic from the public IP to communicate with 192.168.10, which is behind the FW?

I added an Access rule for interface external:

Action: permit

source: any

destination: 4.79.205.89

port: tcp

Thanks

Sagar


Jon Marshall
Hall of Fame

Sagar

What exactly is the TCP port you need to allow, i.e. what application is on 192.168.10.1 that you want to allow access to from the internet?

Do you have an access-list configured on any interfaces already?

What version of software are you using ?

Jon

Hi, I am using ASDM 6.2. I need to enable SSH port 22; it is an SFTP server.

Sagar

Unfortunately I'm not familiar with ASDM. Attached is the config guide for ASDM for setting up static NAT:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html#wp1072634

You would also need to add a rule to the ACL applied to your outside interface (assuming you have one) to allow the traffic.

If you are happy to use the CLI I can supply the actual commands. If you want to do this, can you post your current config or tell me which version of software is running on the ASA?

Jon

Hi, here is the show version:

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(5)

Compiled on Tue 05-May-09 22:45 by builders

System image file is "disk0:/asa821-k8.bin"

Config file at boot was "startup-config"

oshac5510fw up 247 days 1 hour

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

Slot 1: ATA Compact Flash, 512MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Sagar

static (inside,outside) tcp 4.79.205.89 22 192.168.10.1 22

access-list outside_in permit tcp any host 4.79.205.89 eq ssh

A couple of points:

1) I have assumed that 192.168.10.1 is reachable from the inside interface.

2) If you already have an ACL applied to the outside interface then change the name of the ACL in the above. If you don't have an ACL applied to the outside interface you need to add this additional command:

access-group outside_in in interface outside

Jon
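As an added worked example (not part of the original thread, and not Jon's posted config), here is the same change written for ASA 8.2(1) with the interface names from the question instead of the assumed inside/outside, together with the checks that confirm it works. It assumes the nameif values are exactly `Apool` (higher security level) and `external` (lower security level), and it uses the placeholder network 203.0.113.0/24 for the remote SFTP client; replace that with the real client address range. In ASDM 6.2 the same objects appear under Configuration > Firewall > NAT Rules and Configuration > Firewall > Access Rules.

```cisco
! Added example, not the thread's own config. ASA 8.2(1) (pre-8.3 NAT) syntax.
! Assumes nameif "Apool" = inside side of the server, "external" = internet side.
! 203.0.113.0/24 is a placeholder for the SFTP client's network.

! 1) Static PAT: public 4.79.205.89:22 <-> 192.168.10.1:22.
!    A static translation is bidirectional: inbound connections to
!    4.79.205.89:22 are untranslated to 192.168.10.1:22, and outbound
!    traffic from 192.168.10.1 sourced from TCP/22 appears as 4.79.205.89.
!    Because this is a port-level static, other outbound traffic from the
!    host still needs its own nat/global (or static) entry.
static (Apool,external) tcp 4.79.205.89 22 192.168.10.1 22 netmask 255.255.255.255

! 2) ACL applied inbound on the lower-security interface. In 8.2 the ACL
!    matches the MAPPED (public) address, so the destination is 4.79.205.89,
!    not 192.168.10.1 (this flips to the real IP from 8.3 onward).
!    "any" as the source works but exposes SSH to the whole internet;
!    restrict it to the client range you actually expect.
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 4.79.205.89 eq 22
access-list outside_in extended deny ip any any log
access-group outside_in in interface external

! 3) Verify. Simulate an inbound SYN from the allowed client; the NAT and
!    ACCESS-LIST phases should both report ALLOW and the result should be
!    "allow" with output-interface Apool.
packet-tracer input external tcp 203.0.113.10 40000 4.79.205.89 22

!    A source outside the permitted range must end in "drop" at the ACL phase.
packet-tracer input external tcp 198.51.100.7 40000 4.79.205.89 22

!    Confirm the translation is installed and the permit line accumulates hits.
show xlate
show access-list outside_in
```

Note that nothing in the ACL references the Apool interface: the access rule lives on `external` because that is where the unsolicited inbound traffic arrives, while the `static` entry is what tells the ASA that packets for 4.79.205.89 belong to 192.168.10.1.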

jimsmith
Level 1

If you add another ethernet interface, let's say a USB one, and manually configure it with an IP, say 192.168.10.1 - check this link, the same thing happens above with free routes. Assume you assigned the USB ethernet adapter 192.168.10.1 with subnet mask /24 (or 255.255.255.0).

Hi,

You need to have a port-forward NAT rule and an ACL for this. Hope the link below helps with it.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html#pat

Good luck

KB