ASA and PAT

James Hoggard · ‎10-16-2014

Hi,

There are 2 things I would like to ask.

1st - my understanding of PAT ( port address translation ) if I have 1 public IP address lets say 1.1.1.1 for example and have 3 internal servers 192.168.1.1 .2 and .3 can I use the same public IP to map different services E.G 3389 to 192.168.1.1 443 to 1.2 80 to 1.3 using the 1 public IP?

The one thing I'm guessing that can't be done on 1 public IP is map the same service to multiple servers so 3389 to 192.168.1.1 .2 and .3?

Please confirm?

Thanks.

david-swope · ‎10-16-2014

You are correct, we cannot use PAT in that manner. We need to have static NAT to allow a user from the outside to reach a specific machine (i.e., 192.168.1.2:3389).

We use PAT to conserve our Public IP Range/s.

PAT would be

object network Inside

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) dynamic interface

Now when any client on the Inside (192.168.1.0/24) tries to get to the Internet, they will be PAT to the outside IP of the ASA.

Static NAT would be

object network PublicIP

host 108.1.1.252

object network RDP-Server1

host 192.168.1.2

nat (inside,outside) static PublicIP service tcp 3389 3389

James Hoggard · ‎10-16-2014

So I can do what I said first as in map 1 public IP to multiple internal as long as there on different ports?

Vibhor Amrodia · ‎10-17-2014

Hi,

Yes , you are correct.

For Ex:-

If you have 3 Server and 1 Public IP:-

LAN IP:- 10.1.1.1 , 10.1.1.2 and 10.1.1.3

Public IP:- 2.2.2.2

You can do something like this:-

object network RDP-Server1

host 10.1.1.1

nat (inside,outside) static PublicIP service tcp 3389 3389

object network RDP-Server2

host 10.1.1.2

nat (inside,outside) static PublicIP service tcp 3389 3390

object network RDP-Server3

host 10.1.1.3

nat (inside,outside) static PublicIP service tcp 3389 3391

Thanks and Regards,

Vibhor Amrodia