Cisco Support Community
Community Member

Best practice for Global Address?

Good Morning,

I am new to Cisco firewalls and would like to know what is the best practice for creating an external IP address and port into my network and then redirecting that to a specific machine. I am thinking of using a global IP address and then only allowing this type of traffic to talk to the specific destination and on that specific port. Is this the correct course of action? Or is there a better or more efficient way of allowing this process using ASDM?

Troy

Message was edited by: Troy Currence

5 REPLIES
Super Bronze

Best practice for Global Address?

Hi,

Basically when you are attempting to allow traffic from the external public network to some of your servers/hosts you will either use Static NAT or Static PAT

Static NAT is when you bind a single public IP address to be used by only one internal host. This is usually the preferred option if you can spare a single public IP address for your server, meaning you probably have a small public subnet from your ISP.

Static PAT is when you only allocate certain ports on your public IP address and map them to a local port on the host. This is usually the option when you only have a single public IP address that is configured on your ASA's external interface. Or perhaps in a situation when you just want to conserve your public IP addresses even though you might have a few of them.

In Static NAT case you configure the Static NAT and use the interface ACL to allow the services you require.

In Static PAT you only create a translation for a specific port/service so only connections to that port are possible. Naturally you will also have to allow those services/ports in the interface ACL just like with Static NAT.

Again if you can spare the public IP addresses then I would go with Static NAT or if you only have a single or few IP addresses you can consider Static PAT (Port Forward) also.

I don't personally use ASDM for configurations but can help you with the required CLI format configurations. These can actually be done through ASDM also from the Tools -> Command Line Interface menus at the top.

Hope this helps

- Jouni

Re: Best practice for Global Address?

Hi,

It depends on which IOS you're running. What's your 'show version'?

Sent from Cisco Technical Support iPad App

Community Member

Best practice for Global Address?

Thanks for the information Jouni and John. You can tell I am a newbie...

My version is 8.0(3) PIX and ASDM is 6.1 (5)

Super Bronze

Best practice for Global Address?

Hi,

How many public IP addresses do you have at your disposal? Do you only have the one configured on the external interface of the firewall or do you have a small subnet?

If you only have the public IP address configured on the external interface, then you probably need to use Static PAT

Its basic configuration format is

static (inside,outside) tcp interface <public port> <local IP address> <local port> netmask 255.255.255.255

This would have to be done for each port you need forwarded with Static PAT. The above example is for "tcp", it might as well be "udp"

The above example has the interfaces "inside" and "outside" as they are the most typical ones used. If the interfaces are named differently in your case then you would need to enter the internal interface's name instead of "inside" and the external interface's name instead of "outside".

Naturally if you can provide the requirements on what you need to configure then it will be easier to help you.

You can for example get the complete firewall configuration by doing the following

  • Go to the ASDM
  • Go to the Tools menu
  • Go to Command Line Interface
  • Enter the command "show run" and send the command to the device. This should provide the current configuration in the ASDM window where you entered the above command.

Naturally don't share any public IP address information in the actual post or any other sensitive information.

- Jouni
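
The Static NAT and Static PAT options described in the replies above, each paired with a port-scoped interface ACL, as an added example that is not part of the original posts. It assumes pre-8.3 PIX/ASA syntax (the poster runs 8.0(3)); the ACL name OUTSIDE-IN, the service TCP/443 and all addresses (documentation and private ranges) are constructed for illustration.

```cisco
! Constructed values (assumptions, not from the thread):
!   192.0.2.10   spare public IP used for the Static NAT case
!   10.0.0.10    internal server; TCP/443 is the only service to publish
!   OUTSIDE-IN   name of the ACL applied inbound on the outside interface

! --- Option A: Static NAT (one public IP dedicated to the server) ---
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255

! Too broad: every port on the server becomes reachable from outside.
!   access-list OUTSIDE-IN extended permit ip any host 192.0.2.10
! Scoped: only the published service is allowed. Before 8.3 the ACL
! references the public (mapped) address, not the server's real address.
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443

! --- Option B: Static PAT (only the outside interface IP is available) ---
! Alternative to Option A; do not configure both for the same server.
static (inside,outside) tcp interface 443 10.0.0.10 443 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any interface outside eq 443

! --- Both options: apply the ACL inbound on the outside interface ---
! Only one inbound ACL can be bound per interface. If one is already
! bound, add the permit line to that ACL instead of binding a new one.
! Anything not explicitly permitted is dropped by the implicit deny.
access-group OUTSIDE-IN in interface outside

! --- Verification (privileged EXEC mode, not configuration mode) ---
! Confirm the translation exists:
show xlate
! Confirm the permit line is present and watch its hit count:
show access-list OUTSIDE-IN
! Simulate an inbound connection from a constructed client address
! (Option A shown; for Option B use the outside interface IP as destination):
packet-tracer input outside tcp 198.51.100.5 40000 192.0.2.10 443
! A second trace to a port that was not published should end in a drop:
packet-tracer input outside tcp 198.51.100.5 40000 192.0.2.10 3389
```
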

Re: Best practice for Global Address?

hi,

if you're not comfy with CLI, you can navigate in ASDM: Configuration > NAT Rules > Add Static NAT Rules

choose the appropriate ingress and egress interface from the drop-down list and input the local and global IP addresses. click apply and send when finished.
