
New Member

Cisco ASA 9.1 NAT

Hi.

I have an issue regarding ASA 9.1 NAT. I have 3 networks on 3 dedicated interfaces. I want to give internet access via the WAN interface only on ports 80 and 443 for those 3 networks. I also want to access some services (443, DNS, GRE, etc.) on specific machines (10.10.10.5, 10.10.11.3) on my A network and B network from the Internet via my WAN IP. How can I make rules based on these requirements?

interface GigabitEthernet0/0.571
 WAN
 vlan 571
 security-level 10
 ip address XX.XX.XX.XX
!
interface GigabitEthernet0/1
 A NETWORK
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 B NETWORK
 security-level 50
 ip address 192.168.0.1 255.255.0.0
!
interface GigabitEthernet0/3
 C NETWORK
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!

5 REPLIES
Cisco Employee

Hi,

For the requirement of allowing outbound access for these networks to the Internet on ports 80 and 443, you can apply three interface NAT statements and allow only port 80 and 443 traffic through the ASA device using an access rule on each inside interface for the outbound traffic.

For Ex:-

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (A NETWORK,WAN) dynamic interface

access-list Anetwork-WAN permit tcp any any eq 443
access-list Anetwork-WAN permit tcp any any eq 80
[NOTE:- You might also want to allow DNS through, as that would be required for internet access]
access-group Anetwork-WAN in interface A Network

Do the same for the other 2 Networks.

For the access from the WAN to the internal hosts, you can use Static PAT for this purpose.

Something like this:-

object network obj-10.10.10.5
 host 10.10.10.5
 nat (Anetwork,WAN) static interface service tcp 443 443

Check this for more information:-

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Thanks and Regards,

Vibhor Amrodia

New Member

Hi.

The NAT line can only handle 1 port. But I want to open around 10 ports for one host. Is there a better way to do it than your example below?

For the access from the WAN to the internal hosts, you can use Static PAT for this purpose.

Something like this:-

object network obj-10.10.10.5
 host 10.10.10.5
 nat (Anetwork,WAN) static interface service tcp 443 443

Check this for more information:-

Cisco Employee

Hi,

If you have a separate public IP available, then you can use a static NAT; otherwise, you would have to use multiple Static PAT statements for the multiple ports on the ASA device.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi Vibhor,

Thanks for the quick response. I only have 1 public address. Can you show me an example for when I want to PAT 443, 80, 123, 53, GRE, 389, 8080, 4045, 4302, 4222 for client 10.10.10.11 from the WAN --> C NETWORK?

Is this the best way to do it?

object network obj-10.10.10.11
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 443 443

object network obj-10.10.10.11
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 389 389

object network obj-10.10.10.11
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 4302 4302

etc..

Cisco Employee

Hi,

If you have a single IP address for NAT, this is the only way of configuring it on the ASA device.

Thanks and Regards,

Vibhor Amrodia
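The per-port static PAT approach the thread settles on, as an added example that is not from the thread or from Cisco. The script generates the ASA 8.3+/9.x object NAT and inbound ACL lines for the port list above; it uses one network object per (protocol, port) pair, because object NAT holds only one nat statement per object, so re-entering the same object with a new nat line replaces the earlier port rather than adding to it. It also flags GRE, which has no port and so cannot be forwarded by interface PAT. The nameifs Anetwork and WAN and the ACL name WAN-in are assumptions.

```python
"""Generate ASA 8.3+/9.x object NAT (static PAT) config for one inside host
that shares the single public IP of the outside interface.

Assumed names (not from the thread): nameifs "Anetwork" and "WAN" and an
inbound ACL called "WAN-in". The ports are the ones the thread lists."""

# Service list from the thread with transport protocols filled in:
# 123 (NTP) and 53 (DNS) are UDP; GRE is IP protocol 47 and has no port.
SERVICES = [("tcp", 443), ("tcp", 80), ("udp", 123), ("udp", 53), ("gre", None),
            ("tcp", 389), ("tcp", 8080), ("tcp", 4045), ("tcp", 4302), ("tcp", 4222)]


def static_pat_config(host, inside_if, outside_if, services, acl="WAN-in"):
    """Return (config_lines, unsupported_protocols).

    One object per (protocol, port): object NAT allows exactly one nat
    statement per network object. In 'service tcp 443 443' the first port
    is the real port, the second the mapped port on the outside interface;
    if ASDM or WebVPN already listens on 443 on that interface, map the
    service to a different outside port instead of colliding with it.
    """
    nat_lines, acl_lines, unsupported, seen = [], [], [], set()
    for proto, port in services:
        if port is None:
            # No port to translate: GRE (and other port-less protocols)
            # need a dedicated public IP and a 1:1 static NAT instead.
            unsupported.append(proto)
            continue
        if (proto, port) in seen:
            continue  # duplicate entry in the input list, skip it
        seen.add((proto, port))
        obj = f"obj-{host}-{proto}-{port}"
        nat_lines += [
            f"object network {obj}",
            f" host {host}",
            f" nat ({inside_if},{outside_if}) static interface service {proto} {port} {port}",
        ]
        # Since 8.3 the ACL on the outside interface matches the real
        # (untranslated) address, so it names the inside host directly.
        acl_lines.append(
            f"access-list {acl} extended permit {proto} any host {host} eq {port}")
    acl_lines.append(f"access-group {acl} in interface {outside_if}")
    return nat_lines + acl_lines, unsupported


if __name__ == "__main__":
    cfg, skipped = static_pat_config("10.10.10.11", "Anetwork", "WAN", SERVICES)
    print("\n".join(cfg))
    if skipped:
        print(f"! {', '.join(skipped)}: no port, needs its own public IP")
```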