Cisco ASA 9.1 NAT

Roger Base
Level 1

Hi.

I have an issue regarding ASA 9.1 NAT. I have 3 networks on 3 dedicated interfaces. I want to give internet access via the WAN interface only on ports 80 and 443 for those 3 networks. I also want to access some services (443, DNS, GRE etc.) on specific machines (10.10.10.5, 10.10.11.3) on my A network and B network from the Internet via my WAN IP. How can I make rules based on these requirements?

interface GigabitEthernet0/0.571
 WAN
 vlan 571
 security-level 10
 ip address XX.XX.XX.XX
!
interface GigabitEthernet0/1
 A NETWORK
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 B NETWORK
 security-level 50
 ip address 192.168.0.1 255.255.0.0
!
interface GigabitEthernet0/3
 C NETWORK
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
5 Replies

Vibhor Amrodia
Cisco Employee

Hi,

For the requirement of allowing outbound access for these networks to the internet on ports 80 and 443, you can apply three interface NAT statements and allow only port 80 and 443 traffic through the ASA device using an access rule on the inside interface for the outbound traffic.

For example:

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (Anetwork,WAN) dynamic interface

access-list Anetwork-WAN permit tcp any any eq 443
access-list Anetwork-WAN permit tcp any any eq 80
access-group Anetwork-WAN in interface Anetwork

NOTE: You might also want to allow DNS through, as that would be required for internet access.

Do the same for the other 2 networks.

For the access from the WAN to the internal hosts, you can use Static PAT for this purpose.

Something like this:

object network obj-10.10.10.5
 host 10.10.10.5
 nat (Anetwork,WAN) static interface service tcp 443 443

Check this for more information:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Thanks and Regards,

Vibhor Amrodia

Hi.

The NAT line can only handle 1 port, but I want to open around 10 ports for one host. Is there a better way to do it than your example below?

For the access from the WAN to the internal hosts, you can use Static PAT for this purpose.

Something like this:

object network obj-10.10.10.5
 host 10.10.10.5
 nat (Anetwork,WAN) static interface service tcp 443 443

Check this for more information:

Hi,

If you have a separate public IP available, then you can use a static NAT; otherwise, you would have to use multiple Static PAT statements for multiple ports on the ASA device.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thanks for the quick response. I only have 1 public address. Can you show me an example of how to PAT 443,80,123,53,GRE,389,8080,4045,4302,4222 for client 10.10.10.11 from the WAN --> C NETWORK?

Is this the best way to do it?

object network obj-10.10.10.11-443
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 443 443

object network obj-10.10.10.11-389
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 389 389

object network obj-10.10.10.11-4302
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 4302 4302

etc..

Hi,

In case you have a single IP address for NAT, this would be the only way of configuring it on the ASA device.

Thanks and Regards,

Vibhor Amrodia
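A consolidated ASA 9.1 configuration covering the whole thread (outbound PAT limited to 80/443 plus DNS, and per-port static PAT inbound to one host on a single public IP), added here as an illustration and not taken from the replies above or from Cisco documentation. It assumes the interface nameifs are Anetwork, Bnetwork, Cnetwork and WAN, that 10.10.10.11 sits on the A network (it falls inside 10.10.10.0/24), and that ACL names such as WAN-in are placeholders. It goes beyond the replies by adding the inbound WAN access-list, without which the ASA drops the forwarded traffic, and by noting why GRE cannot be port-forwarded this way.

```cisco
! --- Outbound: PAT each internal network behind the WAN interface address ---
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (Anetwork,WAN) dynamic interface
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
 nat (Bnetwork,WAN) dynamic interface
object network obj-10.10.11.0
 subnet 10.10.11.0 255.255.255.0
 nat (Cnetwork,WAN) dynamic interface
!
! --- Outbound filter for the A network: HTTP, HTTPS and DNS only; the implicit deny drops the rest ---
access-list Anetwork-WAN extended permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list Anetwork-WAN extended permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-list Anetwork-WAN extended permit udp 10.10.10.0 255.255.255.0 any eq 53
access-group Anetwork-WAN in interface Anetwork
! (build Bnetwork-WAN and Cnetwork-WAN the same way with their own subnets)
!
! --- Inbound: one static PAT per TCP/UDP port for 10.10.10.11 ---
! A network object holds a single nat line, so each port needs its own object name;
! re-entering one name (obj-10.10.10.11) with a new nat line replaces the previous entry.
object network obj-10.10.10.11-tcp443
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 443 443
object network obj-10.10.10.11-tcp80
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 80 80
object network obj-10.10.10.11-udp53
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service udp 53 53
object network obj-10.10.10.11-udp123
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service udp 123 123
object network obj-10.10.10.11-tcp389
 host 10.10.10.11
 nat (Anetwork,WAN) static interface service tcp 389 389
! (repeat the three-line pattern for tcp 8080, 4045, 4302 and 4222)
! GRE (IP protocol 47) has no port, so the "service" form of static PAT cannot carry it on a
! shared address; it needs a dedicated public IP with a one-to-one static NAT instead.
!
! --- WAN inbound filter: lower-to-higher security traffic passes only via an ACL, and since
! ASA 8.3 the interface ACL matches the real (untranslated) address, not the WAN IP ---
access-list WAN-in extended permit tcp any host 10.10.10.11 eq 443
access-list WAN-in extended permit tcp any host 10.10.10.11 eq 80
access-list WAN-in extended permit udp any host 10.10.10.11 eq 53
access-list WAN-in extended permit udp any host 10.10.10.11 eq 123
access-list WAN-in extended permit tcp any host 10.10.10.11 eq 389
access-group WAN-in in interface WAN
```

After applying it, "show nat detail" and "packet-tracer input WAN tcp 203.0.113.1 12345 <WAN-IP> 443" (203.0.113.1 is a documentation address used as a sample source) confirm that each translation and ACL entry is hit as intended.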