10-30-2014 05:53 AM - edited 03-11-2019 10:00 PM
Hi.
I have an issue regarding ASA 9.1 NAT. I have 3 networks on 3 dedicated interfaces. I want to give internet access via the WAN interface only on ports 80 and 443 for those 3 networks. I also want to access some services (443, DNS, GRE, etc.) on specific machines (10.10.10.5, 10.10.11.3) on my A network and B network from the Internet via my WAN IP. How can I make rules based on these requirements?
interface GigabitEthernet0/0.571
WAN
vlan 571
security-level 10
ip address XX.XX.XX.XX
!
interface GigabitEthernet0/1
A NETWORK
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
B NETWORK
security-level 50
ip address 192.168.0.1 255.255.0.0
!
interface GigabitEthernet0/3
C NETWORK
security-level 50
ip address 10.10.11.1 255.255.255.0
!
10-30-2014 07:58 PM
Hi,
For the requirement of allowing outbound access for these networks to the internet on ports 80 and 443, you can apply three interface NAT statements and allow only port 80 and 443 traffic through the ASA device using the access rule on the inside interface for the outbound traffic.
For example:
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (A NETWORK,WAN) dynamic interface
access-list Anetwrok-WAN permit tcp any any eq 443
access-list Anetwrok-WAN permit tcp any any eq 80 [NOTE: You might also want to allow DNS through, as that would be required for internet access]
access-group Anetwrok-WAN in interface A Network
Do the same for the other 2 networks.
For the access from the WAN to the internal hosts, you can use static PAT for this purpose.
Something like this:
object network obj-10.10.10.5
host 10.10.10.5
nat (Anetwork,WAN) static interface service tcp 443 443
Check this for more information:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Thanks and Regards,
Vibhor Amrodia
10-31-2014 02:06 AM
Hi.
The NAT line can only handle 1 port. But I want to open around 10 ports for one host. Is there a better way to do this than your example below?
For the access from the WAN to the internal hosts, you can use static PAT for this purpose.
Something like this:
object network obj-10.10.10.5
host 10.10.10.5
nat (Anetwork,WAN) static interface service tcp 443 443
Check this for more information:
10-31-2014 02:15 AM
Hi,
If you have a separate public IP available, then you can use a static NAT; otherwise, you would have to use multiple static PAT statements for multiple ports on the ASA device.
Thanks and Regards,
Vibhor Amrodia
10-31-2014 02:55 AM
Hi Vibhor,
Thanks for the quick response. I only have 1 public address. Can you show me an example for if I want to PAT 443, 80, 123, 53, GRE, 389, 8080, 4045, 4302, 4222 for client 10.10.10.11 from the WAN --> C-NETWORK?
Is this the best way to do it?
object network obj-10.10.10.11
host 10.10.10.11
nat (Anetwork,WAN) static interface service tcp 443 443
object network obj-10.10.10.11
host 10.10.10.11
nat (Anetwork,WAN) static interface service tcp 389 389
object network obj-10.10.10.11
host 10.10.10.11
nat (Anetwork,WAN) static interface service tcp 4302 4302
etc..
etc..
10-31-2014 09:42 PM
Hi,
In case you have a single IP address for NAT, this would be the only way of configuring it on the ASA device.
Thanks and Regards,
Vibhor Amrodia
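The per-port static PAT that the replies describe, written out as an added example that is not configuration from the thread or from Cisco: it assumes the interface names A-NETWORK and WAN and the host 10.10.10.11, and gives every port its own network object, because a network object holds only one nat statement and re-entering the same object name for each port keeps only the last one.

```text
! Added example (not from the thread): static PAT for several TCP/UDP ports
! to one inside host, sharing the single public IP of the WAN interface.
! Interface names A-NETWORK and WAN and the host 10.10.10.11 are assumed.
! One object per port: an object can carry only one nat statement.
object network obj-10.10.10.11-tcp443
 host 10.10.10.11
 nat (A-NETWORK,WAN) static interface service tcp 443 443
object network obj-10.10.10.11-tcp80
 host 10.10.10.11
 nat (A-NETWORK,WAN) static interface service tcp 80 80
object network obj-10.10.10.11-udp53
 host 10.10.10.11
 nat (A-NETWORK,WAN) static interface service udp 53 53
object network obj-10.10.10.11-udp123
 host 10.10.10.11
 nat (A-NETWORK,WAN) static interface service udp 123 123
object network obj-10.10.10.11-tcp389
 host 10.10.10.11
 nat (A-NETWORK,WAN) static interface service tcp 389 389
! ... one object of the same form for each remaining port (8080, 4045, 4302, 4222).
!
! NAT only translates; the inbound access rule on WAN still has to permit the
! traffic, and since ASA 8.3 that rule references the real (inside) address.
! Keep the permitted services explicit instead of "permit ip any host ...".
object-group service SVC-10.10.10.11-in
 service-object tcp destination eq 443
 service-object tcp destination eq 80
 service-object udp destination eq 53
 service-object udp destination eq 123
 service-object tcp destination eq 389
access-list WAN-in extended permit object-group SVC-10.10.10.11-in any host 10.10.10.11
access-group WAN-in in interface WAN
```

GRE carries no port number, so it cannot be forwarded with a per-port static PAT on the shared address; it needs the one-to-one static NAT on a separate public IP mentioned above.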