Cisco Support Community

New Member

multiple inside hosts to a single external ip

Hello,

We have a new time clock service and have a few users that need to be able to remotely clock in to this service. The site's security system needs to be able to see a publicly accessible IP, but I have limited public IPs left and I won't be able to NAT them all 1-to-1, so is there a way to make this happen on the ASA, having multiple internal hosts NATed or mapped to a single external IP? Any ideas or pointers would be great.

 

thanks,

Carlo

ACCEPTED SOLUTION

VIP Green

You could do something like the following:

object service PORT
 service udp destination eq ntp


object-group network SERVERS
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
 network-object host 1.1.1.5

nat (inside,outside) source static SERVERS interface service PORT PORT

--

Please remember to select a correct answer and rate
7 REPLIES
Cisco Employee

Hello Carlo,

This sounds like you need port forwarding. If your clock works with port 123/UDP, you can create a NAT rule to NAT that port to a public IP even if that IP has already been used in another static translation (this applies to 1-to-1 translations).

As you know, this is going to overlap; however, it's possible, and the firewall can map that single port from the public IP to the private IP of the server.

This document has examples of NAT on code pre-8.3 and post-8.3:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

This is an example of how the configuration will look on code 8.2:

static (inside,outside) A.A.A.A X.X.X.X netmask 255.255.255.255

static (inside,outside) udp A.A.A.A 123 B.B.B.B 123 netmask 255.255.255.255

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html

Hope you find this information helpful.

New Member

I don't know what the port is. We log in through the web, and it looks like the site controls the access, because when I logged in from an internal IP that's not NATed to an outside one it failed to log in.

New Member

Hi Jose, do you have any sample code or docs for v9.1? It looks like the site is on port 80 but then goes to HTTPS for the login to the time clock system. I need to get a few clients to be able to NAT to a single IP externally so they can clock in to this site. Any pointers would be great.

New Member

Yes, you can NAT all of the users behind a single IP or even use the interface IP of the egress interface. What version of code are you running on your ASA? The newer versions of code allow you to use a pool, which doesn't require each host to have a unique external IP.
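As an added example, not from the original thread or any of its posters: this is how the outbound many-to-one translation Carlo asks for looks in ASA 9.1 manual (twice) NAT, the "single IP or interface IP" case described in the reply above. It is the opposite direction from the accepted solution, whose static rule forwards inbound UDP/123 arriving on the interface IP to the listed servers. The inside host addresses, the spare public IP 203.0.113.10 and the time clock address 198.51.100.20 are assumed placeholders; lines starting with ! are comments.

```cisco
! Inside hosts that need to reach the time clock from one fixed public address (assumed).
object-group network TIMECLOCK_USERS
 network-object host 10.1.1.21
 network-object host 10.1.1.22
 network-object host 10.1.1.23

! The single spare public IP the time clock vendor will allow-list (assumed value).
object network TIMECLOCK_PUBLIC
 host 203.0.113.10

! The time clock service itself (assumed value), used only to scope the rule.
object network TIMECLOCK_SITE
 host 198.51.100.20

! Manual NAT, section 1, line 1: dynamic PAT of only these hosts, only toward the
! time clock, onto the one public IP. A single-host mapped object means PAT, so the
! hosts share 203.0.113.10 with different source ports. "destination static X X" is
! identity NAT for the destination: a match condition, not a translation.
nat (inside,outside) 1 source dynamic TIMECLOCK_USERS TIMECLOCK_PUBLIC destination static TIMECLOCK_SITE TIMECLOCK_SITE

! Variant with no spare address: PAT the same hosts onto the outside interface IP.
! nat (inside,outside) 1 source dynamic TIMECLOCK_USERS interface destination static TIMECLOCK_SITE TIMECLOCK_SITE

! Verify which NAT line a flow actually hits before telling the vendor which IP to allow-list.
show nat detail
packet-tracer input inside tcp 10.1.1.21 40000 198.51.100.20 443
```

Section 1 manual NAT is evaluated top down, so this rule is given line 1 to make sure it sits above any broader rule such as a general "source dynamic any interface"; otherwise the broader rule wins and the users still leave from the usual PAT address. Scoping the rule to the time clock destination keeps the allow-listed public IP from being used by anything else leaving the network, and packet-tracer prints the exact NAT rule and mapped address a test flow matches, which is the check to run before handing the IP to the vendor.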

New Member

Thanks for the reply. I'm on v9.1.

New Member

Thanks for the reply, Marius. Somehow I think the time clock site's admins may have done something, because it works now for anyone inside our network without me doing anything on the ASA. I'll keep the code handy for future needs. Thanks again.
