Nat Doubt - ASA 8.4

Thiago Cella
Level 1

Hi,

I have an ASA 8.4 with this scenario:

My Video conference LAN- IP  192.168.1.10 /24  -------- My wan 1.1.1.1 /29

Suppose that I have to configure the IP 192.168.1.10 to use the IP 1.1.1.2 /29 so that the external world can access my video conference. How can I create a NAT using the following ports?

object-group service VIDEO_CONF_PORTS

  service-object tcp destination range ftp telnet

  service-object tcp destination range 1718 1719

  service-object tcp destination eq sip

  service-object tcp destination eq h323

  service-object udp destination range 2326 2485

  service-object tcp destination range 1718 h323

  service-object tcp destination eq www

Tks


Julio Carvajal
VIP Alumni

Hello Thiago,

So you want the outside users to access 1.1.1.2 and be redirected to 192.168.1.10 on those particular ports right?

So the nat statement would be like this:

object network Video_Lan
 host 192.168.1.10

object network Outside_Ip
 host 1.1.1.2

object service Ports_Open
 service-object tcp source range ftp telnet
 service-object tcp source range 1718 1719
 service-object tcp source eq sip
 service-object tcp source eq h323
 service-object udp source range 2326 2485
 service-object tcp source range 1718 h323
 service-object tcp source eq www

nat (inside,outside) source static Video_Lan Outside_Ip service Ports_Open Ports_Open

Remember that you also need the ACL on the outside interface pointing to the real IP addresses, not to the NATed IP addresses; in this case, pointing to 192.168.1.10 on those particular ports you wrote down.

Your question was not clear enough, and I have answered based on what I understood; please let me know if this is what you are looking for, and if not, please be more specific.

By the way, here is one link that will help you when you are setting up NAT statements on 8.3 or prior:

https://supportforums.cisco.com/docs/DOC-9129

Please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Tks jcarvaja,

Yes, you understood what I need, but when I insert the following command the ASA says this:

asa(config)# object service test

asa(config-service-object)# ser

asa(config-service-object)# service-

asaf(config-service-object)# service-?

configure mode commands/options:

  service-policy

Inside the object service there isn't the command service-object, just service. If I insert these commands:

service tcp source range ftp telnet
 service tcp source range ftp telnet
 service tcp source range 1718 1719
 service tcp source eq sip
 service tcp source eq h323
 service udp source range 2326 2485
 service tcp source range 1718 h323
 service tcp source eq www

the ASA always keeps just the last command:

asa# show running-config object

object service test

service tcp source eq www

Hello Thiago

Great to hear that I have understood your request. Now you will need to create an object service for each port you need to translate.

For example:

Let's discuss the port range from ftp to telnet:

object service Test1
 service tcp source range ftp telnet

Now let's create the http service object:

object service HTTP_80
 service tcp source eq 80

You will need to do the same thing for all the ports on which you need to allow inbound connections.

Now the NAT statements:

nat (inside,outside) source static Video_Lan Outside_Ip service Test1 Test1

nat (inside,outside) source static Video_Lan Outside_Ip service HTTP_80 HTTP_80

Note: you can create an object-group service with all the ports you need for the ACL (port-object entries require the protocol on the object-group line):

object-group service All_the_ports_in tcp
 port-object eq ftp
 port-object eq http

and keep going....

Then just add the ACL (referencing the real object, not the translated address):

access-list outside_in extended permit tcp any object Video_Lan object-group All_the_ports_in

Please rate helpful posts...

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, it worked!

But is there no way to apply all the ports in one NAT?

Tks

Hello Thiago,

I am glad it worked. I have tried on my lab and the result was unsuccessful (it did not allow me to use an object-group service in the nat), so you will need to do it one by one.

Regards,

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok

TkS!

Hi jcarvaja,

Can you advise why there is a "source" keyword defined in the object service?

service tcp source range ftp telnet

I'm confused about the difference between "source" and "destination".

Thanks a lot!
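An added example, not code from the thread or from Cisco, that generates the per-port configuration the accepted answer and the later "one by one" reply describe, plus the inbound ACL against the real object: one object service and one nat line per port or range, since an object service holds a single service line. The object names, the VIDEO_CONF_IN group name and the choice to drop the overlapping "1718 h323" range are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Svc:
    """One port or port range; ports may be numbers or ASA keywords (ftp, www)."""
    proto: str                 # "tcp" or "udp"
    lo: str                    # single port, or first port of a range
    hi: Optional[str] = None   # last port of a range; None means "eq lo"

    def spec(self) -> str:
        return f"range {self.lo} {self.hi}" if self.hi else f"eq {self.lo}"

    def name(self) -> str:
        tail = f"{self.lo}_{self.hi}" if self.hi else self.lo
        return f"{self.proto.upper()}_{tail}"

# Constructed from the ports in the question; "range 1718 h323" is dropped because
# it overlaps "range 1718 1719" and "eq h323" and would only add a redundant NAT.
VIDEO_PORTS = [
    Svc("tcp", "ftp", "telnet"), Svc("tcp", "1718", "1719"), Svc("tcp", "sip"),
    Svc("tcp", "h323"), Svc("udp", "2326", "2485"), Svc("tcp", "www"),
]

def nat_config(real: str, mapped: str, svcs: List[Svc]) -> List[str]:
    """One 'object service' plus one twice-NAT line per port/range: an object
    service holds a single 'service' line (a second replaces the first, which
    is why 'show run object' kept only www) and the nat line takes one object.
    Ports are 'source' ports because the real host is the source of the flow."""
    lines: List[str] = []
    for s in svcs:
        lines += [f"object service {s.name()}",
                  f" service {s.proto} source {s.spec()}"]
    for s in svcs:
        lines.append(f"nat (inside,outside) source static {real} {mapped} "
                     f"service {s.name()} {s.name()}")
    return lines

def acl_config(real_obj: str, svcs: List[Svc]) -> List[str]:
    """Inbound ACL for 8.3+: matches the real (untranslated) object, not 1.1.1.2.
    A service object-group with service-object entries can mix tcp and udp."""
    lines = ["object-group service VIDEO_CONF_IN"]
    lines += [f" service-object {s.proto} destination {s.spec()}" for s in svcs]
    lines += [f"access-list outside_in extended permit object-group VIDEO_CONF_IN "
              f"any object {real_obj}",
              "access-group outside_in in interface outside"]
    return lines
```

Print `"\n".join(nat_config("Video_Lan", "Outside_Ip", VIDEO_PORTS) + acl_config("Video_Lan", VIDEO_PORTS))` to get a paste-ready configuration; the object network definitions for Video_Lan and Outside_Ip from the first reply are still required.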
