Cisco Support Community
New Member

NAT outside to inside and inside to outside (in 8.4(2) version)

Thanks a lot, and I attached a diagram here.

Requirement:

Need to pass through traffic from outside to inside and inside to outside.

I also attached a diagram with the IPs.

And also tell me one thing: is NATting only for private to public or public to private?

Navaz
  • Firewalling
17 REPLIES
Cisco Employee

Hi,

I think I replied on your post earlier as well.

As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).

For bidirectional traffic, you always need static NAT.

When you want unidirectional traffic, you can use dynamic NAT/PAT.

For the inside to outside traffic, you can use this NAT:

object network LAN
 subnet 0 0
 nat (inside,outside) dynamic interface

For outside to inside traffic, you would only want access for certain servers, just like internally hosted web servers.

For this, you can either use static PAT/NAT:

object network host
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389

access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
access-group outside_inside in interface outside

This will enable you to get RDP access to your PC from the internet.

Is this what you want ?

Thanks and Regards,

Vibhor Amrodia

New Member

Thanks Vibhor

Attached updated diagram.

1. In this diagram, the DMZ server with IP 10.1.1.103/24 is the proxy server for internet access for the LAN users, and I need only HTTPS or HTTP traffic allowed from the DMZ server.

2. For Outlook for the LAN users, I need to allow only Microsoft Outlook traffic from inside to outside.

And the ASA version is 8.2(5).

These two are the requirements.

Thanks

Navaz
Cisco Employee

Hi,

As per your requirements:

1) You can restrict the traffic using the interface ACLs and only allow port 80 and 443 traffic through the ASA device. This you can apply on the DMZ interface.

2) For this, I think you might need to port forward ports 443 and 25 from the public IP to the Microsoft server, or you can also apply a one-to-one NAT on the ASA device and allow the ACL on the outside interface.

Let me know if you have any other queries.

Thanks and Regards,

Vibhor Amrodia

New Member

Please define the configuration of these two points.

Thanks

Navaz
Cisco Employee

Hi,

1) access-list DMZ-To-outside permit tcp any any eq 80
access-list DMZ-To-outside permit tcp any any eq 443
access-list DMZ-To-outside deny ip any any

2) object network Outlook
 host <Private IP>
 nat (inside,outside) static interface service tcp 25 25

object network Outlook-Https
 host <Private IP>
 nat (inside,outside) static interface service tcp 443 443

Thanks and Regards,

Vibhor Amrodia
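
As an added illustration, not from this thread and not Cisco's code: a small Python audit that takes the 8.3+ object-NAT style config from the replies above, lists every service a static NAT exposes from outside, and checks that an applied inbound ACL on the mapped interface actually permits it (the thread's Outlook objects get NAT lines but no matching ACL entry, which is exactly what this catches). The sample config and the simplified regexes are my own constructions, and the post-8.3 rule that ACLs reference the real (untranslated) IP and port is assumed.

```python
import re

# Constructed sample in the 8.3+ object-NAT style used in this thread; not a real device's config.
SAMPLE_CONFIG = """
object network host
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389
object network Outlook
 host 172.16.20.42
 nat (inside,outside) static interface service tcp 25 25
object network Outlook-Https
 host 172.16.20.42
 nat (inside,outside) static interface service tcp 443 443
access-list outside_inside extended permit tcp any host 10.10.10.10 eq 3389
access-list outside_inside extended permit tcp any host 172.16.20.42 eq 443
access-group outside_inside in interface outside
"""
# Simplified patterns: only the host / static interface / service form shown in the replies.
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static interface service (tcp|udp) (\d+) (\d+)")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\d+)")
AG_RE = re.compile(r"access-group (\S+) in interface (\w+)")

def parse_exposures(config):
    """Return [(real_ip, proto, real_port, mapped_interface)] for each static object NAT."""
    exposures, cur_host = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            cur_host = None                      # new object: forget the previous host
        elif line.startswith("host "):
            cur_host = line.split()[1]
        else:
            m = NAT_RE.match(line)
            if m and cur_host:                   # service <proto> <real_port> <mapped_port>
                exposures.append((cur_host, m.group(3), m.group(4), m.group(2)))
    return exposures

def audit(config):
    """Map each exposed (ip, proto, port) to a verdict on the inbound ACL of its mapped interface.
    Post-8.3 semantics assumed: the ACL names the real (untranslated) IP and port."""
    applied = {m.group(2): m.group(1) for m in AG_RE.finditer(config)}   # interface -> ACL name
    permits = {m.groups() for m in ACL_RE.finditer(config)}              # (acl, proto, ip, port)
    report = {}
    for ip, proto, port, iface in parse_exposures(config):
        acl = applied.get(iface)
        if acl is None:
            report[(ip, proto, port)] = "no access-group on " + iface
        elif (acl, proto, ip, port) in permits:
            report[(ip, proto, port)] = "permitted by " + acl
        else:
            report[(ip, proto, port)] = "not permitted by " + acl
    return report
```

Run `audit(SAMPLE_CONFIG)` and the TCP/25 exposure of 172.16.20.42 is reported as not permitted, because the NAT was added without a matching entry in the outside ACL.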

 

New Member

It gives this error:

ACTIVE(config)# host 172.16.20.42
ERROR: Invalid hostname: '172.16.20.42'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.

ACTIVE(config)#

Navaz
Cisco Employee

Hi,

You don't have to exit out of the object sub-configuration.

ACTIVE(config-obj)# host 172.16.20.42
ACTIVE(config-obj)# nat (inside,outside) static interface service tcp 443 443

Thanks and Regards,

Vibhor Amrodia

New Member

Now I got this error:

ACTIVE(config)# object network Outlook
ACTIVE(config-network)# host 172.16.20.42
ERROR: Invalid hostname: '172.16.20.42'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
ACTIVE(config)#

Navaz
Cisco Employee

Hi,

Which version are you using on the ASA device?

This should look like this:

ciscoasa(config)# object network outlook
ciscoasa(config-network-object)# host 172.16.20.42
ciscoasa(config-network-object)#

Thanks and Regards,

Vibhor Amrodia
