New Member

NAT / PAT - ASA 8.2

Hi

I have problems figuring out how to make a simple port translation/forwarding on an ASA 5505 firewall running 8.2.

The firewall has several inside networks and an outside IP which it source-NATs traffic through.

The goal is that when ANY outside IP tries to reach the firewall's outside IP, let's say 123.123.123.1, on port 10000 for example, then it should be forwarded to an inside IP address, let's say 10.10.10.2, port 80.

How is this done in the ASDM GUI? How is it done on the CLI?

Should be simple, but I just can't figure it out.

Simon


Accepted Solutions
VIP Purple

Re: NAT / PAT - ASA 8.2

You can find this in the config guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html#wp1071777

First you just need a static command:

static (inside,outside) tcp 123.123.123.123 10000 10.10.10.2 80 netmask 255.255.255.255

And of course the traffic has to be allowed by the interface ACL.

It could also be configured in ASDM, which is a little bit harder to explain. The ASDM guide is here:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html

Or you configure it on the CLI and later look at the ASDM for the results.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

6 REPLIES
New Member

NAT / PAT - ASA 8.2

In your static statement the "inside" is referring to the "external" interface and vice versa, right?

VIP Purple

NAT / PAT - ASA 8.2

"inside" is the interface where your internal server 10.10.10.2 is located. "outside" is the interface where you connect to the internet.


New Member

NAT / PAT - ASA 8.2

I'm sorry. Of course it's the internal (real_interface). The GUI isn't very helpful; I had to try several, in my eyes, wrong configurations to get the correct result CLI-wise.

Anyway it is still not working.

I gave any outside connection permit to the outside IP interface port 10000. Do I need more ACLs since the final destination is the internal interface?

The internal interface isn't terminated on the ASA firewall. It is learned by OSPF. Could this be a problem?

Simon

VIP Purple

Re: NAT / PAT - ASA 8.2

I gave any outside connection permit to the outside IP interface port 10000. Do I need more ACLs since the final destination is the internal interface?

No, a statement like

permit tcp any host 123.123.123.123 eq 10000

is enough.

The internal interface isn't terminated on the ASA firewall. It is learned by OSPF. Could this be a problem?

you only need reachability from the ASA to the server. And if the ASA reaches the server through interface inside, the answers from that server also have to come back through this interface.

Try the packet-tracer and post the result:

packet-tracer input outside tcp 1.2.3.4 1234 123.123.123.123 10000

The GUI isn't very helpful; I had to try several, in my eyes, wrong configurations to get the correct result CLI-wise.

Yes, the GUI for NAT is really bad, even on the newer versions. On the CLI things are much clearer if you know the syntax.

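The static entry from the accepted answer and the ACL/packet-tracer check in this reply can be sanity-checked offline before touching the box. The following is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.2 snippet (the thread's addresses) and reports, for an inbound connection, whether the interface ACL permits it and which real address the static entry untranslates it to. The function name trace_inbound and the SAMPLE_CONFIG text are assumptions of this example.

```python
import re

# Constructed sample config in ASA 8.2 syntax, built from the thread's example values.
# Note the real/mapped order in "static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port".
SAMPLE_CONFIG = """
static (inside,outside) tcp 123.123.123.123 10000 10.10.10.2 80 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 123.123.123.123 eq 10000
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host [\d.]+) (?P<dst>any|host [\d.]+)(?: eq (?P<port>\d+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")


def trace_inbound(config: str, ifc: str, proto: str, dst_ip: str, dst_port: int) -> dict:
    """Mimic the ACL and NAT phases of packet-tracer for a new inbound flow."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Which ACL is bound inbound on the ingress interface?
    bound = {m["ifc"]: m["name"] for m in map(GROUP_RE.match, lines) if m}
    acl_name = bound.get(ifc)
    # ASA ACLs are first-match, with an implicit deny at the end. In 8.2 the inbound
    # ACL is evaluated against the mapped (global) address, not the real one.
    verdict = "deny"
    for m in filter(None, map(ACL_RE.match, lines)):
        if m["name"] != acl_name or m["proto"] not in (proto, "ip"):
            continue
        if m["dst"] not in ("any", f"host {dst_ip}"):
            continue
        if m["port"] is not None and int(m["port"]) != dst_port:
            continue
        verdict = m["action"]
        break
    # Untranslate: the mapped side is the interface the packet arrived on.
    translated = None
    for m in filter(None, map(STATIC_RE.match, lines)):
        key = (m["mapped_ifc"], m["proto"], m["mapped_ip"], int(m["mapped_port"]))
        if key == (ifc, proto, dst_ip, dst_port):
            translated = (m["real_ifc"], m["real_ip"], int(m["real_port"]))
            break
    return {"acl": verdict, "translated_to": translated}
```

Feed it the flow the reply's packet-tracer line describes (outside, tcp, 123.123.123.123, 10000) and it should report a permit and a translation to inside/10.10.10.2/80; any other port falls to the implicit deny and has no static match.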

New Member

NAT / PAT - ASA 8.2

Hello

I found out why it didn't work.

The packet trace failed on the reverse path check, but it doesn't give very detailed information on why.

It was a mix of multiple internal interfaces and a NAT exempt rule to the same internal network.

Thank you for your help!
