NAT problem

Hi,

I'm stuck, here is what I need:

host1: 192.168.1.1 service tcp/443 >>>>> public ip 1.1.1.1 service tcp/443
host1: 192.168.1.1 service tcp/80  >>>>> public ip 1.1.1.1 service tcp/80
host2: 192.168.1.2 service tcp/22  >>>>> public ip 1.1.1.1 service tcp/22
host2: 192.168.1.2 service tcp/25  >>>>> public ip 1.1.1.1 service tcp/25

So people from remote just need to use the 1.1.1.1 public IP to access all the ports on two different inside devices.

I will also need port 80 and 22 for other access through/to the firewall, such as SSH to manage it, and I have a web page on a different public IP.

I am using an ASA 5540 with software 8.4(3).

Any help would be appreciated.

Thanks

2 REPLIES


Here's one way to do it. Create the objects and create the NAT mappings.

object network host1_tcp443
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 443 443

object network host1_tcp80
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80

object network host2_tcp22
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 22 22

object network host2_tcp25
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 25 25

access-list outside_in extended permit tcp any host 192.168.1.1 eq 443
access-list outside_in extended permit tcp any host 192.168.1.1 eq 80
access-list outside_in extended permit tcp any host 192.168.1.2 eq 22
access-list outside_in extended permit tcp any host 192.168.1.2 eq 25

access-group outside_in in interface outside

Service NAT mappings are done via protocol, then the REAL port, then the NAT port. So if you wanted to open up port 4343 to port 443 internally, your NAT would be: static interface service tcp 443 4343

If you want to be able to SSH to the firewall for management, you are going to have to use a different port for SSH on the public IP, maybe 2222, and NAT that to 22 internally using the example in the paragraph above.

To do another public IP to another web server, you would just create the object, and the NAT rule would be nat (inside,outside) static 2.2.2.2 or whatever other public IP you have.
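A small audit script, added here and not part of either reply, that parses object NAT rules in the form John shows (protocol, REAL port, then MAPPED port) and flags two things worth reviewing before pushing the config: the same mapped port on the same interface claimed by more than one rule, and a forwarded port that collides with a management service (ssh) enabled on that interface, which is the port 22 question raised in the thread. The sample config is constructed for the example; the object name host3_web and the ssh line are assumptions, not from the post.

```python
import re
from collections import defaultdict

# Constructed sample (not verbatim from the thread): two of the rules above plus a
# third rule that re-uses mapped port 80 and ssh on outside, so both findings fire.
SAMPLE_CONFIG = """\
object network host1_tcp80
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
object network host2_tcp22
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 22 22
object network host3_web
 host 192.168.1.3
 nat (inside,outside) static interface service tcp 8080 80
ssh 0.0.0.0 0.0.0.0 outside
"""

OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s*host (\S+)")
# nat (real_if,mapped_if) static interface service <proto> <REAL port> <MAPPED port>
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) static interface service (tcp|udp) (\d+) (\d+)")
SSH_RE = re.compile(r"^ssh \S+ \S+ (\S+)")

def parse_nat(config):
    """Return ([(object, real_ip, mapped_if, proto, real_port, mapped_port)], {ifaces with ssh})."""
    rules, ssh_ifaces, obj, real_ip = [], set(), None, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            obj, real_ip = m.group(1), None
        elif m := HOST_RE.match(line):
            real_ip = m.group(1)
        elif m := NAT_RE.match(line):
            rules.append((obj, real_ip, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))))
        elif m := SSH_RE.match(line):
            ssh_ifaces.add(m.group(1))
    return rules, ssh_ifaces

def find_conflicts(config, mgmt_ports=(22,)):
    """Flag mapped ports claimed twice, and forwarded ports that collide with ssh on the same interface."""
    rules, ssh_ifaces = parse_nat(config)
    by_mapped = defaultdict(list)
    for r in rules:
        by_mapped[(r[2], r[3], r[5])].append(r)  # key: (mapped_if, proto, mapped_port)
    findings = []
    for (iface, proto, port), rs in by_mapped.items():
        if len(rs) > 1:
            findings.append(f"{proto}/{port} on {iface} mapped by {len(rs)} rules: " + ", ".join(r[0] for r in rs))
        if proto == "tcp" and port in mgmt_ports and iface in ssh_ifaces:
            findings.append(f"tcp/{port} on {iface} is forwarded to {rs[0][1]} but ssh is also enabled on {iface}; check which should win")
    return findings
```

Run it against a saved `show running-config` to get the list of findings; an empty list means no overlapping mapped ports and no forwarded management port on an interface where ssh is enabled.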


Just to add to what John has already mentioned.

The commands to allow for SSH are the following:

hostname ASA-1
crypto key generate rsa modulus 2048
ssh 172.16.16.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
username cisco password cisco
enable password cisco123

There is no option to actually change the port for SSH. The ASA should recognize that this is to-the-box traffic, so it should not be affected.

--

Please remember to rate and select a correct answer
