PAT, NAT and multiple outside IP addresses

simonbilton · ‎01-16-2012

Hi All,

I'm in a sort of "half way house" situation with an ASA running 8.3(1), a range of public IP addresses and a requirement to access many different internal hosts using a series of port forwarding options. I have read (and understand fully) the configs for port forwarding when the outside interface has a single public IP address, and I realise that I can only forward a particular port (say www) to one host internally, and conversely can forward many different ports to many different hosts via the same public IP address.

My confusion come when I have multiple public IP addresses and want to forward (say) www to a particular internal host based on the target public IP address.

For example, my public addresses are 10.1.1.1 and 10.1.1.2, and my inside hosts are 192.168.0.1 and 192.168.0.2 and 192.168.0.3

If www traffic hits 10.1.1.1 I want it to NAT and go to 10.1.1.1 and likewise 10.1.1.2 should NAT to 192.168.0.2

If ftp traffic hits 10.1.1.2 I want it to go to 192.168.0.3

If smtp traffic hits 10.1.1.2 I want it to go to 192.168.0.3

So, the relevant bit sof the config I am trying are like this:-

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.252 (*Note is this correct to start with?)

object network pub1

host 10.1.1.1

object network pub2
host 10.1.1.2

object network serv1

host 192.168.0.1

object network serv2

host 192.168.0.2

object network serv3-ftp

host 192.168.0.3

object network serv3-smtp

host 192.168.0.3

object network serv1

nat (inside,outside) static pub1 service tcp www www

object network serv2

nat (inside,outside) static pub2 service tcp www www

object network serv3-ftp

nat (inside,outside) static pub2 service tcp ftp ftp

object network serv3-smtp

nat (inside,outside) static pub2 service tcp smtp smtp

access-list outside_access_in extended permit tcp any object serv1 eq www

access-list outside_access_in extended permit tcp any object serv2 eq www

access-group outside_access_in in interface outside

This should work, right? Or am I missing something fundamental?

I am perfectly happy with one-to-one static NAT, but I've never tried PAT like this.

The other thing is, it seems that I can get it to work sometimes if add an ACL to the inside interface, but I don't think I should need one?

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside

Anybody else done this successfully, got any examples?

Unfortunately it's a bit diffult to test as the unit is remote to me and I have to get oneof the users to do som ereconfiguration on the network out of hours every time I need to try new things.

Any pointers greatly accepted.

Rgds
Simon

ajay chauhan · ‎01-16-2012

Hi,

object network serv1

nat (inside,outside) static pub1 service tcp www www

object network serv2

nat (inside,outside) static pub2 service tcp www www

object network serv3-ftp

nat (inside,outside) static pub2 service tcp ftp ftp

object network serv3-smtp

nat (inside,outside) static pub2 service tcp smtp smtp

access-list outside_access_in extended permit tcp any object serv1 eq www

access-list outside_access_in extended permit tcp any object serv2 eq www

access-group outside_access_in in interface outside

This configuration will do just need to add more statement as per PAT configured.

However /30 on outside interface will give you one IP addess only. Either you should have bigger range to get more IP or static route pointing to outside interface for new range.

Once traffic is allowed from lower security level to higher return traffic will be automatically allowed no need to worry about inside acl.

Thanks

Ajay