Nat Help Needed

Kevin Cummins
Level 1

Hello all,

I need to nat one of my global IPs to an internal IP, and I also need to forward the ports 1720 and 60000-60001 for tcp, and ports 60000-60007 for udp.

(119.x.x.26 address to 192.168.1.100)

Can you please tell me if the config below is correct?

!

ASA Version 8.2(1)

!

hostname Firewall

enable password xxxxxx encrypted

passwd xxxxxx encrypted

names

name 192.168.6.0 GuestVLAN description GuestVLAN

name 192.168.1.0 OfficeLAN

name 192.168.4.0 ServerLAN description ServerGroup

name 192.168.0.0 Internal_LAN

name 192.168.4.16 Exchange

name 192.168.4.10 PrimaryDC

name 192.168.4.12 backupDC

name 192.168.1.40 PBX

name 192.168.1.100 VC

name 192.168.2.0 Internal_switch2

name 192.168.3.0 Internal_switch3

!

interface Ethernet0/0

description HGC_Primary

nameif Outside_0

security-level 0

ip address 119.x.x.x 255.255.255.240 standby 119.x.x.x

!

interface Ethernet0/1

description PCCW_Backup

nameif Outside_1

security-level 0

ip address 204.x.x.x 255.255.255.248 standby 204.x.x.x

!

interface Ethernet0/2

description Internal

nameif Inside

security-level 100

ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 10.x.x.x 255.255.255.0 standby 10.x.x.x

management-only

!

ftp mode passive

clock timezone HKST 8

dns domain-lookup Outside_0

dns server-group DefaultDNS

name-server 212.x.x.x

name-server 204.x.x.x

object-group network WEB

object-group service ExchangeGroup

description For Exchange

service-object tcp eq www

service-object tcp eq https

service-object tcp eq smtp

service-object icmp echo-reply

service-object icmp echo

service-object icmp6 echo

service-object icmp6 echo-reply

object-group network DM_INLINE_NETWORK_1

network-object host 119.x.x.x

network-object host 119.x.x.x

object-group network DM_INLINE_NETWORK_2

network-object host 204.x.x.x

network-object host 204.x.x.x

object-group service PBX-TCP-8000 tcp

port-object eq 8000

object-group service VC_System_tcp tcp

port-object eq 1720

port-object range 60000 60001

object-group service VC_System_udp udp

port-object range 60000 60007

access-list Inside_access_in extended permit icmp any any echo

access-list Inside_access_in extended permit ip Internal_LAN 255.255.0.0 any

access-list Outside_0_access_in extended permit icmp any any echo-reply log

access-list Outside_0_access_in extended permit object-group ExchangeGroup any host 119.x.x.x log

access-list Outside_0_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 eq ntp log inactive

access-list Outside_0_access_in remark Remote access to PBX

access-list Outside_0_access_in extended permit tcp any host 119.x.x.x object-group PBX-TCP-8000

access-list Outside_0_access_in remark Port Forwarding for VC

access-list Outside_0_access_in extended permit tcp any host 119.x.x.26 object-group VC_System_tcp

access-list Outside_0_access_in extended permit udp any host 119.x.x.26 object-group VC_System_udp

access-list Outside_1_access_in extended permit icmp any any echo-reply log

access-list Outside_1_access_in extended permit object-group ExchangeGroup any host 204.x.x.x log

access-list Outside_1_access_in extended permit udp any object-group DM_INLINE_NETWORK_2 eq ntp log inactive

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any eq www

access-list inside_access_in extended permit udp any any eq domain

access-list IPSECVPN_splitTunnelAcl standard permit Internal_LAN 255.255.0.0

access-list IPSECVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Internal_LAN 255.255.0.0 192.168.168.0 255.255.255.224

pager lines 40

logging enable

logging asdm informational

mtu Outside_0 1500

mtu Outside_1 1500

mtu Inside 1500

mtu management 1500

ip local pool VPN-DHCP 192.168.168.10-192.168.168.20 mask 255.255.255.0

failover

failover lan unit secondary

failover lan interface ASAFW Ethernet0/3

failover key xxxxx

failover link ASAFW Ethernet0/3

failover interface ip ASAFW 10.10.10.1 255.255.255.252 standby 10.10.10.2

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside_0

icmp permit any Outside_1

icmp permit any Inside

no asdm history enable

arp timeout 14400

global (Outside_0) 1 interface

global (Outside_1) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

static (Inside,Outside_0) 119.x.x.x Exchange netmask 255.255.255.255

static (Inside,Outside_1) 204.x.x.x Exchange netmask 255.255.255.255

static (Inside,Outside_0) 119.x.x.x PrimaryDC netmask 255.255.255.255

static (Inside,Outside_1) 204.x.x.x PrimaryDC netmask 255.255.255.255

static (Inside,Outside_0) 119.x.x.x backupDC netmask 255.255.255.255

static (Inside,Inside) 204.x.x.x backupDC netmask 255.255.255.255

static (Inside,Outside_0) 119.x.x.x PBX netmask 255.255.255.255

static (Inside,Outside_0) 119.x.x.26 VC netmask 255.255.255.255

access-group Outside_0_access_in in interface Outside_0

access-group Outside_1_access_in in interface Outside_1

access-group Inside_access_in in interface Inside

route Outside_0 0.0.0.0 0.0.0.0 119.x.x.x 1 track 1

route Outside_1 0.0.0.0 0.0.0.0 204.x.x.x

route Inside OfficeLAN 255.255.255.0 192.168.5.3 1

route Inside Internal_switch2 255.255.255.0 192.168.5.3 1

route Inside Internal_switch3 255.255.255.0 192.168.5.3 1

route Inside ServerLAN 255.255.255.0 192.168.5.3 1

route Inside GuestVLAN 255.255.255.0 192.168.5.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AAAGROUP protocol radius

aaa-server AAAGROUP (Inside) host PrimaryDC

timeout 3

key xxxxxx

aaa-server AAAGROUP (Inside) host backupDC

timeout 5

key xxxxx

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http ServerLAN 255.255.255.0 Inside

http OfficeLAN 255.255.255.0 Inside

http 10.0.0.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 Outside_1

http 0.0.0.0 0.0.0.0 Outside_0

http Internal_LAN 255.255.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123

type echo protocol ipIcmpEcho 212.x.x.x interface Outside_0

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_0_map interface Outside_0

crypto map Outside_1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_1_map interface Outside_1

crypto isakmp enable Outside_0

crypto isakmp enable Outside_1

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 123 reachability

telnet Internal_LAN 255.255.0.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy IPSECVPN internal

group-policy IPSECVPN attributes

dns-server value 192.168.4.10 192.168.4.12

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value IPSECVPN_splitTunnelAcl

..................................................................................

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

2 Accepted Solutions

6 Replies

pstebner10
Level 1

Kevin-

The static looks fine for regular NAT, and you have allowed the correct UDP and TCP ports through the Outside_0 interface with your Outside_0_access_in ACL. However this is not true port-forwarding/port-redirection. What are your requirements for access to this node?

For true port-redirection you can take a look at the static PAT example in this doc:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html

Paul
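For comparison with the 1-to-1 static in Kevin's config, this is what the static PAT alternative Paul refers to looks like in ASA 8.2 syntax. It is an added example, not from the thread or the linked Cisco doc; the interface names, the VC name object and 119.x.x.26 are taken from the config above, and it assumes the ASA rejects a per-port static whose mapped address is already used by a full static for the same host.

```cisco
! Added example: publish only the VC ports with static PAT instead of mapping
! the whole host. ASA 8.2 static PAT takes one port per statement, so each
! TCP/UDP port from the vendor list gets its own line.
!
! The existing full static must go first (assumption: a port static cannot
! share its mapped address with a full static for the same host).
no static (Inside,Outside_0) 119.x.x.26 VC netmask 255.255.255.255
!
! TCP: H.323 call setup on 1720 (covered by "inspect h323 h225" in
! global_policy) plus 60000-60001
static (Inside,Outside_0) tcp 119.x.x.26 1720 VC 1720 netmask 255.255.255.255
static (Inside,Outside_0) tcp 119.x.x.26 60000 VC 60000 netmask 255.255.255.255
static (Inside,Outside_0) tcp 119.x.x.26 60001 VC 60001 netmask 255.255.255.255
!
! UDP: 60000-60007, one statement per port
static (Inside,Outside_0) udp 119.x.x.26 60000 VC 60000 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60001 VC 60001 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60002 VC 60002 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60003 VC 60003 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60004 VC 60004 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60005 VC 60005 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60006 VC 60006 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60007 VC 60007 netmask 255.255.255.255
!
! The two Outside_0_access_in lines for VC_System_tcp / VC_System_udp stay
! as they are: on 8.2 the outside ACL matches the mapped (public) address,
! which is unchanged. The difference from the 1-to-1 static is that no xlate
! exists for any other port, so a later ACL mistake cannot expose them.
```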

Hello Paul,

Thank you for your reply.

We are putting in a new Video Conferencing system and the instructions specify that if we put the system on the internal LAN, we should forward those particular ports for tcp and udp.

So I thought that since we had available/free Public IP addresses, I would try a 1-to-1 NAT and just make sure those ports were open via ACL.

Is this wrong? Should I switch to a static PAT?

Kevin-

I don't think that you need to change anything. Have you had a chance to try out the new system yet?

Paul

Paul-

Not yet. The new system comes in next Monday.

I was just wondering because whenever I try packet tracer from the CLI it shows that the packet is dropped.

(It may be a case of me incorrectly using the packet-tracer command)

Anyway, we'll know if it works or not on Monday. I may need to ask you again if it fails.

Again, thanks for the help.

Kevin-

Are you tracing from the outside in? Let me know how you set the packet tracer and what exact message it is giving you - the tracer will tell you that the packet was dropped due to an ACL or due to a NAT rule, etc.

Paul
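The outside-in trace Paul asks about, as an added example (not from the thread). It assumes the VC rules from Kevin's config are in place; 198.51.100.7 port 40000 is a constructed remote peer, not an address from the page.

```cisco
! Added example: verify the inbound path for the VC with packet-tracer.
! Trace INTO Outside_0 toward the PUBLIC address. On 8.2 both the
! Outside_0_access_in ACL and the static are matched on the mapped address,
! so tracing toward 192.168.1.100 from Outside_0, or tracing from Inside,
! never exercises these rules and shows a drop that is not a config error.
packet-tracer input Outside_0 tcp 198.51.100.7 40000 119.x.x.26 1720
packet-tracer input Outside_0 tcp 198.51.100.7 40000 119.x.x.26 60001
packet-tracer input Outside_0 udp 198.51.100.7 40000 119.x.x.26 60007
!
! Negative check: a port the ACL does not list (60002/tcp is in the UDP range
! only) should be dropped in the ACCESS-LIST phase, proving the exposure is
! limited to the listed ports.
packet-tracer input Outside_0 tcp 198.51.100.7 40000 119.x.x.26 60002
!
! Reading the output: each Phase ends with "Result: ALLOW" or "Result: DROP";
! the trace stops at the first DROP and the trailing Drop-reason line names
! the cause (ACL name for an ACCESS-LIST drop, or a NAT phase when no static
! matched). The static itself can be confirmed independently:
show xlate | include 192.168.1.100
```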

Thanks Paul,

Config was correct.

I still couldn't get packet-tracer to work properly, but it's ok.

Thanks again
