  • NAT Rules

    Hi

    I am very new to the Cisco ASA 5510 Firewall. I tried configuring the access rules I need but was unable to succeed in a few. I am mentioning the problem below.


    I have only one global ip 200.166.100.227

    I have 2 zones in my internal area

    Zone 1:
    Gateway : 192.168.3.1
    Host : 192.168.3.100
    Open Ports : 80, 443, 22, 21

    Zone 2:
    Gateway : 192.168.4.1
    Host : 192.168.4.100
    Open Ports : All Video conferencing ports


    Trying to achieve :

    1. Whenever someone from outside connects to the global ip
    "200.166.100.227" on specific ports ( 80, 443, 22, 21),
    request should be forwarded to 192.168.3.100.

    2. Whenever someone from outside connects to the global ip "200.166.100.227"
    on the Video Conferencing ports (there are a series of different ports), the request
    should be forwarded to 192.168.4.100

    I tried using policy NAT and it was a failure. Can anyone please help me in achieving the same?

    Thanks & Regards,
    Biiju

  • #2
    Re: NAT Rules

    You can use statics (assuming your inside is setup correctly).

    static (inside,outside) tcp 200.166.100.227 80 192.168.3.100 80

    then an access list to allow the traffic initiated from the outside

    access-list inbound_on_outside permit tcp any host 200.166.100.227 eq 80

    and finally the access-group to bind it to an interface

    access-group inbound_on_outside in interface outside



    Not sure on your video ports but they will work the same way. Therefore:

    static (inside,outside) tcp 200.166.100.227 80 192.168.3.100 80
    static (inside,outside) tcp 200.166.100.227 443 192.168.3.100 443
    static (inside,outside) tcp 200.166.100.227 22 192.168.3.100 22
    static (inside,outside) tcp 200.166.100.227 21 192.168.3.100 21

    access-list inbound_on_outside permit tcp any host 200.166.100.227 eq 80
    access-list inbound_on_outside permit tcp any host 200.166.100.227 eq 443
    access-list inbound_on_outside permit tcp any host 200.166.100.227 eq 22
    access-list inbound_on_outside permit tcp any host 200.166.100.227 eq 21
    access-group inbound_on_outside in interface outside



    Plus of course the video ones to the other IP.
    Note: I have assumed you only wanted TCP for these ports.
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: NAT Rules

      Hi Andy,

      Thanks a lot for the help. I am able to succeed on what you suggested by redirecting the ports one by one (by "one by one" I mean a separate rule for redirecting each port). In the first case I am very happy to do the same since there are only a few ports.

      The actual problem is regarding the video ports. It has both TCP and UDP ports. Of course I can do those too, one by one. But since there are many ports (I mean a range of different ports, both UDP and TCP), it is really a pain to specify each port as a separate rule.

      So is there any way to specify all these ports (TCP and UDP, separately or together) in a single NAT rule? Or else I think I will have to buy one more public IP. Please let me know your thoughts.

      Thanks & Regards,
      Biju



      • #4
        Re: NAT Rules


        Yes of course you can.
        Have a look at the object-group bits

        http://www.cisco.com/en/US/products/...800d641d.shtml
        cheers
        Andy




        • #5
          Re: NAT Rules

          Hi Andy,

          I went through the docs. I have object groups for network and services.
          Is it possible to specify this "object-group" in a static NAT rule?

          Regards
          Biju



          • #6
            Re: NAT Rules

            Hmm.. need to think about this.

            Statics are here:
            http://www.cisco.com/en/US/docs/secu...html#wp1348790

            Static NAT Examples
            For example, the following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address:

            hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224

            hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224

            hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1

            hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2

            So maybe we can use an acl for the group and then allow the static that way?
            Never tried this and I haven't got an ASA to hand to test with.

            Anyone else got thoughts?
            cheers
            Andy

