
22 May 13 ASA 8.4 NAT with specific ports

Cisco ASA NAT specific ports TCP/UDP Version 8.4

So we all are pretty much used to the new Cisco ASA 8.3+ NAT, Auto NAT and Twice NAT. I am writing this article on how to NAT single or multiple specific ports to a single Public IP address. When and why would you want to do this? Some companies can’t afford a large range of Public IP addresses, are running out of them, or have too many internal servers and resources for the addresses they have. Using this method a Public IP can be conserved and shared by multiple internal resources instead of being dedicated to just one.

Scenario 1

First, here is an example of simply NATing an internal IP to a Public IP on a Cisco ASA running version 8.4. Say we have an internal IP of 10.1.1.10 and a Public IP of 1.1.1.1:

object network obj-10.1.1.10
host 10.1.1.10
nat (inside,outside) static 1.1.1.1

That is it. Now you can create an access list for the specific need you have for that server; let’s say people from the outside need to access it over 443. Since ASA 8.3, access lists match the real (untranslated) address, so the rule names 10.1.1.10 rather than the Public IP:

access-list outside_in extended permit tcp any gt 1024 host 10.1.1.10 eq 443

Scenario 2

Now someone from the outside can type “https://1.1.1.1” (or the associated FQDN) and reach this web server. But what happens if you need another Public IP address for another internal resource, with port 22 (SSH) opened up for it, and you have already used up your last IP address? So when I ran into such an issue I did this:

! Server 1
object network obj-10.1.1.10
host 10.1.1.10
exit
! Server 2
object network obj-10.1.1.20
host 10.1.1.20
exit
! Public IP
object network obj-1.1.1.1
host 1.1.1.1
exit
! Service object for HTTPS (the server's listening port is the "source" port of the service object)
object service HTTPS
service tcp source eq 443
exit
! Service object for SSH
object service SSH
service tcp source eq 22
exit
! NAT1-SERVER1 and NAT2-SERVER2: both real hosts map to the same Public IP, distinguished by service
nat (inside,outside) source static obj-10.1.1.10 obj-1.1.1.1 service HTTPS HTTPS
nat (inside,outside) source static obj-10.1.1.20 obj-1.1.1.1 service SSH SSH

access-list outside_in remark **** Access list for Server 1 HTTPS Access ****
access-list outside_in extended permit tcp any gt 1024 host 10.1.1.10 eq 443
access-list outside_in remark **** Access list for Server 2 SSH Access ****
access-list outside_in extended permit tcp any gt 1024 host 10.1.1.20 eq 22

Using this method I was able to use a single Public IP and assign it to multiple internal servers on different ports, i.e. 443 and 22. Now if someone connects to 443 on the Public IP 1.1.1.1 they will get to the internal server 10.1.1.10, and if someone uses SSH to the Public IP 1.1.1.1 they will get to the internal server 10.1.1.20. Similarly I can utilize this one Public IP address and assign it to other internal resources and other ports such as 21, 80, 25, etc.
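The one thing that goes wrong with this approach in practice is two rules claiming the same protocol/port on the shared Public IP, which silently leaves the second server unreachable. The following Python script is an added example, not configuration or code from the original article: it takes a list of internal services that should share one Public IP, refuses any two that would claim the same public protocol/port, and emits the object, Twice NAT and access-list lines in the style used above (plus the access-group line that binds the ACL). It goes one step beyond the article by also allowing a port redirect (server port 22 exposed as public port 2222), which needs a second, mapped service object. Interface names, the ACL name and all sample addresses and ports are constructed values.

```python
"""Generator and collision check for ASA 8.3+ port-forward (Twice NAT) config.

Added example, not from the original article. Interface names, ACL name
and the sample addresses/ports are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortForward:
    name: str                          # service object name, e.g. "HTTPS"
    real_ip: str                       # internal (real) server address
    proto: str                         # "tcp" or "udp"
    real_port: int                     # port the server listens on
    mapped_port: Optional[int] = None  # port exposed on the Public IP; defaults to real_port

    @property
    def public_port(self) -> int:
        return self.real_port if self.mapped_port is None else self.mapped_port


def validate(rules: List[PortForward]) -> List[str]:
    """Return a list of problems; an empty list means the rule set is consistent.
    On a shared Public IP each protocol/port pair can be forwarded to only one
    server, and each service object name must be unique."""
    problems = []
    claimed = {}
    for r in rules:
        if r.proto not in ("tcp", "udp"):
            problems.append(f"{r.name}: unsupported protocol {r.proto}")
        for p in (r.real_port, r.public_port):
            if not 1 <= p <= 65535:
                problems.append(f"{r.name}: port {p} out of range")
        key = (r.proto, r.public_port)
        if key in claimed:
            problems.append(f"{r.name}: {r.proto}/{r.public_port} already forwarded to {claimed[key]}")
        else:
            claimed[key] = r.real_ip
    names = [r.name for r in rules]
    for n in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate service object name {n}")
    return problems


def build_config(public_ip: str, rules: List[PortForward],
                 real_if: str = "inside", mapped_if: str = "outside",
                 acl: str = "outside_in") -> List[str]:
    """Emit ASA CLI lines for all rules; raises ValueError if validate() complains."""
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    ipaddress.ip_address(public_ip)  # fail early on a malformed address
    lines = [f"object network obj-{public_ip}", f"host {public_ip}"]
    for ip in sorted({r.real_ip for r in rules}, key=ipaddress.ip_address):
        lines += [f"object network obj-{ip}", f"host {ip}"]
    for r in rules:
        # Service objects are written from the server's point of view, so the
        # listening port is the *source* port in both the real and mapped object.
        lines += [f"object service {r.name}", f"service {r.proto} source eq {r.real_port}"]
        if r.public_port != r.real_port:
            lines += [f"object service {r.name}-MAPPED",
                      f"service {r.proto} source eq {r.public_port}"]
    for r in rules:
        mapped_obj = r.name if r.public_port == r.real_port else f"{r.name}-MAPPED"
        lines.append(f"nat ({real_if},{mapped_if}) source static obj-{r.real_ip} obj-{public_ip} "
                     f"service {r.name} {mapped_obj}")
    for r in rules:
        # Since 8.3 the ACL matches the real (untranslated) address and port.
        lines.append(f"access-list {acl} remark {r.name} to {r.real_ip}")
        lines.append(f"access-list {acl} extended permit {r.proto} any host {r.real_ip} eq {r.real_port}")
    lines.append(f"access-group {acl} in interface {mapped_if}")
    return lines


if __name__ == "__main__":
    sample = [  # constructed sample: the article's two servers plus a port redirect
        PortForward("HTTPS", "10.1.1.10", "tcp", 443),
        PortForward("SSH", "10.1.1.20", "tcp", 22),
        PortForward("SSH-ALT", "10.1.1.30", "tcp", 22, mapped_port=2222),
    ]
    print("\n".join(build_config("1.1.1.1", sample)))
```

Run it as-is to print the generated configuration; adding a fourth rule for tcp/443 to a different server makes build_config raise, which is the point of running the check before anything is pasted into the firewall.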

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂
