1 to 1 NAT


ntwrkrbkj

IS-IT--Management
Jun 2, 2003
58
Is the ASA 5505 capable of doing 1 to 1 NAT? Every configuration I've tried hasn't worked, but then again, I'm used to the PIX series. Does anyone have any good links to config examples that incorporate 1 to 1 NAT?

These are the commands I'm using (yes, the x's are public IPs):

access-list outside_access_in extended permit tcp any x.x.x.177 255.255.255.255 eq 80
access-list outside_access_in extended permit tcp any x.x.x.177 255.255.255.255 eq 443
access-list outside_access_in extended permit tcp any x.x.x.164 255.255.255.255 eq 21
access-list outside_access_in extended permit tcp any x.x.x.164 255.255.255.255 eq 25
access-list outside_access_in extended permit tcp any x.x.x.164 255.255.255.255 eq 588
access-list outside_access_in extended permit tcp any x.x.x.164 255.255.255.255 eq 110
access-list outside_access_in extended permit tcp any x.x.x.164 255.255.255.255 eq 80
static (inside,outside) tcp x.x.x.177 80 192.168.5.177 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.177 443 192.168.5.177 443 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.164 21 192.168.5.164 21 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.164 25 192.168.5.164 25 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.164 588 192.168.5.164 588 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.164 110 192.168.5.164 110 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.164 80 192.168.5.164 80 netmask 255.255.255.255
access-group outside_access_in in interface outside

I've only ever gotten the device to successfully pass RDP traffic (which isn't in the commands). Ugh, any ideas?
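For reference, here is what a true 1-to-1 (whole-address) static looks like next to the per-port statics in the post above, as an added example that is not part of the original thread or of any poster's configuration. The first form is the pre-8.3 syntax the post uses; the second is the 8.3-and-later object NAT equivalent, included because the ASA version in the thread is never stated. The public addresses keep the poster's x.x.x.177 / x.x.x.164 placeholders and the object names are assumptions.

```cisco
! ---- Pre-8.3 syntax (matches the command style in the post) ----
! Whole-address 1-to-1: every port on x.x.x.177 maps to 192.168.5.177.
! No tcp/udp keyword and no port numbers; one line replaces all the per-port statics.
static (inside,outside) x.x.x.177 192.168.5.177 netmask 255.255.255.255
static (inside,outside) x.x.x.164 192.168.5.164 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface reference the MAPPED (public) address.
! The 1-to-1 static exposes nothing by itself; only the ports permitted here are reachable.
access-list outside_access_in extended permit tcp any host x.x.x.177 eq 80
access-list outside_access_in extended permit tcp any host x.x.x.177 eq 443
access-list outside_access_in extended permit tcp any host x.x.x.164 eq 21
access-list outside_access_in extended permit tcp any host x.x.x.164 eq 25
access-list outside_access_in extended permit tcp any host x.x.x.164 eq 110
access-group outside_access_in in interface outside
!
! ---- 8.3+ syntax (object NAT) for the same result ----
! Object names (web-177, mail-164) are assumptions for this example.
object network web-177
 host 192.168.5.177
 nat (inside,outside) static x.x.x.177
object network mail-164
 host 192.168.5.164
 nat (inside,outside) static x.x.x.164
!
! 8.3+ ACLs reference the REAL (inside) address, not the mapped one.
access-list outside_access_in extended permit tcp any object web-177 eq 80
access-list outside_access_in extended permit tcp any object web-177 eq 443
access-list outside_access_in extended permit tcp any object mail-164 eq 21
access-list outside_access_in extended permit tcp any object mail-164 eq 25
access-list outside_access_in extended permit tcp any object mail-164 eq 110
access-group outside_access_in in interface outside
```

The per-port statics in the post are port forwarding rather than 1-to-1 NAT; both are valid, but with a whole-address static the ACL is the only thing limiting exposure, so keep it to the ports actually served. Either way the ASA answers ARP for the mapped address on the outside segment, which is why the public address must sit inside the range and mask configured on the outside interface.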
 
Why are you trying to NAT from the outside in? I thought that was the idea behind the outside interface (public IP) and inside interface (private IP): it would NAT all incoming traffic to your 'private' IP.

Would you not want to NAT from the inside out? I am just looking at a partial config and making assumptions.
 
Thanks for the reply. Just following the command structure that Cisco shows for doing port forwarding. I've put the device in my lab this morning (didn't have time yesterday) and put the same config on it (with different IPs, of course), and the thing works perfectly. I can RDP from the outside in, hit a web server, hit an FTP server, etc.

So now I'm down to thinking the customer doesn't know his WAN as well as he thinks. All the 1-to-1s and forwards work perfectly across our WAN. I asked him about his T1 and he said there were no security restrictions on it; the ISP must have a router in the mix with an ACL on it. It's the only explanation I can think of, unless someone can think of some other reason why it wouldn't work?
 
Probably not the ISP. Make sure the server is capable of remote connections.
 
Yeah, their old forwards work fine on their old firewall, but their old firewall has a different public IP than the new one, and it is within their assigned range. So the server isn't the issue; it's definitely network related. Since I was there and at one point had nothing but my laptop and their web server plugged into the ASA, coupled with the fact that the web server works fine across the old firewall, that tells me the problem is external to their network. The fact that the ASA works fine in my lab under similar circumstances tells me the problem is external to the ASA.

All that with the fact that the old firewall forwards and the new one doesn't tells me that I need to put the old firewall's IP on the new firewall and see if traffic passes. If it doesn't, then I'm stumped again, NEVER heard of a T1 provider doing MAC filtering????

Thanks again for reply.
 
You could try to clear the ARP table in the ASA. I am not 100% sure of the command, but it's something like clear xlate.
 
Enable logging on those ACEs in the ACL. Try to connect from the outside and look at the logs. Also look at the output from the sh conn command. Make 100% sure that the outside IP is in fact in their range of addresses; pay close attention to the subnet mask.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
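The checks suggested in the last reply (logging on the ACEs, sh conn, verifying the outside address and mask), written out as an added set of ASA commands that are not from the original thread. The interface name Vlan2 is the usual outside VLAN on a 5505 and is an assumption here; the source address 203.0.113.10 in the packet-tracer line is a constructed test address, and x.x.x.177 is the poster's placeholder.

```cisco
! Log every hit on the ACEs under test (106100 is the ACL-log syslog ID).
access-list outside_access_in extended permit tcp any host x.x.x.177 eq 80 log
access-list outside_access_in extended permit tcp any host x.x.x.177 eq 443 log
logging enable
logging buffered informational
!
! Confirm the address and mask actually applied to the outside interface.
! Vlan2 is assumed to be the outside VLAN on this 5505.
show running-config interface Vlan2
show interface ip brief
!
! Walk a simulated inbound connection through ACL, NAT and routing without
! needing the customer's WAN at all (203.0.113.10 is a constructed source).
packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.177 80
!
! Now attempt a real connection from outside and check what the ASA saw:
show xlate
show conn
show logging | include 106100
show arp
!
! Flush stale translations after changing static statements.
clear xlate
```

If packet-tracer reports ALLOW on every phase but show conn and the 106100 log lines stay empty during a real test, the packets are not reaching the outside interface, which points upstream rather than at the ASA's NAT. Note that show arp only shows the ASA's own ARP cache; a stale entry for the old firewall's address in the ISP router's cache is outside the ASA's control and clears only when that entry times out or the router is told to flush it.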
 