Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco ASA 5510 -Static NAT Help

Status
Not open for further replies.

intel233

MIS
Feb 24, 2007
289
US
I am new to this. What I need is to create a Static Nat for one of my internal IP's so a consultant can get to it. Its just as web page. Lets say the internal IP is 10.0.2.100 and the external is 1.1.1.1
Would it be something like:
Object network TEST_Static
host 10.0.2.100
nat (inside,outside) static 1.1.1.1
 
Yes, that's correct. Make sure you have the "permit" entry in the ACL on the outside for his IP / subnet, remembering that starting with 8.4 code the ACE are applied to the original IP addresses, in this case 10.0.2.100.
 
thanks for the quick response. That is the part I am not sure about. What would the ACL be for this?
 
What's the web page, HTTP, HTTPS, both?
Say you have this in your config:
Code:
access-group outside-in_acl in interface outside
Then you'd need to add this for your web page access on port 80.
Code:
access-list outside-in_acl extended permit tcp <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www
If you do not have anything like:
Code:
access-group blah in interface outside
Then you will need to make that access list and apply it to the interface

I hope this helps. If unclear feel free to ask.
 
Again, thanks that does help. My other question then is if I don't have an additional Public IP to give this. Is there a way to do it?
 
Yes, there is. You would use the outside interface address with PAT as in:
Code:
nat (inside,outside) static interface service tcp www www
 
Ok so it would be:
Object network TEST_Static
host 10.0.2.100
nat (inside,outside) static interface service tcp
So I wouldn't need the ACL?
access-list outside-in_acl extended permit tcp <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www

Thanks again. You have been a great help.
 
Yes, you would. NAT is one thing, the access from low security zone to the higher security zone has to have an explicit permit ACE. Otherwise the default deny will apply.
And do not forget:
Code:
access-group outside-in_acl in interface outside

This tells ASA to use that ACL on the outside.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top