Cisco ASA 5510 -Static NAT Help

Status
Not open for further replies.

intel233

I am new to this. What I need is to create a static NAT for one of my internal IPs so a consultant can get to it. It's just a web page. Let's say the internal IP is 10.0.2.100 and the external is 1.1.1.1
Would it be something like:
Object network TEST_Static
host 10.0.2.100
nat (inside,outside) static 1.1.1.1
 
Yes, that's correct. Make sure you have the "permit" entry in the ACL on the outside for his IP / subnet, remembering that starting with 8.4 code the ACEs are applied to the original IP addresses, in this case 10.0.2.100.
 
Thanks for the quick response. That is the part I am not sure about. What would the ACL be for this?
 
What's the web page, HTTP, HTTPS, both?
Say you have this in your config:
Code:
access-group outside-in_acl in interface outside
Then you'd need to add this for your web page access on port 80.
Code:
access-list outside-in_acl extended permit tcp host <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www
If you do not have anything like:
Code:
access-group blah in interface outside
Then you will need to make that access list and apply it to the interface.

I hope this helps. If unclear feel free to ask.
 
Again, thanks, that does help. My other question then is: if I don't have an additional public IP to give this, is there a way to do it?
 
Yes, there is. You would use the outside interface address with PAT as in:
Code:
nat (inside,outside) static interface service tcp www www
 
OK, so it would be:
Object network TEST_Static
host 10.0.2.100
nat (inside,outside) static interface service tcp www www
So I wouldn't need the ACL?
access-list outside-in_acl extended permit tcp host <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www

Thanks again. You have been a great help.
 
Yes, you would. NAT is one thing; access from the low security zone to the higher security zone has to have an explicit permit ACE. Otherwise the default deny will apply.
And do not forget:
Code:
access-group outside-in_acl in interface outside

This tells the ASA to use that ACL on the outside.
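
Added example, not part of the original thread: a small Python audit that checks the three pieces discussed above together (the object NAT entry, a permit ACE written against the real IP, and the access-group binding on the mapped interface) and also flags an ACE open to any source. The sample config is constructed from the thread's commands, 203.0.113.10 is a placeholder vendor address, and the function names are hypothetical.

```python
import re

# Constructed sample built from the thread's commands; 203.0.113.10 is a
# placeholder vendor address (documentation range), not a value from the thread.
SAMPLE = """\
object network TEST_Static
 host 10.0.2.100
 nat (inside,outside) static interface service tcp www www
access-list outside-in_acl extended permit tcp host 203.0.113.10 host 10.0.2.100 eq www
access-group outside-in_acl in interface outside
"""

def _addr(tok, i):
    """Consume one ACE address spec at tok[i] (source-port operators not handled)."""
    if tok[i] in ("any", "any4"):
        return tok[i], i + 1
    return " ".join(tok[i:i + 2]), i + 2  # "host A", "A MASK", "object NAME"

def audit(config):
    """Return findings for object-NAT static entries lacking inbound permission."""
    objs, aces, bound, cur = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        tok = line.split()
        if m := re.match(r"object network (\S+)", line, re.I):
            cur = objs.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"host (\S+)", line)):
            cur["real"] = m.group(1)
        elif cur is not None and (m := re.match(r"nat \(\S+?,(\S+?)\) static", line)):
            cur["ifc"] = m.group(1)  # mapped (second) interface of the NAT rule
        elif m := re.match(r"access-list (\S+) extended permit \S+ ", line):
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            aces.setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
    findings = []
    for name, o in objs.items():
        if "real" not in o or "ifc" not in o:
            continue  # not a host object with a static NAT
        acl = bound.get(o["ifc"])
        hits = [s for s, d in aces.get(acl, []) if d in (f"host {o['real']}", "any", "any4")]
        if acl is None:
            findings.append(f"{name}: no access-group on {o['ifc']}, default deny applies")
        elif not hits:
            findings.append(f"{name}: {acl} has no permit to real IP {o['real']}")
        elif any(s in ("any", "any4") for s in hits):
            findings.append(f"{name}: {acl} permits any source to {o['real']}")
    return findings
```

Calling `audit(SAMPLE)` returns an empty list; removing the access-group line, or writing the ACE against the mapped address instead of 10.0.2.100, produces a finding.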
 