Example 1
Forward a port for a web server from the Internet to the internal network using Auto NAT, also called Network Object NAT:

object network web_server_in_dmz
 host 192.168.1.2
 nat (inside,outside) static 1.1.1.1 service tcp www 8080

Where:
- 192.168.1.2 - IP address of the web server in the internal network
- inside - name of the interface connected to the internal network
- outside - name of the interface connected to the external network
- static - type of NAT translation
- 1.1.1.1 - external Internet address
- www - real port on the web server
- 8080 - translated port, which will be open on the external address

The same port forwarding using Manual NAT:

nat (outside,inside) source static any any destination static public_ip web service 8080 www

Where:
- outside - source interface, where the original packet comes in
- inside - destination interface, from where the translated packet comes out
- source - starts the configuration of the source IP address translation
- static - the NAT will be static, not dynamic
- first any - source address of the original packet
- second any - source address of the translated packet, so the source address is not changed
- destination - starts the configuration of the destination IP address translation
- static - the destination NAT will be static, not dynamic
- public_ip - network object which describes the external Internet IP address
- web - network object which describes the internal IP address of the web server
- service - starts the specification of which services will be translated
- 8080 - service object which describes port 8080 TCP, the translated port which will be open on the external address
- www - service object which describes port 80 TCP, the real port on the web server

However, this will not work if 1.1.1.1 is the IP address of the outside interface. 1.1.1.1 may be a secondary outside address, but not the primary one. By secondary I mean an address that appears only in the NAT configuration; that is enough for the ASA to start replying on this address. It is impossible to configure a secondary address on the ASA explicitly.

So, how to configure port forwarding using the IP address of the outside interface? Here is the example:

nat (outside,inside) source static any any destination static interface web service 8080 www

The only thing changed here is public_ip > interface, which, as I understand it, means that identification by interface is used instead of by IP.

Example 2
Configure PAT for the internal network so that users can access the Internet.

Using Auto NAT:

object network lan
 subnet 172.16.16.0 255.255.255.0
 nat (any,any) dynamic public_ip

where public_ip is a network object containing the external IP address, but not the address of the outside interface, of course :)

Using Manual NAT with the IP address of the outside interface:

object network lan
 subnet 172.16.16.0 255.255.255.0
nat (inside,outside) source dynamic lan interface

Example 3
NAT exemption
For instance, you need to exclude a server from the PAT because this server needs to communicate with another server via an IPsec VPN. To accomplish this we just need to create a NAT rule which changes nothing and set its order number to one, so that it is evaluated before the PAT rule:

nat (any,any) 1 source static server1 server1 destination static remote_server remote_server
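As a worked example for Examples 1 to 3 (added here, not part of the original notes), the complete Manual NAT configuration with the network and service objects the rules refer to, the matching inbound access list, and the commands to verify the result. Object names, 1.1.1.1, 192.168.1.2 and 172.16.16.0/24 come from the notes above; the service object names, the server1 and remote_server addresses, the ACL name and the packet-tracer client address are assumptions.

```cisco
! Network objects referenced by the rules (server1 and remote_server addresses are constructed)
object network public_ip
 host 1.1.1.1
object network web
 host 192.168.1.2
object network lan
 subnet 172.16.16.0 255.255.255.0
object network server1
 host 172.16.16.10
object network remote_server
 host 10.20.0.5
! Service objects for the port forwarding (names assumed; the notes call them 8080 and www)
object service svc_8080
 service tcp destination eq 8080
object service svc_www
 service tcp destination eq www
!
! Example 3: identity (exemption) rule placed at line 1 so it is evaluated before the PAT
nat (any,any) 1 source static server1 server1 destination static remote_server remote_server
! Example 1: forward outside:8080 to the web server's port 80 (Manual NAT form);
! use "interface" instead of public_ip when 1.1.1.1 is the outside interface address
nat (outside,inside) source static any any destination static public_ip web service svc_8080 svc_www
! Example 2: PAT the LAN behind the outside interface address (Manual NAT form)
nat (inside,outside) source dynamic lan interface
!
! Since ASA 8.3 access lists match the REAL (untranslated) address and port,
! so the inbound rule permits port 80 to the web object, not 8080 to 1.1.1.1
access-list outside_in extended permit tcp any object web eq www
access-group outside_in in interface outside
!
! Verification (assumed Internet client 198.51.100.10): the UN-NAT phase should map
! 1.1.1.1:8080 to 192.168.1.2:80 and the ACCESS-LIST phase should allow it
packet-tracer input outside tcp 198.51.100.10 40000 1.1.1.1 8080
! server1 to remote_server must match the line-1 identity rule in the NAT phase, not the PAT
! (the VPN itself is not configured here, so only the NAT phase of this trace is of interest)
packet-tracer input inside tcp 172.16.16.10 40000 10.20.0.5 443
! Rule order and per-rule hit counters
show nat detail
```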
Troubleshooting
Show all translations:
show xlate

Show NAT rules:
show nat