Cisco ASA 5510 -Static NAT Help


(OP)
I am new to this. What I need is to create a static NAT for one of my internal IPs so a consultant can get to it. It's just a web page. Let's say the internal IP is 10.0.2.100 and the external is 1.1.1.1.
Would it be something like:
object network TEST_Static
 host 10.0.2.100
 nat (inside,outside) static 1.1.1.1

RE: Cisco ASA 5510 -Static NAT Help

Yes, that's correct. Make sure you have the "permit" entry in the ACL on the outside for his IP / subnet, remembering that starting with 8.4 code the ACEs are applied to the original IP addresses, in this case 10.0.2.100.

RE: Cisco ASA 5510 -Static NAT Help

(OP)
Thanks for the quick response. That is the part I am not sure about. What would the ACL be for this?

RE: Cisco ASA 5510 -Static NAT Help

What's the web page, HTTP, HTTPS, both?
Say you have this in your config:

CODE -->

access-group outside-in_acl in interface outside

Then you'd need to add this for your web page access on port 80.

CODE -->

access-list outside-in_acl extended permit tcp <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www

If you do not have anything like:

CODE -->

access-group blah in interface outside

Then you will need to make that access list and apply it to the interface.

I hope this helps. If unclear feel free to ask.

RE: Cisco ASA 5510 -Static NAT Help

(OP)
Again, thanks, that does help. My other question then is: if I don't have an additional public IP to give this, is there a way to do it?

RE: Cisco ASA 5510 -Static NAT Help

Yes, there is. You would use the outside interface address with PAT as in:

CODE -->

nat (inside,outside) static interface service tcp www www 

RE: Cisco ASA 5510 -Static NAT Help

(OP)
Ok so it would be:
object network TEST_Static
 host 10.0.2.100
 nat (inside,outside) static interface service tcp www www

So I wouldn't need the ACL?
access-list outside-in_acl extended permit tcp <PUT YOUR VENDOR IP HERE> host 10.0.2.100 eq www

Thanks again. You have been a great help.

RE: Cisco ASA 5510 -Static NAT Help

Yes, you would. NAT is one thing; access from a lower security zone to a higher security zone has to have an explicit permit ACE. Otherwise the default deny will apply.
And do not forget:

CODE -->

access-group outside-in_acl in interface outside 

This tells the ASA to use that ACL on the outside.
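
An added example (not part of the thread and not Cisco tooling): a small Python check for the points the answers above make, namely that the permit ACE must name the real address 10.0.2.100, that the ACL has no effect until `access-group` binds it to the outside interface, and that the source should be the vendor rather than `any`. The `audit` function and the vendor address 203.0.113.10 are constructed for illustration, and the parser only understands the command forms quoted in this thread.

```python
import re

# Constructed sample: the thread's PAT variant, with the ACE written but never bound.
SAMPLE = """\
object network TEST_Static
 host 10.0.2.100
 nat (inside,outside) static interface service tcp www www
access-list outside-in_acl extended permit tcp host 203.0.113.10 host 10.0.2.100 eq www
"""

def audit(config):
    """Return findings for inside->outside static NAT objects in an ASA config."""
    objects, aces, bound, current = {}, [], set(), None
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[:2] == ["object", "network"] and len(tok) == 3:
            current = objects.setdefault(tok[2], {"real": None, "mapped": None})
        elif current is not None and tok[0] == "host" and len(tok) == 2:
            current["real"] = tok[1]
        elif current is not None and tok[:3] == ["nat", "(inside,outside)", "static"] and len(tok) > 3:
            current["mapped"] = tok[3]          # an address, or the keyword "interface"
        elif tok[0] == "access-list":
            current = None
            m = re.match(r"access-list (\S+) extended permit tcp (.+) host (\S+) eq (\S+)$", " ".join(tok))
            if m:
                aces.append(m.groups())         # (acl, source, destination, port)
        elif tok[0] == "access-group":
            current = None
            if tok[2:] == ["in", "interface", "outside"]:
                bound.add(tok[1])
    findings = []
    for name, obj in objects.items():
        if not (obj["real"] and obj["mapped"]):
            continue                            # not a static NAT host object
        hits = [a for a in aces if a[2] == obj["real"]]
        if any(a[2] == obj["mapped"] for a in aces):
            findings.append(f"{name}: ACE targets mapped address {obj['mapped']}, not real {obj['real']}")
        if not hits:
            findings.append(f"{name}: no permit ACE to {obj['real']}; default deny applies")
        for acl, src, _, port in hits:
            if acl not in bound:
                findings.append(f"{name}: ACL {acl} not applied with access-group on outside")
            if src.split()[0] in ("any", "any4"):
                findings.append(f"{name}: {acl} permits any source to port {port}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```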

RE: Cisco ASA 5510 -Static NAT Help

(OP)
worked great... thanks
