ASA 8.2 NAT Examples

Access webserver from outside:

[Figure: asa-8-2-dnat]

Here we want to allow access to the webserver from the Internet. We have to configure NAT so that whenever anyone from outside hits 1.1.1.80 on port 80, the traffic goes to 192.168.1.2 on port 80:

static (inside,outside) tcp 1.1.1.80 www 192.168.1.2 www netmask 255.255.255.255
access-list access-server-from-outside extended permit tcp any host 1.1.1.80 eq www

Note:
Here we have to create an ACL to allow traffic from outside to inside. The ACL must
reference the public address of the server, because in the ASA 8.2 packet flow the
inbound ACL is checked first and only then does NAT (untranslation) happen.

Even though the NAT rule is written from inside to outside, the webserver will be accessible
from the Internet, because the rule says that whenever traffic comes from 192.168.1.2 with
source port 80, the source address is changed to 1.1.1.80 and the source port stays 80.

A server does not generate traffic with source port 80 on its own. The source port will be 80
only in replies to connections that someone else opened to it. Traffic initiated by any device
uses an ephemeral source port (1024 or above).

So if the webserver tries to access the Internet with only the port-specific static above, it will not succeed; we also need a source NAT.
Either of the following NAT and ACL configurations allows access both to and from the server:

static (inside,outside) 1.1.1.80 192.168.1.2 netmask 255.255.255.255
access-list access-server-from-outside extended permit tcp any host 1.1.1.80 eq www

OR

static (inside,outside) tcp 1.1.1.80 www 192.168.1.2 www netmask 255.255.255.255
nat (inside) 1 192.168.1.2 255.255.255.255
global (outside) 1 1.1.1.80
access-list access-server-from-outside extended permit tcp any host 1.1.1.80 eq www
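As an added example (not part of the original post, and not ASA code), the following Python model imitates the ASA 8.2 order of operations just described: the inbound ACL is matched on the untranslated public address, a port-level static only covers the one port, and the server's own outbound connections need the nat/global pair. The address values are the post's own; the simplification that dynamic NAT keeps the source port is an assumption of the model.

```python
# Added example (not from the original post): a model of ASA 8.2 inbound/outbound
# packet flow. It shows why the ACL must name the public address and why a
# port-specific static alone does not translate traffic the server initiates.

def match_static(statics, ip, port, side):
    """Find the static entry whose 'side' ("global" or "local") address
    (and port, for a port-level static) matches the packet."""
    for s in statics:
        if s[side] != ip:
            continue
        if s.get("port") is not None and s["port"] != port:
            continue  # static PAT only maps the one configured port
        return s
    return None

def acl_permits(acl, proto, dst_ip, dst_port):
    """ACL rules are (proto, dst_ip, dst_port) with source 'any' implied."""
    return any(r == (proto, dst_ip, dst_port) for r in acl)

def inbound(cfg, proto, dst_ip, dst_port):
    """Outside -> inside: the ACL is checked on the untranslated (public)
    destination first, then the static is consulted to untranslate it."""
    if not acl_permits(cfg["acl"], proto, dst_ip, dst_port):
        return "denied by ACL"
    s = match_static(cfg["static"], dst_ip, dst_port, "global")
    if s is None:
        return "no translation"
    return (s["local"], dst_port)

def outbound(cfg, src_ip, src_port):
    """Inside -> outside: a matching static wins, then dynamic nat/global;
    with neither, the flow has no translation (simplified: port is kept)."""
    s = match_static(cfg["static"], src_ip, src_port, "local")
    if s is not None:
        return (s["global"], src_port)
    for local, glob in cfg["dynamic"]:
        if local == src_ip:
            return (glob, src_port)
    return "no translation"

# 'static (inside,outside) tcp 1.1.1.80 www 192.168.1.2 www' plus the ACL
PAT_ONLY = {"static": [{"global": "1.1.1.80", "local": "192.168.1.2", "port": 80}],
            "dynamic": [], "acl": [("tcp", "1.1.1.80", 80)]}
# same static plus 'nat (inside) 1 192.168.1.2' and 'global (outside) 1 1.1.1.80'
WITH_SOURCE_NAT = dict(PAT_ONLY, dynamic=[("192.168.1.2", "1.1.1.80")])
# an ACL written against the private address never matches the inbound packet
WRONG_ACL = dict(PAT_ONLY, acl=[("tcp", "192.168.1.2", 80)])
```

Running inbound() and outbound() against the three configurations reproduces the post's points: only the correctly written ACL admits the web request, and only WITH_SOURCE_NAT translates a connection the server opens from an ephemeral port.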