[c-nsp] 8.3 nat question asa

Jason Gurtz jasongurtz at npumail.com
Fri Aug 26 09:09:28 EDT 2011


> I have defined dynamic source nat rule:
> 
> Here is the relevant config:
> 
> object network obj-10.201.0.0
>  subnet 10.201.0.0 255.255.0.0
> 
> object network obj-2.2.2.102
>  host 2.2.2.102
> 
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102

Food for thought (not sure if this is worse/better/same). Say the outside
interface, 2.2.2.102, is part of network 2.2.2.96/28:
!
object network Obj-Everything
 subnet 0.0.0.0 0.0.0.0
!
! Subnet that non-employees end up on; they go out via a different
! public IP
object network Obj-Guest-Net
 subnet 172.20.0.0 255.255.0.0
!
object network Obj-Everything
 nat (inside,outside) dynamic interface
object network Obj-Guest-Net
 nat (inside,outside) dynamic 2.2.2.103

> What I am looking to do, if possible (I believe it should be) is do a
> static mapping from the outside of 2.2.2.102:80 to a single ip address in
> the 10.201.0.0/16 net, for ex 10.201.10.10:80
>
> [...]
>
> Is that correct? Also, what is the syntax for mapping only port 80 of
> obj-2.2.2.102 to obj-10.201.10.10?
> so, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80

"Map all ports on public IP x to private IP y" should be similar but we
have only implemented the latter, more specific case:

object network HostName1_TCP7979
 host 10.201.1.10
object network HostName1_TCP8888
 host 10.201.1.10
!
object-group service HostName-Ports tcp
 description GPIM active tcp ports
 port-object eq 7979
 port-object eq 8888
!
access-list Inbound extended permit tcp any host 10.201.1.10 object-group
HostName-Ports log
!
object network HostName1_TCP7979
 nat (inside,outside) static interface service tcp 7979 7979
object network HostName1_TCP8888
 nat (inside,outside) static interface service tcp 8888 8888
!

I do remember the sh run output for the object related commands in 8.3
seemed a little wacky, but looking at this I'm not sure if we tried
something like this or not:

object network HostName1_PortMap
 host 10.201.1.10
 nat (inside,outside) static interface service object HostName-Ports

~JasonG
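Putting the thread's two pieces together for the original question (2.2.2.102:80 forwarded to 10.201.10.10:80 while the rest of 10.201.0.0/16 PATs out), as an added 8.3 object-NAT example that is not from the original post. It assumes 2.2.2.102 is the outside interface address (so the poster's `dynamic interface` form replaces the asker's twice-NAT rule) and that the interface is GigabitEthernet0/0; the object and ACL names are made up here.

```cisco
! Assumed: outside interface carries 2.2.2.102 out of 2.2.2.96/28
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.102 255.255.255.240
!
! Real inside network; outbound traffic PATs to the outside interface
! address (same form as the Obj-Everything rule above)
object network obj-10.201.0.0
 subnet 10.201.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Web server reachable from outside as 2.2.2.102:80 only.
! "service tcp 80 80" forwards just that port; within section 2 (object
! NAT) static rules are evaluated before dynamic ones, and unlike the
! dynamic PAT a static rule permits inbound connection initiation.
object network obj-10.201.10.10_TCP80
 host 10.201.10.10
 nat (inside,outside) static interface service tcp 80 80
!
! 8.3+: the inbound ACL matches the real (untranslated) address, exactly
! as the "permit tcp any host 10.201.1.10" line in the post does
access-list Inbound extended permit tcp any host 10.201.10.10 eq 80 log
access-group Inbound in interface outside
!
! Checks: confirm rule order and hit counts, then trace an inbound packet
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 2.2.2.102 80 detailed
```

The `packet-tracer` run should show the UN-NAT phase rewriting 2.2.2.102:80 to 10.201.10.10:80 and the ACCESS-LIST phase matching `Inbound` on the real address; a hit on the dynamic rule instead means the static rule was not installed.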