[c-nsp] 8.3 nat question asa

Bruce Pinsky bep at whack.org
Mon Aug 29 14:56:19 EDT 2011


dalton wrote:
> 
> Hi,
> 
> I have what is probably a simple question; however, this is my first occasion working with the new NAT config on an ASA running 8.3.
> 
> I have defined dynamic source nat rule:
> 
> Here is the relevant config:
> 
> object network obj-10.201.0.0 
>  subnet 10.201.0.0 255.255.0.0
> 
> object network obj-2.2.2.102 
>  host 2.2.2.102
> 
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102
> 
> What I am looking to do, if possible (I believe it should be), is a static mapping from the outside of 2.2.2.102:80 to a single IP address in the
> 10.201.0.0/16 net, for example 10.201.10.10:80
> 
> I'm guessing the syntax would be similar to:
> 
> 1) add object
> object network obj-10.201.10.10
>   host 10.201.10.10
> 
> 2) Then add the manual nat rule
> nat (outside,inside) source static obj-2.2.2.102 obj-2.2.2.102  destination static obj-10.201.10.10 obj-10.201.10.10
> 
> Is that correct? Also, what is the syntax for mapping only port 80 of obj-2.2.2.102 to obj-10.201.10.10?
> so, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80
> 
> Any help or tips appreciated!
> 

I do something similar.  I dynamic NAT all inside traffic to the outside
interface address except for a single port that static maps to something
inside.  Here is the relevant config:

object network Slingbox
 nat (inside,outside) static interface service tcp 5001 5001
object network Any
 nat (any,outside) dynamic interface

--
=========
bep
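
The object-NAT pattern from the reply above, applied to the addresses in the question, as an added example that is not part of the original thread. The object names and addresses are the ones dalton posted; the ACL name outside_in and the test source 198.51.100.10 are assumptions.

```cisco
! Added example (not from the thread). Mapped address object, as in the question.
object network obj-2.2.2.102
 host 2.2.2.102
!
! Real inside host. The port-specific static NAT lives inside the object:
! "service tcp <real_port> <mapped_port>" publishes only tcp/80.
object network obj-10.201.10.10
 host 10.201.10.10
 nat (inside,outside) static obj-2.2.2.102 service tcp 80 80
!
! From 8.3 on, interface ACLs match the real (inside) address, not the
! mapped one. Permit only the published port.
! outside_in is a hypothetical name; if an ACL is already bound inbound on
! outside, add the permit line to that ACL instead of binding a new one.
access-list outside_in extended permit tcp any host 10.201.10.10 eq 80
access-group outside_in in interface outside
!
! Checks to run from exec mode after applying:
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.10 12345 2.2.2.102 80
```

Manual NAT rules such as the dynamic rule in the question are evaluated before object NAT, so use the packet-tracer output to confirm that inbound tcp/80 is un-translated by the static rule and that no other port on 10.201.10.10 is reachable from outside.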
