[c-nsp] 8.3 nat question asa
Bruce Pinsky
bep at whack.org
Mon Aug 29 14:56:19 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
dalton wrote:
>
> Hi,
>
> I have what is probably a simple question, however, my first occasion of working with new nat config on an asa running 8.3.
>
> I have defined dynamic source nat rule:
>
> Here is the relevant config:
>
> object network obj-10.201.0.0
> subnet 10.201.0.0 255.255.0.0
>
> object network obj-2.2.2.102
> host 2.2.2.102
>
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102
>
> What i am looking to do, if possible (i believe it should be) is do a static mapping from the outside of 2.2.2.102:80 to a single ip address in the
> 10.201.0.0/16 net, for ex 10.201.10.10:80
>
> I'm guessing the syntac would be similar to:
>
> 1) add object
> object network obj-10.201.10.10
> host 10.201.10.10
>
> 2) Then add the manual nat rule
> nat (outside,inside) source static obj-2.2.2.102 obj-2.2.2.102 destination static obj-10.201.10.10 obj-10.201.10.10
>
> Is that correct? Also, what is the syntax for mapping only port 80 of obj-2.2.2.102 to obj-10.201.10.10?
> so, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80
>
> Any help or tips appreciated!
>
I do something similar. I dynamic NAT all inside traffic to the outside
interface address except for a single port that static maps to something
inside. Here is the relevant config:
object network Slingbox
nat (inside,outside) static interface service tcp 5001 5001
object network Any
nat (any,outside) dynamic interface
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5b4NMACgkQE1XcgMgrtyY8xQCfXtBy7N7zPI6WHL4/pSdExgUw
g/UAoMWZQQMSTRKMYlp347NtJIWGFwf0
=Lzw3
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list