Cisco ASA 8.4(3); NAT multiple ports on public IP to private IP

ciscocisco-asanat;

I have the following configuration on an ASA running 8.4 already;

object network SERVER-01
 host 192.168.0.1
!
object network SERVER-01
 nat (Inside,Outside) static interface service tcp 3389 5001

I have this config repeated several times to allow RDP to multiple machines behind the ASA, on different ports; 5001 forwards to one server, 5002 to another, and so on.

For this one server in the above config though, I want to forward port 5555 publicly to port 5555 at the same private IP, 192.168.0.1.

If I try to enter the above config but with different port numbers, it is overwritten, I can't seem to add an additional NAT entry, only replace that one. This indicates I can only have one port forwarded to each internal IP at a time. Is that correct, or can I forward various public ports to an internal host, but using some other method? If so, how?

Best Answer

Unfortunately from the Configuring Network Object NAT documentation for 8.4 it states

You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.

So you will have to create multiple objects with the same host just different names.

Related Solutions

Cisco ASA 9.0(1) – NAT / PAT

Here's an example configuration for what you're looking to accomplish.

First create an object for you server:

object network SRV1
host 10.203.5.1

Next, create the PAT rule that uses your outside interface IP:

object network SRV1
nat (inside,outside) static interface service tcp 3389 10001

The packet processing order of operations on 8.2 code and below is ACL --> NAT. Post 8.3 code is NAT --> ACL, so your ACL will have a permit to the inside network IP.

Finally, create your ACL rule:(assuming your access list name is outside_access_in)

access-list outside_access_in extended permit tcp any object SRV1 eq 3389

Rinse and repeat.

Nat – Source NATing Fortigate typical scenario

Yes I understand your scenario and your requirement ..to access resources on remote firewall on port RDP ie 3389 from fortigate 200d connected switch lan users

For your requirement no natting required. . Please configure static route in fortigate 200D as below

Ip route 10.48.1.0 255.255.255.0 points towards gateway 10.189.254.17

And for reverse traffic static route in remote n /W firewall Ip route 192.168.60.0 255.255.255.0 pointing towards gateway 10.189.254.18

And have a security policies in firewalls allowing traffic

Policy in fortigate 200D

Source interface : interface Port need to mention Destination interface : interface Port need to mention Source address :192.168.60.15/32 Destination address :10.48.1.4/32 Port :tcp-3389 Action : allow Security profiles : on

Now security policy in remote n/w firewall

Source interface : egress interfàe of firewall Destination interface :ingress interface of firewall Source address : 192.168.60.15/32 Destination address :10.48.1.4/32 Port :3389/TCP Action : allowed Security profiles :on .

Now user of fortigate 200D lan users can access internal hosted server on remote network firewall on port 3389

For futher security if you wants to hide your ips then you can use source natting in fortigate 200D firewalls but to accomplish this you need to configure static route in fortigate 200d with destination as source nat pool pointing. Towards gateway 192.189.254.17..likewise..

Best Answer

Related Solutions

Cisco ASA 9.0(1) – NAT / PAT

Nat – Source NATing Fortigate typical scenario

Related Topic