In the diagram below we have three servers and a local
network with some users that all need to get out to the Internet. The Web
server and FTP server have to share the same public IP.
Step 1: Create network objects for both the outside (public) and inside addresses that will be used.
ASA(config)# object network public-webftp
ASA(config-network-object)# host 1.1.1.1
ASA(config)# object network public-appserv
ASA(config-network-object)# host 1.1.1.2
ASA(config)# object network public-hidenat
ASA(config-network-object)# host 1.1.1.3
ASA(config)# object network InsideLan
ASA(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA(config)# object network server-web-http
ASA(config-network-object)# host 10.10.10.5
ASA(config)# object network server-web-https
ASA(config-network-object)# host 10.10.10.5
ASA(config)# object network server-ftp
ASA(config-network-object)# host 10.10.10.6
ASA(config)# object network server-apps
ASA(config-network-object)# host 10.10.10.7
Step 2: Apply NAT to our inside objects. The web server gets two objects (server-web-http and server-web-https) because an object NAT statement carries a single service mapping, and we need one for port 80 and one for port 443 on the shared public IP.
ASA(config)# object network InsideLan
ASA(config-network-object)# nat (inside,outside) dynamic public-hidenat
ASA(config)# object network server-web-http
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 80 80
ASA(config)# object network server-web-https
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 443 443
ASA(config)# object network server-ftp
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 21 21
ASA(config)# object network server-apps
ASA(config-network-object)# nat (inside,outside) static public-appserv
Step 3: Create or modify the outside interface access-list to allow incoming traffic to the servers. Note that the entries reference the real (untranslated) inside objects and ports, not the public address.
ASA(config)# access-list outside-incoming extended permit tcp any object server-web-http eq 80
ASA(config)# access-list outside-incoming extended permit tcp any object server-web-https eq 443
ASA(config)# access-list outside-incoming extended permit tcp any object server-ftp eq 21
ASA(config)# access-list outside-incoming extended permit tcp any object server-apps eq 1234
ASA(config)# access-group outside-incoming in interface outside
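Because two servers share one public IP here, the two mistakes that are easy to make are handing the same public IP and port to two inside objects, and forgetting the access-list permit for a port-forwarded object. The following is an added example, not part of the original post or of any Cisco tool: a small Python audit that parses object NAT statements and ACL entries in the form used above (constructed sample config; server-web-dup is a hypothetical extra object added to show the clash) and reports both problems.

```python
import re
from collections import defaultdict
# Constructed sample in the form of the page's configuration; server-web-dup is
# a hypothetical extra object that wrongly reuses public-webftp tcp/80.
SAMPLE_CONFIG = """
object network server-web-http
 host 10.10.10.5
 nat (inside,outside) static public-webftp service tcp 80 80
object network server-ftp
 host 10.10.10.6
 nat (inside,outside) static public-webftp service tcp 21 21
object network server-web-dup
 host 10.10.10.9
 nat (inside,outside) static public-webftp service tcp 8080 80
object network server-apps
 host 10.10.10.7
 nat (inside,outside) static public-appserv
access-list outside-incoming extended permit tcp any object server-web-http eq 80
access-list outside-incoming extended permit tcp any object server-web-dup eq 8080
access-list outside-incoming extended permit tcp any object server-apps eq 1234
"""
NAT_RE = re.compile(r"nat \(\S+\) static (\S+)(?: service (\S+) (\S+) (\S+))?")
ACL_RE = re.compile(r"access-list \S+ extended permit (\S+) any object (\S+) eq (\S+)")

def parse(cfg):
    # Returns static NAT rules as (object, public_object, proto, real_port,
    # mapped_port) with proto None for one-to-one NAT, plus ACL (proto, object, port).
    nats, acl, current = [], set(), None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif (m := NAT_RE.match(line)) and current:
            nats.append((current,) + m.groups())
        elif m := ACL_RE.match(line):
            acl.add(m.groups())
    return nats, acl

def audit(cfg):
    # Two defects this design invites: one public IP:port handed to two inside
    # objects, and a port-forward whose real (untranslated) port has no ACL permit.
    nats, acl = parse(cfg)
    findings, used = [], defaultdict(list)
    for obj, pub, proto, real_port, mapped_port in nats:
        used[(pub, proto, mapped_port)].append(obj)
        if proto and (proto, obj, real_port) not in acl:
            findings.append(f"no ACL permit for {obj} {proto}/{real_port}")
    for (pub, proto, port), objs in used.items():
        if len(objs) > 1:
            findings.append(f"{pub} {proto}/{port} mapped to both {objs[0]} and {objs[1]}")
    return sorted(findings)
```

Run against the sample it reports the missing permit for server-ftp and the port-80 clash on public-webftp; an empty list means the config passed both checks.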
If you prefer to use the ASDM, here is a basic rundown of how to add an Object NAT.
Step 1: You can either add or edit an existing object using the toolbar on the right side, or in the NAT configuration window you can add an Object NAT from the drop-down Add menu.
Step 2: Once the object window is shown, click the small drop-down arrow to access the NAT configuration section.
Step 3: Check the "Add Automatic Address Translation rules" box.
Step 4: Select whether you want a static, dynamic, or dynamic PAT translation and add your translated address or object. Once the type and translated address are filled out, click the Advanced button.
Step 5: In this window you select your source and translated (destination) interfaces. For a static one-to-one NAT, leave the service section blank with no port numbers. For a PAT or port forward, fill them out. The last item in this window is the "Translate DNS replies for rule" option. This option is only available for a static one-to-one NAT (no port numbers filled out).