I finally got round to reconfiguring my Cisco ASA 5505 so that it has a proper internal LAN and uses PAT/NAT on the outside.
I am getting this working, but have trouble with one specific scenario:
- I want all traffic coming from 192.168.1.2 to the outside to be represented on the outside as xx.xx.xx.212.
- I will be opening up ports to the xx.xx.xx.212 IP address without using port redirection.
- I wish to open up port 53 on the outside IP address to a DNS server on the inside, however, on the inside, we are running the DNS service on port 5353.
I tried the following commands:
static (inside,outside) tcp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.212 192.168.1.2 netmask 255.255.255.255
However, when I entered the third command, I got an error that the command would override the scope of the preceding two commands.
If I were to do static NAT statements for every port that I wanted to map on the inside, then I am not sure whether connections that were going from a non-mapped port would be NATted to the outside address, so is there any other way of doing this? I was wondering whether policy NAT would work. If using this, would I do something like this:
static (inside,outside) xx.xx.xx.212 access-list server_nat
access-list server_nat extended permit tcp host 192.168.1.2 eq 5353 any
access-list server_nat extended permit udp host 192.168.1.2 eq 5353 any
access-list server_nat extended permit ip host 192.168.1.2 any
However, I wanted to check with someone before doing this, in case it was going to mess something else up.
Would this be a better way of doing this?