ASA 5505: NAT/PAT question

Hi,

I finally got round to reconfiguring my Cisco ASA 5505 so that it has a proper internal LAN and uses PAT/NAT on the outside.

I am getting this working, but have trouble with one specific scenario:

- I want all traffic coming from 192.168.1.2 to the outside to be represented on the outside as xx.xx.xx.212.

- I will be opening up ports to the xx.xx.xx.212 IP address without using port redirection.

- I wish to open up port 53 on the outside IP address to a DNS server on the inside; however, on the inside we are running the DNS service on port 5353.

I tried the following commands:

static (inside,outside) tcp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.212 192.168.1.2 netmask 255.255.255.255

However, when I entered the third command, I got an error that the command would override the scope of the preceding two commands.

If I were to do static NAT statements for every port that I wanted to map on the inside, then I am not sure whether connections that were going from a non-mapped port would be NATed to the outside address, so is there any other way of doing this? I was wondering whether policy NAT would work? If using this, would I do something like this:

static (inside,outside) xx.xx.xx.212 access-list server_nat

access-list server_nat extended permit tcp host 192.168.1.2 eq 5353 any
access-list server_nat extended permit udp host 192.168.1.2 eq 5353 any
access-list server_nat extended permit ip host 192.168.1.2 any

However, I wanted to check with someone before doing this, in case it was going to mess something else up.

Would this be a better way of doing this?

Thanks. Andrew.
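The scenario from the question, written out as an added example rather than the poster's own configuration: the two port-specific statics are kept, and instead of a third one-to-one static (which the ASA rejects as overlapping) the remaining outbound traffic from 192.168.1.2 is translated by a dedicated nat/global pair that uses the same xx.xx.xx.212 address. This assumes the pre-8.3 ASA syntax used in the question; the nat ID 2 and the ACL name outside_in are placeholders.

```cisco
! Port redirects: outside port 53 (domain) -> inside port 5353, TCP and UDP.
! Statics are evaluated before nat/global, so these two flows always win.
static (inside,outside) tcp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.212 domain 192.168.1.2 5353 netmask 255.255.255.255

! Everything else leaving 192.168.1.2 is PAT'd to xx.xx.xx.212 (nat ID 2 is a placeholder).
! Only this one host is in the pool, so no other internal address can borrow .212.
nat (inside) 2 192.168.1.2 255.255.255.255
global (outside) 2 xx.xx.xx.212

! Translation alone does not admit inbound traffic: the outside ACL must permit
! exactly the exposed ports, and each further port needs its own static plus ACL line.
access-list outside_in extended permit tcp any host xx.xx.xx.212 eq domain
access-list outside_in extended permit udp any host xx.xx.xx.212 eq domain
access-group outside_in in interface outside
```

After applying it, `show xlate` should list the two port translations for 192.168.1.2 plus dynamic PAT entries to xx.xx.xx.212 for other outbound connections from that host.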

Andrew Hodgson
