Another run in with Cisco NAT ASA 8.3 >

Overview of Cisco NAT problem

I have recently been moving a service from some old ASAs to some nice shiny 5525s and had to translate old Cisco NAT to new Cisco NAT. One of my stumbling blocks was making sure a couple of specific hosts bound them selves to a particular IP outbound when a specific port is used. The old config used access lists to do it but I found it to be over complicated, so I looked into using object groups instead.  Below is a diagram of what we want to achieve.

Cisco ASA 8.3 NAT : www.geektowers.com

 

Solution

Turns out this was really simple.

Enter configuration mode:

conf t

Create objects for the hosts:

object network OBJ-192.168.0.71

host 192.168.0.71

object network OBJ-192.168.0.72

host 192.168.0 72

object network OBJ-192.168.100.100

host 192.168.100.100

Place the host objects inside an object group:

object-group network OBJ-9998-TCP-OUTBOUND

network-object object OBJ-192.168.0.71

network-object object OBJ-192.168.0.72

 

 

Create the service object:

object service OBJ-9998-TCP

service tcp destination eq 9998

Create the NAT rule:

nat (INSIDE,OUTSIDE) source static OBJ-9998-TCP-OUTBOUND OBJ-192.168.100.100 service OBJ-9998-TCP OBJ-9998-TCP

Finally the access list:

access-list INSIDE extended permit tcp object-group OBJ-9998-TCP-OUTBOUND any eq 9998

NB. I have just but a destination of any here for ease.

Don’t forget to save the running configuration:

end copy running-config startup-config

 

 

Home

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.