
We have this setup on a SonicWall firewall, but I can't for the life of me figure out how to do it on a new Cisco 5520. Here is what I want to do:

External_IP1:25   -->   InternalMailGW_IP:25
External_IP1:80   -->   InternalWeb_IP:80

The ACLs are fine, it's just the NATing that I can't figure out.

Is there any way to do this? I know it's probably not advised, but we have a limited number of external IPs and I don't want to go through the hassle of requesting more at this time.

ScottAdair
  • There's nothing wrong with doing that if you have the need; I'm not that familiar with the Ciscos to give you specific instructions, though. Look around for 'One-to-one NAT' or 'NAT Mapping'. – Coding Gorilla Sep 23 '11 at 17:52
  • Why wouldn't it be advised? You've got a limited number of IP addresses and you have more internal resources that need to be externally available than you have external IP addresses. It seems perfectly advisable and acceptable to me to NAT a single external IP address to multiple internal IP addresses for multiple services. Your only limitation is that you can't NAT and forward the external IP address to multiple internal IP addresses for the same port/service (you can only forward SMTP traffic to one internal IP address, for instance). – joeqwerty Sep 23 '11 at 17:55
  • @Coding Gorilla: How do you do it! You're always one step ahead of me! Curses! – joeqwerty Sep 23 '11 at 17:56
  • What version is the ASA? The commands change significantly between older and newer versions. – Shane Madden Sep 23 '11 at 18:02
  • Glad to hear that it can be done, and that it is OK. But how would one do it? When I try to add multiple NAT rules it blows up (says that it overlaps). ASA version is 8.2(1) and ASDM is 6.2(1). – ScottAdair Sep 23 '11 at 18:03

1 Answer


Assuming that the external IP is the primary IP for the interface (change that if it's not true):

static (inside,outside) tcp interface 80 web-server-ip 80 netmask 255.255.255.255 tcp 0 0
static (inside,outside) tcp interface 25 mail-server-ip 25 netmask 255.255.255.255 tcp 0 0

And make sure that those ports are allowed bound for the interface address on the outside interface's inbound ACL.

Maybe look at upgrading, at least to the newest minor version of 8.2; 8.2.1 is pretty ancient. Once you hit 8.3 the config changes around a lot, but it'll convert your existing config pretty well when you upgrade.

Shane Madden
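A fuller version of the approach in the answer above, as an added example rather than anything from the original answer. The inside addresses 10.0.0.10 (mail gateway) and 10.0.0.20 (web server) and the ACL name outside_in are assumptions; the first half uses the 8.2 static PAT syntax the answer gives and adds the matching inbound ACL, and the second half shows the equivalent object NAT form that 8.3 and later use, which is what the upgrade conversion the answer mentions produces.

```text
! ASA 8.2: static PAT (port forwarding) on the outside interface address.
! Inside addresses and the ACL name outside_in are assumed for illustration.
static (inside,outside) tcp interface 25 10.0.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.0.0.20 80 netmask 255.255.255.255
! Before 8.3, inbound ACLs match the translated (outside) address,
! so the permit targets "interface outside".
access-list outside_in extended permit tcp any interface outside eq 25
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside

! ASA 8.3 and later: the same two mappings as object NAT.
object network mail-server
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 25 25
object network web-server
 host 10.0.0.20
 nat (inside,outside) static interface service tcp 80 80
! From 8.3 on, ACLs match the real (inside) address, not the mapped one.
access-list outside_in extended permit tcp any object mail-server eq 25
access-list outside_in extended permit tcp any object web-server eq 80
access-group outside_in in interface outside
```

The two static lines coexist because they claim different TCP ports on the same mapped address; a plain one-to-one static (no tcp/port keywords) on the interface address would claim the whole address and conflict with both. Keep the ACL as tight as the services need: the permits above only open 25 and 80 to the two hosts, nothing else on the outside address.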