NAT Port Forwarding is useful when you have a single public IP address and multiple devices behind it that you want to reach from the outside world. Take a look at the example below:
In the topology above we have an ASA firewall with a DMZ and two servers…an HTTP server and an SSH server. Let’s imagine that the IP address on the ASA’s E0/1 interface (192.168.2.254) is a public IP address. Our goal is to make sure that we can reach these servers from the outside world. R2 is only there so we have a device on the “outside” that we can use to test whether NAT is working.
HTTP uses TCP port 80 and SSH uses TCP port 22 so what we’ll do is forward these ports. Whenever someone connects on IP address 192.168.2.254 TCP port 80 we will forward them to 192.168.3.1 TCP port 80.
We can use different port numbers if we want and to demonstrate this, we will configure the ASA so that whenever someone connects on 192.168.2.254 TCP port 10022, we will forward it to 192.168.3.3 TCP port 22.
Let me show you how to configure this. We start with the HTTP server:
ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.3.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 80 80
We create a network object that specifies the real IP address of the web server and then we create our NAT rule. By using the keyword interface we tell the ASA to use the IP address of the OUTSIDE interface as the mapped address. The first port number is the real port that the server is listening on, the second port number is the mapped port on the outside. Let’s configure another PAT entry for the SSH server:
ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.3.3
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022
This network object is similar to the first one but you can see I used a different port number for the outside. Whenever someone connects on TCP port 10022, it will be forwarded to TCP port 22. This takes care of the NAT rules but don’t forget to create an access-list or our traffic will be dropped:
Hi Rene,
in your post you have the config:
Which means that if you connect to port 10022 on the outside interface, the request is forwarded to 192.168.3.3 port 80.
BUT what happens the other way around? What if the internal host 192.168.3.3 initiates the connection. It will be translated to the OUTSIDE IP, but will the port be changed as well? Is this translation only triggered if the specifi
Hello Florian
These commands do the following:
Any communication from the outside with a destination IP address of 192.168.2.254 (the IP of the outside interface) and a port of 10022 will be translated and would reach the server at IP address 192.168.3.3 on port 22. These commands are ONLY for traffic originating OUTSIDE with the specific destination IP and port pair.
If 192.168.3.3 decides to initiate a communication to a destination on the Internet, these commands have nothing to do with the behaviour of such an action. If you want servers on the DMZ to ac
Hello Florian
According to Cisco, concerning the implementation of Network Object NAT:
Let’s take a look at your example:
Hello Florian
As mentioned in the Cisco quote, the command will function in both directions, however, the appropriate IP addresses and ports must be used in order for the transmission to match the NAT object and to successfully be translated.
As for the (DMZ,OUTSIDE) portion of the command, it must have the following syntax:
**nat** [(real_ifc,mapped_ifc)] …
The real_ifc is the real interface, that is the interface pointing towards the server/device for which you are configuring static NAT. The mapped_ifc is the mapped interface, that is, the interface to whic
Hello Bruce
Although it is true that the vast majority of NAT configurations are indeed nat (inside,outside), there are situations where the nat (outside,inside) scenario is useful. One such example is if you have a web server that is on the Internet that you want users on the inside of a network to access using an internal private address. This example can be seen in the following Cisco documentation on pages 2 to 4 in a section titled “NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)”
https://www.cisco.com/c/en/us/td/docs/secu
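To make the behaviour discussed above concrete (the two static rules from the post and the forum question about the reverse direction), here is an added Python model of how the ASA matches those rules. It is illustrative code written for this page, not Cisco software; the packet fields and the `translate` helper are assumptions, and it models only the two object NAT rules, with no fall-through to other NAT rules or ACL checks.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the page's two network object NAT rules:
#   nat (DMZ,OUTSIDE) static interface service tcp <real_port> <mapped_port>
OUTSIDE_IP = "192.168.2.254"  # the "interface" keyword: IP of the OUTSIDE interface

# (real_ip, real_port, mapped_port)
RULES = [
    ("192.168.3.1", 80, 80),     # object WEB_SERVER
    ("192.168.3.3", 22, 10022),  # object SSH_SERVER
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def translate(pkt: Packet, ingress: str) -> Optional[Packet]:
    """Apply the static rules for a TCP packet arriving on `ingress`
    ("OUTSIDE" or "DMZ"). Static NAT is bidirectional, but only the exact
    IP/port pair in the rule matches. Returns the translated packet, or
    None when no rule applies (this model omits other NAT rules)."""
    for real_ip, real_port, mapped_port in RULES:
        if ingress == "OUTSIDE" and (pkt.dst_ip, pkt.dst_port) == (OUTSIDE_IP, mapped_port):
            # Inbound: destination rewritten from mapped to real address/port.
            return replace(pkt, dst_ip=real_ip, dst_port=real_port)
        if ingress == "DMZ" and (pkt.src_ip, pkt.src_port) == (real_ip, real_port):
            # Outbound from the server's real port: source rewritten to
            # the OUTSIDE interface address and the mapped port.
            return replace(pkt, src_ip=OUTSIDE_IP, src_port=mapped_port)
    return None


if __name__ == "__main__":
    # R2 (constructed client 192.168.2.2) connecting to the SSH forward.
    print(translate(Packet("192.168.2.2", 40000, OUTSIDE_IP, 10022), "OUTSIDE"))
    # The SSH server replying from port 22: source becomes 192.168.2.254:10022.
    print(translate(Packet("192.168.3.3", 22, "192.168.2.2", 40000), "DMZ"))
    # The SSH server opening a new connection from a random port: no match.
    print(translate(Packet("192.168.3.3", 51000, "192.168.2.2", 443), "DMZ"))
```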