There is a Cisco ASA 5520. NAT is configured on it. The ASA needs to have several public IP addresses, and certain ports on those addresses must be "forwarded" into the local network to servers. At the same time, the existing functionality must be preserved. Is this possible and, if so, how?
1 answer
In Cisco ASA firmware versions below 8.3, this cannot be done. You can set up static NAT, where the ASA forwards all connections from one external IP address to one server on the local network. With static NAT the ASA may have more than one public IP address, but the NAT functionality will be disabled, i.e. using the ASA as a gateway for the local network will be impossible.
However, in firmware version 8.3 and above the necessary functionality is present. Here is the basic configuration that solves this problem:
```
! Internet-facing interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
! Internal network interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! Default gateway.
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
! Port forwarding on the primary IP address.
object network IP1_SERVER1
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 80 80
! Port forwarding on the second IP address.
object network IP2_SERVER1
 host 192.168.1.3
 nat (inside,outside) static 1.2.3.5 service tcp 80 80
! Rules permitting packets from the internal network (everything allowed).
access-list ALLOW_FROM_INTERNAL extended permit ip any any
! Rules permitting packets from the Internet.
! Since 8.3 the ACL matches the real (internal) address, so it references
! the network objects defined above; the object names must match exactly.
access-list ALLOW_FROM_INTERNET extended permit tcp any object IP1_SERVER1 eq 80
access-list ALLOW_FROM_INTERNET extended permit tcp any object IP2_SERVER1 eq 80
! Apply the rules to the interfaces.
access-group ALLOW_FROM_INTERNET in interface outside
access-group ALLOW_FROM_INTERNAL in interface inside
```
In this way, you can "forward" ports from any number of public IP addresses, and you can "forward" different ports to different internal addresses.
If there are many rules, instead of specifying a specific address in each nat rule, you can create an object network and reference it in the rules:
```
object network WAN_IP_2
 host 1.2.3.5
object network IP2_SERVER1
 host 192.168.1.3
 nat (inside,outside) static WAN_IP_2 service tcp 80 80
```
With this approach, when the addressing changes, you don't have to "shovel" through the entire config; you just change the address in one place.
PS Verified working on a Cisco ASA 5520 with firmware version 9.1(3).
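As an added example (not from the original answer), the same object-NAT approach extended in two directions: it keeps the outbound NAT that the question asks to preserve, and it forwards different ports on one public address to different internal servers. Interface and object naming follows the answer's config; the third public address 1.2.3.6, the internal hosts 192.168.1.10/.11 and the source addresses 203.0.113.10 and 198.51.100.7 are constructed values.

```cisco
! Keep the existing outbound NAT: everything from the inside network
! leaves via the outside interface address (dynamic PAT). Static object
! NAT rules are evaluated before dynamic ones, so they are not shadowed.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Third public address (assumed: 1.2.3.6) in the outside subnet. It only
! has to appear in NAT rules; the ASA proxy-ARPs for mapped addresses.
object network WAN_IP_3
 host 1.2.3.6
!
! Two different ports on the same public address go to two different
! servers. One "object network" per (server, service) pair, because a
! network object can carry only one nat statement.
object network IP3_WEB
 host 192.168.1.10
 nat (inside,outside) static WAN_IP_3 service tcp 80 80
object network IP3_SSH
 host 192.168.1.11
 nat (inside,outside) static WAN_IP_3 service tcp 22 2222
!
! Since 8.3 the ACL on "outside" matches the real (untranslated)
! destination, so it references the internal objects and the real port
! (22, not the mapped 2222). Restrict the source where possible.
object-group network MGMT_SOURCES
 network-object host 203.0.113.10
access-list ALLOW_FROM_INTERNET extended permit tcp any object IP3_WEB eq 80
access-list ALLOW_FROM_INTERNET extended permit tcp object-group MGMT_SOURCES object IP3_SSH eq 22
!
! Verification (privileged EXEC): simulate a packet from the Internet to
! the mapped port and confirm the NAT phase rewrites it to the real server,
! then check the installed rules and active translations.
! packet-tracer input outside tcp 198.51.100.7 40000 1.2.3.6 2222
! show nat detail
! show xlate
```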