ASA 5505: NAT/PAT question

Discussion in 'Cisco' started by Andrew Hodgson, Nov 7, 2008.

  1. Hi,

    I finally got round to reconfiguring my Cisco ASA 5505 so that it has
    a proper internal LAN and uses PAT/NAT on the outside.

    I am getting this working, but have trouble with one specific

    - I want all traffic coming from to the outside to be
    represented on the outside as xx.xx.xx.212.
    - I will be opening up ports to the xx.xx.xx.212 IP address without
    using port redirection.
    - I wish to open up port 53 on the outside IP address to a DNS server
    on the inside, however, on the inside, we are running the DNS service
    on port 5353.

    I tried the following commands:

    static (inside,outside) tcp xx.xx.xx.212 domain 5353
    static (inside,outside) udp xx.xx.xx.212 domain 5353
    static (inside,outside) xx.xx.xx.212 netmask

    However, when I entered the third command, I got an error that the
    command would override the scope of the preceding two commands.

    If I were to do static NAT statements for every port that I wanted to
    map on the inside, then I am not sure whether connections that were
    going from a non-mapped port would be NATted to the outside address,
    so is there any other way of doing this? I was wondering whether
    policy NAT would work? If using this, would I do something like this:

    static (inside,outside) xx.xx.xx.212 access-list server_nat

    access-list server_nat extended permit tcp host 5353
    access-list server_nat extended permit udp host 5353
    access-list server_nat extended permit ip host any

    However, I wanted to check with someone before doing this, in case it
    was going to mess something else up.

    Would this be a better way of doing this?

    Andrew Hodgson, Nov 7, 2008
  2. On my pix 515e, you have to use a protocol fix-up to adjust the port from its default.

    You will have to set the internal IP to a static setting, not dynamic.

    But those static statements look off to me for some reason, I think the third one will be all that you need....
    And then you do UDP and TCP port redirections via ACL.....
    sdunn96, Nov 7, 2008
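One way to express what the question asks for, in the pre-8.3 NAT syntax that ASA 5505s ran in 2008 (8.3 and later replaced static/nat/global with object NAT). This is an added example, not configuration from either poster; the inside DNS server 192.168.1.10 and the inside subnet 192.168.1.0/24 are assumed, and xx.xx.xx.212 is the page's placeholder for the public address.

```cisco
! Static PAT: public port 53 -> inside host 192.168.1.10 port 5353, tcp and udp.
! If xx.xx.xx.212 is the outside interface's own address, write "interface"
! in place of the mapped IP on these two lines.
static (inside,outside) tcp xx.xx.xx.212 domain 192.168.1.10 5353 netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.212 domain 192.168.1.10 5353 netmask 255.255.255.255
!
! Dynamic PAT for everything else leaving the inside: all other hosts and
! ports appear as xx.xx.xx.212. No one-to-one "static (inside,outside)
! xx.xx.xx.212 ..." line is needed, which is the line that clashed with
! the two port statics above.
global (outside) 1 xx.xx.xx.212
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Inbound filter on the outside interface: only the translated DNS port is
! reachable from the Internet. Pre-8.3 ACLs on the outside interface match
! the mapped (public) address and port, not the inside ones.
access-list outside_in extended permit tcp any host xx.xx.xx.212 eq domain
access-list outside_in extended permit udp any host xx.xx.xx.212 eq domain
access-group outside_in in interface outside
!
! Checks: "show xlate" should list the two static port translations,
! "show run nat" and "show run global" the dynamic rule, and
! "show access-list outside_in" the hit counts on the two DNS entries.
```

The two static lines are evaluated before the dynamic nat/global pair, so inside host 192.168.1.10 still uses the dynamic PAT for any connection it opens itself from a port other than 5353.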
