12/31/2022

Cisco asa 5505 configuration guide

I have an ASA 5506 running in my lab and I wanted to establish the basic configuration for it first before I jump into the TrustSec configuration.

Note that I am using my object naming standard. If you show run you will see the "object network ..." twice: once for the object definition and then again later on in the configuration with only the nat statement.

object network net-192.168.10.0-24

Define the network objects for your hosts. This is where PAT gets a little hairy in 8.3 and up. We define an object for the host itself (to be used in the ACL to make it easy). Then we define another network object for each port that is needed. With traditional static NAT this is very easy and beautiful; with static PAT it can get a little cumbersome, but is still very descriptive.

nat (inside,outside) static interface service tcp 22 22
nat (dmz,outside) static interface service udp 53 53
nat (dmz,outside) static interface service tcp 80 80
nat (dmz,outside) static interface service tcp 443 443

Now define object-group service groups for use in the ACL.

With objects and object-groups configured and NAT configured (using network object NAT: dynamic PAT and static PAT), all that is left is the ACL side of things. This is where it really comes together, especially in traditional static NAT scenarios. In ASA 8.3+ UN-NAT (and NAT) happens before the L3/L4 access-group ACL check, so use real IPs in access-group ACLs, even when the ACL is bound to the outside interface.

access-list outside_access_in extended permit tcp any object hst-192.168.10.10 object-group svcgrp-192.168.10.10-tcp
access-list outside_access_in extended permit udp any object hst-192.168.20.20 object-group svcgrp-192.168.20.20-udp
access-list outside_access_in extended permit tcp any object hst-192.168.20.20 object-group svcgrp-192.168.20.20-tcp

Don't forget to bind your ACL to the interface.

access-group outside_access_in in interface outside

Note that I stay away from "friendly names" in the object identifiers. They make it a PITA when you are debugging on the CLI. I find the object names I use are very descriptive and handy in real-world scenarios.

Additionally, with static NAT, permitting additional ports only requires adding a port-object entry to the host's svcgrp object. With static PAT, however, you will have to add a new network object for the static PAT (only one nat statement is permitted per object) and add the port-object to the host's svcgrp object. A feature request has been filed with Cisco to allow multiple static PAT statements per network object. This would greatly reduce the number of network objects needed in static PAT scenarios. As of yet, it has not been added.
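To make the "one nat statement per network object" constraint concrete, here is an added example (my own script, not the post's configuration) that generates the object, NAT, service-group and ACL lines from a host list using the post's naming standard (net-<ip>-<prefixlen>, hst-<ip>, svcgrp-<ip>-<proto>). It goes slightly beyond the post by also covering a traditional one-to-one static NAT host alongside the static PAT hosts, so the difference in how many objects each needs is visible. The per-port object name hst-<ip>-<proto><port> is my assumption (the post does not show what it names those objects), and every address and host below is constructed for the example.

```python
"""Generate ASA 8.3+ object / NAT / ACL config from a host list.

Added example, not the post's own config. It follows the post's naming
standard (net-<ip>-<prefixlen>, hst-<ip>, svcgrp-<ip>-<proto>) and the
ASA rule that a network object carries at most ONE nat statement, so
static PAT gets one extra network object per forwarded port. The
per-port object name hst-<ip>-<proto><port> is an assumption (the post
does not show it), and all addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Host:
    ip: str
    iface: str                  # real interface the host sits behind
    nat: str                    # "pat" (static PAT on the outside address) or "static" (1:1)
    ports: dict = field(default_factory=dict)   # proto -> list of ports to expose
    mapped_ip: str = ""         # public address, only used when nat == "static"


def net_obj_name(cidr):
    net = ip_network(cidr)
    return f"net-{net.network_address}-{net.prefixlen}"


def host_obj_name(host):
    return f"hst-{host.ip}"


def render_network_objects(host):
    """Traditional static NAT: one object, one nat line; extra ports later
    only touch the svcgrp. Static PAT: the host object carries NO nat (it
    exists for the ACL) and every port gets its own object + nat line."""
    lines = [f"object network {host_obj_name(host)}", f" host {host.ip}"]
    if host.nat == "static":
        lines.append(f" nat ({host.iface},outside) static {host.mapped_ip}")
        return lines
    for proto, ports in host.ports.items():
        for port in ports:
            lines += [
                f"object network {host_obj_name(host)}-{proto}{port}",
                f" host {host.ip}",
                f" nat ({host.iface},outside) static interface service {proto} {port} {port}",
            ]
    return lines


def render_service_groups(host):
    lines = []
    for proto, ports in host.ports.items():
        lines.append(f"object-group service svcgrp-{host.ip}-{proto} {proto}")
        lines += [f" port-object eq {p}" for p in ports]
    return lines


def render_acl(hosts, acl="outside_access_in"):
    """Permit to the REAL address: on 8.3+ un-NAT runs before the ACL check,
    even for an ACL bound to the outside interface."""
    lines = []
    for h in hosts:
        for proto in h.ports:
            lines.append(f"access-list {acl} extended permit {proto} any "
                         f"object {host_obj_name(h)} object-group svcgrp-{h.ip}-{proto}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def render_config(hosts, inside_nets):
    lines = []
    for cidr, iface in inside_nets:           # dynamic PAT for outbound traffic
        net = ip_network(cidr)
        lines += [f"object network {net_obj_name(cidr)}",
                  f" subnet {net.network_address} {net.netmask}",
                  f" nat ({iface},outside) dynamic interface"]
    for h in hosts:
        lines += render_network_objects(h)
    for h in hosts:
        lines += render_service_groups(h)
    return lines + render_acl(hosts)


def nat_per_object(lines):
    """Sanity check: count nat statements under each 'object network' block.
    The ASA rejects a second nat line in the same object, so every value
    must be 0 or 1 before the output is pasted in."""
    counts, current = {}, None
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]
            counts[current] = 0
        elif line.startswith(" nat ") and current is not None:
            counts[current] += 1
    return counts


# Constructed sample: the post's two hosts plus a one-to-one static NAT host
INSIDE_NETS = [("192.168.10.0/24", "inside"), ("192.168.20.0/24", "dmz")]
HOSTS = [
    Host("192.168.10.10", "inside", "pat", {"tcp": [22]}),
    Host("192.168.20.20", "dmz", "pat", {"udp": [53], "tcp": [80, 443]}),
    Host("192.168.20.30", "dmz", "static", {"tcp": [25, 587]}, mapped_ip="203.0.113.30"),
]

if __name__ == "__main__":
    cfg = render_config(HOSTS, INSIDE_NETS)
    print("\n".join(cfg))
    assert max(nat_per_object(cfg).values()) <= 1
```

Running it prints the config in paste-able order: network objects (with their single nat line each), service groups, then the ACL using the real hst-<ip> objects and the access-group binding. The static PAT host with three ports produces four network objects, while the one-to-one static NAT host produces one no matter how many ports it exposes; that is exactly the object growth the feature request in the post is about. The nat_per_object check is there so a script edit can never emit a second nat line into an existing object, which the ASA would reject.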