PAT can be accomplished in two ways – by network object or by service object.
These notes are based on trying to get a port or group of ports to forward from the outside interface to a host behind the DMZ interface on a 5505 running 8.4:
Single Port – web server example
Use network object. Add an access list rule with:
Interface:outside
Source: any
Destination: LAN IP address of server (i.e. the internal IP address of the web server)
Service: www
Now add a NAT rule – Add Network Object Rule
Name: something descriptive
Type: Host
IP Address: LAN IP of server (same as in Destination above)
Under NAT, check Add Automatic Address Translation Rules
Type: Static
Translated Address: outside
Click Advanced, enter the port number (80) in the Real Port and Mapped Port fields.
OK, Apply, Done – web server is now serving requests from the real world. The rule appears under “Network Object” NAT Rules, and there is now an address object. If you need to forward many ports to this server, the best option is to use the service object, as otherwise you need to create many network objects (one for each port).
Video reference: https://supportforums.cisco.com/videos/2428
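The CLI equivalent of the single-port network-object procedure above, as an added example that is not part of the original notes. The object name WEB_SERVER, the server address 10.0.0.2, the interface names dmz/outside and the test source address are assumptions; the placeholder in the packet-tracer line stands for your outside interface IP.

```cisco
! Added example (not from the original notes): ASA 8.4 object NAT for one port.
! Assumed names: WEB_SERVER object, real host 10.0.0.2 behind "dmz", mapped to
! the "outside" interface address, real port 80 -> mapped port 80.
object network WEB_SERVER
 host 10.0.0.2
 nat (dmz,outside) static interface service tcp 80 80
!
! Permit only what the NAT maps. On 8.3+ the ACL is evaluated against the
! real (untranslated) address, which is why the destination is the object,
! not the outside interface IP.
access-list outside_access_in extended permit tcp any object WEB_SERVER eq www
access-group outside_access_in in interface outside
!
! Verification (exec mode, shown here as comments):
!   show nat detail          -> the object NAT line with its hit count
!   packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 80
! packet-tracer should end in ALLOW with the NAT phase translating to 10.0.0.2;
! a DROP in the ACCESS-LIST phase means the ACL, not the NAT, is the problem.
```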
Multiple Ports to the Same Server
If you need to forward a range of ports or multiple ranges of ports, it is beneficial to create multiple Service Objects and then create one Service Group containing all of the desired objects.
Service Objects:
Service_1: Destination Port Range: 12345
Service_2: Destination Port Range: 12347
Service_3: Destination Port Range: 12349
Service Group: Service_All (contains all service objects above)
Create a Network Object for the LAN server IP address, for example: PBX, IP: 10.0.0.1
Create an ACL with Source: Any, Destination: PBX_server (the network object defined above), Service: Service_All (the service group defined above)
Create a new NAT rule with:
Original Packet
Source Interface: Outside, Source Address: Any
Destination Interface: DMZ, Destination Address: Outside, Service: Service_1
Translated Packet
Source NAT Type: Static, Source Address: Original
Destination Address: PBX_server, Service: Original
You will need to create multiple NAT rules – one for each service object defined above.
The equivalent CLI commands are:
object service Service_1
 service tcp destination eq 12345
object service Service_2
 service tcp destination eq 12347
object service Service_3
 service udp destination eq 12349
object-group service Service_All
 service-object object Service_1
 service-object object Service_2
 service-object object Service_3
object network PBX_server
 host 10.0.0.1
access-list outside_access_in extended permit object-group Service_All any object PBX_server
access-group outside_access_in in interface outside
nat (outside,dmz) source static any any destination static interface PBX_server service Service_1 Service_1
nat (outside,dmz) source static any any destination static interface PBX_server service Service_2 Service_2
nat (outside,dmz) source static any any destination static interface PBX_server service Service_3 Service_3