Cisco Defense Orchestrator

Make a Server on the Inside Network Available on a Specific Port of a Public IP Address

Use Case

If you only have one public IP address, or a very limited number, you can create a network object NAT rule that translates inbound traffic destined for a static IP address and port to an internal address. We provide procedures for specific cases, but you can use them as a model for other supported applications.

Prerequisites

Before you begin, create three separate network objects, one each for an FTP, HTTP, and SMTP server. For the sake of the following procedures, we call these objects ftp-object, http-object, and smtp-object. See Create Network Objects for instructions.

NAT Incoming FTP Traffic to an FTP Server

  1. On the Devices & Services page, select the ASA for which you want to create the NAT rule.
  2. Click View NAT Rules in the Policy section of the Actions pane.
  3. Click Create NAT Rule > Network Object NAT. 
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, perform these actions:
  • Expand the Original Address menu, click Choose, and select the ftp-object.
  • Expand the Translated Address menu, click Choose, and select the Interface.
  • Check Use Port Translation.
  • Select tcp, ftp, ftp.
  7. Click Save. The new rule is created in section 2 of the NAT table.
  8. Return to the Devices & Services page, select the ASA on which you made this change, and Write changes... to the ASA.

NAT Incoming HTTP Traffic to an HTTP Server

  1. On the Devices & Services page, select the ASA for which you want to create the NAT rule.
  2. Click View NAT Rules in the Policy section of the Actions pane.
  3. Click Create NAT Rule > Network Object NAT. 
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, perform these actions:
  • Expand the Original Address menu, click Choose, and select the http-object.
  • Expand the Translated Address menu, click Choose, and select the Interface.
  • Check Use Port Translation.
  • Select tcp, http, http.
  7. Click Save. The new rule is created in section 2 of the NAT table.
  8. Return to the Devices & Services page, select the ASA on which you made this change, and Write changes... to the ASA.

NAT Incoming SMTP Traffic to an SMTP Server

  1. On the Devices & Services page, select the ASA for which you want to create the NAT rule.
  2. Click View NAT Rules in the Policy section of the Actions pane.
  3. Click Create NAT Rule > Network Object NAT. 
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, perform these actions:
  • Expand the Original Address menu, click Choose, and select the smtp-object.
  • Expand the Translated Address menu, click Choose, and select the Interface.
  • Check Use Port Translation.
  • Select tcp, smtp, smtp.
  7. Click Save. The new rule is created in section 2 of the NAT table.
  8. Return to the Devices & Services page, select the ASA on which you made this change, and Write changes... to the ASA.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in the ASA's saved configuration file as a result of these procedures:

Objects

object network ftp-object
   host 10.1.2.27
object network http-object
   host 10.1.2.28
object network smtp-object
   host 10.1.2.29

NAT rules

object network ftp-object
   nat (inside,outside) static interface service tcp ftp ftp
object network http-object
   nat (inside,outside) static interface service tcp www www
object network smtp-object
   nat (inside,outside) static interface service tcp smtp smtp
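As an added example (not code from the original page or from Cisco), the following script parses saved-configuration entries in the form shown above and reports, for every static rule mapped to an interface address, which inside host is published on which outside port. The sample configuration embedded in it is constructed from the entries on this page; a rule with no service clause is reported as exposing every port, which is the case to look for when reviewing such rules.

```python
# Added example, not from the page or Cisco: map each ASA static interface NAT
# rule to the inside host and outside port it publishes, for review.
import re

# Constructed sample assembled from the object and NAT entries listed on this page.
SAMPLE_CONFIG = """
object network ftp-object
 host 10.1.2.27
object network http-object
 host 10.1.2.28
object network smtp-object
 host 10.1.2.29
object network ftp-object
 nat (inside,outside) static interface service tcp ftp ftp
object network http-object
 nat (inside,outside) static interface service tcp www www
object network smtp-object
 nat (inside,outside) static interface service tcp smtp smtp
"""

NAT_RE = re.compile(
    r"nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) static (?P<mapped>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?$"
)

def parse_object_nat(config):
    """Merge 'host' and 'nat' lines per object; ASA emits them in separate blocks."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {"host": None, "nat": None})
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and line.startswith("nat "):
            match = NAT_RE.match(line)
            objects[current]["nat"] = match.groupdict() if match else None
    return objects

def exposed_services(config):
    """Return {object: (inside_host, mapped_if, proto, mapped_port)} for each static
    rule mapped to an interface; no 'service' clause means every port ('any')."""
    result = {}
    for name, obj in parse_object_nat(config).items():
        nat = obj["nat"]
        if not nat or nat["mapped"] != "interface":
            continue
        proto, port = nat["proto"] or "ip", nat["mapped_port"] or "any"
        result[name] = (obj["host"], nat["mapped_if"], proto, port)
    return result
```

Running `exposed_services(SAMPLE_CONFIG)` on the page's entries yields one tcp/ftp, one tcp/www and one tcp/smtp publication on the outside interface address, matching the three GUI rules.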