Date created: 12/14/12 13:27:40. Last modified: 01/20/13 16:24:07

ASA 8.2 - Static DNAT

Static DNAT of the local subnet 10.0.104.x/24 to 6.6.6.91 when the destination is 5.5.5.3 or 5.5.5.65 on specific TCP ports

ASA Version 8.2(5)33 
!
! Ethernet0/4 is a trunk carrying VLAN 104 only; Ethernet0/5 is an access port in VLAN 105
interface Ethernet0/4
 switchport trunk allowed vlan 104
 switchport mode trunk
!
interface Ethernet0/5
 switchport access vlan 105
!
! SVI for the blade-facing network. security-level 0 marks it as untrusted; it is the
! same level as the saas SVI below, which is why same-security-traffic is needed later.
interface Vlan104
 nameif blades
 security-level 0
 ip address 10.104.0.1 255.255.255.0 
!
! SVI toward the SaaS side (the static routes below use 10.105.0.2 on this network as next hop)
interface Vlan105
 nameif saas
 security-level 0
 ip address 10.105.0.1 255.255.255.0 
!
! Boot images are tried in order: the 8.2(5)33 image first, the base 8.2(5) image as fallback
boot system disk0:/asa825-33-k8.bin
boot system disk0:/asa825-k8.bin

! Both VLAN SVIs are untrusted networks and so have the same security level (0).
! The ASA does not forward between equal-security interfaces unless this is set,
! so it is required for any blades <-> saas traffic at all.
same-security-traffic permit inter-interface

! Remote (SaaS) host IPs that the local machines talk to. Outbound traffic to these
! destinations is the traffic whose source gets translated (policy NAT keyed on destination)
object-group network obj_net_Saas_Hosts
 description Saas hosts
 network-object host 5.5.5.3
 network-object host 5.5.5.65

! Local hosts that we will allow through the ASA and NAT traffic for.
! NOTE(review): these four hosts are the only sources in acl_Permit_Blades_Saas, whereas
! acl_NAT_Blades_Saas_91 also matches ICMP from the whole 10.104.0.0/24 - keep the two in step
! when hosts are added or removed.
object-group network obj_host_1_eth1
 network-object host 10.104.0.111
object-group network obj_host_2_eth1
 network-object host 10.104.0.112
object-group network obj_host_3_eth1
 network-object host 10.104.0.106
object-group network obj_host_4_eth1
 network-object host 10.104.0.107
object-group network obj_net_blades
 description Blade IPs facing this ASA
 group-object obj_host_1_eth1
 group-object obj_host_2_eth1
 group-object obj_host_3_eth1
 group-object obj_host_4_eth1

! Access list applied to the NAT rule (nat (blades) 11 below). Only TCP from the four local
! 10.104.0.x hosts to 5.5.5.3 or 5.5.5.65 on port 14002 or 8101, plus ICMP from the
! 10.104.0.0/24 subnet to those two hosts, is translated. Anything else is not processed by
! this NAT rule and, per the original note, will be dropped by the remote host because it
! will not recognise an untranslated local IP as the source address.
! NOTE(review): the header text refers to 10.0.104.x/24, but every entry here (and the
! VLAN104 address) uses 10.104.0.0/24 - confirm the header is the typo, not the config.
! All entries are permits, so their relative order (the ICMP lines are interleaved with
! the TCP lines) has no effect on which flows are matched.
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.111 host 5.5.5.3 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.112 host 5.5.5.3 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.106 host 5.5.5.3 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.107 host 5.5.5.3 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.111 host 5.5.5.3 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.112 host 5.5.5.3 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.106 host 5.5.5.3 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.107 host 5.5.5.3 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.111 host 5.5.5.65 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.111 host 5.5.5.65 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit icmp 10.104.0.0 255.255.255.0 host 5.5.5.3 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.112 host 5.5.5.65 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.106 host 5.5.5.65 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.107 host 5.5.5.65 eq 14002 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.112 host 5.5.5.65 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.106 host 5.5.5.65 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit tcp host 10.104.0.107 host 5.5.5.65 eq 8101 
access-list acl_NAT_Blades_Saas_91 extended permit icmp 10.104.0.0 255.255.255.0 host 5.5.5.65  

! Interface ACL (applied inbound on 'blades' by the access-group below). Permits TCP 14002,
! TCP 8101 and ICMP from the four blade hosts to the two SaaS hosts; the implicit deny at
! the end drops everything else, so this list - not the NAT ACL - is the effective filter
! for traffic originated by the blades.
access-list acl_Permit_Blades_Saas extended permit tcp object-group obj_net_blades object-group obj_net_Saas_Hosts eq 14002 
access-list acl_Permit_Blades_Saas extended permit tcp object-group obj_net_blades object-group obj_net_Saas_Hosts eq 8101 
access-list acl_Permit_Blades_Saas extended permit icmp object-group obj_net_blades object-group obj_net_Saas_Hosts 

! Global pool for NAT id 11: traffic bound to this id that leaves via 'saas' has its source
! rewritten to 6.6.6.91 on its way out. The /32 netmask makes this a single address, so the
! ASA port-translates all matching flows behind it.
global (saas) 11 6.6.6.91 netmask 255.255.255.255

! Policy NAT: traffic entering 'blades' that matches acl_NAT_Blades_Saas_91 is bound to
! NAT id 11 above. Note that this rewrites the local SOURCE address only - the destination
! 5.5.5.x is left untouched - so "DNAT" in the title means destination-conditional source NAT.
nat (blades) 11 access-list acl_NAT_Blades_Saas_91

! Apply acl_Permit_Blades_Saas inbound on 'blades' so the permitted local traffic is allowed out.
! NOTE(review): no access-group is shown on 'saas' in this excerpt; with equal security levels
! and inter-interface traffic permitted, confirm what restricts connections initiated from the
! saas side toward the blades.
access-group acl_Permit_Blades_Saas in interface blades

! Static routes: a default route via 10.0.0.1 on interface 'lan' (that interface is not defined
! in this excerpt - presumably configured elsewhere), plus host routes for the two remote hosts
! via the next hop 10.105.0.2 on VLAN 105 (saas).
route lan 0.0.0.0 0.0.0.0 10.0.0.1 1
route saas 5.5.5.3 255.255.255.255 10.105.0.2 1
route saas 5.5.5.65 255.255.255.255 10.105.0.2 1

! ICMP inspection added for debugging (pinging the SaaS hosts from the blades). Inspection
! also tracks echo/reply as a session, so replies are returned without a separate inbound
! permit on 'saas' - remove it again if ICMP is not needed in production.
policy-map global_policy
 class inspection_default
  inspect icmp