v0r73x asked:
NAT Port Forwarding on a Cisco ASA 5510 with ASDM

I've recently put a Cisco ASA 5510 in and I'm having a problem with a Static NAT port forward.

The Outside interface has multiple IPs assigned and had been configured with a port forward as below:

Type: Static
Original Source: webserver
Original Service: https
Translated Interface: external
Translated Address: external
Translated Service: https

This works fine if users access on the first IP of the block (e.g. 1.1.1.1); however, when someone tries to come in on a different IP (e.g. 1.1.1.2) it gives a 'TCP connection denied flags SYN on interface external' error.

Any suggestions? The above does work if I set 1.1.1.2 as the specified IP, however we ideally want all the external IPs to work.
JFrederick29:

That's because the port forward (static NAT) is using the ASA outside interface IP, which I assume to be 1.1.1.1.  You simply need to create additional statics (port forwards) for other connections inbound, specifying the other IPs in the block as the translated address (1.1.1.2, 1.1.1.3, etc...).
v0r73x (asker):

The problem with that is the external interface is configured with ip address/28, so if I try to set it up with 1.1.1.1 for example it errors saying it is the external interface? Will try it again in case I missed something :s

JFrederick29:

It is fine to use the external IP address as long as you are specifying a service (port forwarding) and not doing a 1-1 static NAT.  You don't have to use the external interface IP address in the NAT config; you can use the other IPs in your /28 (1.1.1.2, 1.1.1.3, etc...).
v0r73x (asker):

Still no luck; I have tried to configure using the external IP block set specifically and it won't allow it.

1.1.1.2 is set to forward 443
1.1.1.1 won't configure as it believes it overlaps with the above.

If I set the forward on the External block it only works on 1.1.1.1, not the rest of the range. Am I missing something?

JFrederick29:

Can you post your config ("show run")?  This will simplify things greatly.
v0r73x (asker):

Sorry for the delay, have been working on some other issues.

The main line that I need to amend is below -
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255

I need to create an additional static entry like so -
static (trusted_lan,external) tcp 77.xx.xx.66 https srv_exchange https netmask 255.255.255.255

Unfortunately, when I enter the above, either with the ASDM or CLI, it errors saying it conflicts with the existing rule.

I've pasted the config below; if the entire config is preferred that's not a problem, just a lot to sanitize :)
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 77.xx.xx.66 255.255.255.240 
!
interface Ethernet0/1
 nameif trusted_lan
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
global (external) 101 interface
nat (trusted_lan) 0 access-list trusted_lan_nat0_outbound
nat (trusted_lan) 101 10.0.0.0 255.255.255.0
static (trusted_lan,external) tcp interface smtp srv_exchange smtp netmask 255.255.255.255 
static (trusted_lan,external) tcp interface pop3 srv_exchange pop3 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface imap4 srv_exchange imap4 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface ftp srv_exchange ftp netmask 255.255.255.255 
static (trusted_lan,external) tcp interface www srv_exchange www netmask 255.255.255.255 
static (trusted_lan,external) tcp interface 3389 srv_exchange 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface 4899 srv_exchange 4899 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.67 www srv_spapps www netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.73 3389 srv_spapps 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.68 3389 srv_fpsrv 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.68 www srv_sql www netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.69 3389 srv_sql 3389 netmask 255.255.255.255   
access-group external_access_in in interface external
access-group trusted_lan_access_in in interface trusted_lan
route external 0.0.0.0 0.0.0.0 77.xx.xx.65 1

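As an added example (not from the thread or from Cisco), a small checker over the 8.2-style syntax posted above. It reports the two conditions the thread turns on: a static whose explicit global address is an interface's own IP (the form the asker could not enter, where the posted config uses the `interface` keyword for smtp, www, etc.) and two statics claiming the same global IP, protocol and port. The sample config is constructed, and its 203.0.113.x addresses are placeholders standing in for the masked 77.xx.xx.x block.

```python
import re

# Constructed sample in the thread's ASA 8.2 syntax; 203.0.113.x is a placeholder block.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif external
 ip address 203.0.113.66 255.255.255.240
interface Ethernet0/1
 nameif trusted_lan
 ip address 10.0.0.254 255.255.255.0
static (trusted_lan,external) tcp interface www srv_exchange www netmask 255.255.255.255
static (trusted_lan,external) tcp 203.0.113.67 https srv_exchange https netmask 255.255.255.255
static (trusted_lan,external) tcp 203.0.113.66 https srv_exchange https netmask 255.255.255.255
static (trusted_lan,external) tcp 203.0.113.67 https srv_spapps https netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((?P<inside>[\w-]+),(?P<outside>[\w-]+)\) "
                       r"(?P<proto>tcp|udp) (?P<gaddr>\S+) (?P<gport>\S+)")

def interface_ips(config):
    # Map each nameif to the IP configured under its interface stanza.
    ips, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            ips[nameif] = line.split()[2]
    return ips

def find_conflicts(config):
    # Return (kind, line) for each static line the ASA would reject.
    ips, seen, problems = interface_ips(config), set(), []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        gaddr = m["gaddr"]
        # An interface's own IP is written as the 'interface' keyword; the explicit form is refused.
        if gaddr in ips.values():
            problems.append(("explicit-interface-ip", line))
        # Resolve the keyword so keyword and explicit statics on one IP/proto/port compare equal.
        global_ip = ips.get(m["outside"]) if gaddr == "interface" else gaddr
        key = (global_ip, m["proto"], m["gport"])
        if key in seen:
            problems.append(("duplicate-global-port", line))
        seen.add(key)
    return problems
```

Run against the sample, the third static is flagged for naming the external interface IP explicitly and the fourth for reusing 203.0.113.67 tcp/https; rewriting the third as `tcp interface https` clears the first finding.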

ASKER CERTIFIED SOLUTION
JFrederick29:

This solution is only available to members.
Or if using IIS, I believe you can use "host headers" (I think that's what it is called).  So, essentially, you would use a single IP: www.websitea.com and www.websiteb.com would resolve to the same IP address, but IIS would look at the HTTP header and serve the proper site based on the host header.
v0r73x (asker):

Sorry for the delay. In switching over from a WatchGuard, which we seemed to be able to do this on, I've had to update external DNS records to point to different IPs on the interface etc., and this seems to be OK now. Many thanks!