Solved

NAT Port Forwarding on a Cisco ASA 5510 with ASDM

Posted on 2009-04-14
Last Modified: 2012-05-06
I've recently put a Cisco ASA 5510 in and I'm having a problem with a Static NAT port forward.

The Outside interface has multiple IP's assigned and had been configured with a port forward as below:

Type: Static
Original Source: webserver
Original Service: https
Translated Interface: external
Translated Address: external
Translated Service: https

This works fine if users access on the first IP of the block (e.g. 1.1.1.1); however, when someone tries to come in on a different IP (e.g. 1.1.1.2) it gives a 'TCP connection denied flags SYN on interface external' error.

Any suggestions? The above does work if I set 1.1.1.2 as the specified IP; however, we ideally want all the external IPs to work.
Question by:v0r73x
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139462
That's because the port forward (static NAT) is using the ASA outside interface IP, which I assume to be 1.1.1.1.  You simply need to create additional statics (port forwards) for other connections inbound, specifying the other IPs in the block as the translated address (1.1.1.2, 1.1.1.3, etc...).
 

Author Comment

by:v0r73x
ID: 24139976
The problem with that is the external interface is configured with ipaddress/28, so if I try to set it up with 1.1.1.1 for example it errors saying it is the external interface? Will try it again in case I missed something :s
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24140028
It is fine to use the external IP address as long as you are specifying a service (port forwarding) and not doing a 1-to-1 static NAT.  You don't have to use the external interface IP address in the NAT config; you can use the other IPs in your /28 (1.1.1.2, 1.1.1.3, etc...).
 

Author Comment

by:v0r73x
ID: 24145571
Still no luck. I have tried to configure it using the external IP block set specifically and it won't allow it.

1.1.1.2 is set to forward 443
1.1.1.1 won't configure as it believes it overlaps with the above.

If I set the forward on the External block it only works on 1.1.1.1, not the rest of the range. Am I missing something?!?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24147226
Can you post your config "show run"?  This will simplify things greatly.
 

Author Comment

by:v0r73x
ID: 24206399
Sorry for the delay; I have been working on some other issues.

The main line that I need to amend is below -
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255

I need to create an additional static entry like so -
static (trusted_lan,external) tcp 77.xx.xx.66 https srv_exchange https netmask 255.255.255.255

Unfortunately, when I enter the above either with the ASDM or the CLI it errors saying it conflicts with the existing rule.

I've pasted the relevant config below; if the entire config is preferred that's not a problem, just a lot to sanitize :)
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 77.xx.xx.66 255.255.255.240
!
interface Ethernet0/1
 nameif trusted_lan
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
global (external) 101 interface
nat (trusted_lan) 0 access-list trusted_lan_nat0_outbound
nat (trusted_lan) 101 10.0.0.0 255.255.255.0
static (trusted_lan,external) tcp interface smtp srv_exchange smtp netmask 255.255.255.255
static (trusted_lan,external) tcp interface pop3 srv_exchange pop3 netmask 255.255.255.255
static (trusted_lan,external) tcp interface imap4 srv_exchange imap4 netmask 255.255.255.255
static (trusted_lan,external) tcp interface ftp srv_exchange ftp netmask 255.255.255.255
static (trusted_lan,external) tcp interface www srv_exchange www netmask 255.255.255.255
static (trusted_lan,external) tcp interface 3389 srv_exchange 3389 netmask 255.255.255.255
static (trusted_lan,external) tcp interface 4899 srv_exchange 4899 netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.67 www srv_spapps www netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.73 3389 srv_spapps 3389 netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.68 3389 srv_fpsrv 3389 netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.68 www srv_sql www netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.69 3389 srv_sql 3389 netmask 255.255.255.255
access-group external_access_in in interface external
access-group trusted_lan_access_in in interface trusted_lan
route external 0.0.0.0 0.0.0.0 77.xx.xx.65 1

 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24206693
Ahh, okay, that won't work.  You can't have two external IPs mapped to one internal IP.  The firewall has no way of knowing which one to use.

Are there two websites on that server that you want access to from the outside?  If so, the second website will need to answer on a different/virtual IP address.
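To make the overlap the ASA is complaining about concrete, here is an added checker (not from the thread or from Cisco) that parses the old `static (real_if,mapped_if) tcp <mapped> <port> <real> <port>` syntax posted above and flags the two overlaps the ASA rejects: one real host/port mapped to two different mapped addresses, or one mapped address/port used twice. The interface address and the 198.51.100.x sample addresses are constructed stand-ins for the poster's sanitised 77.xx.xx.x block.

```python
import re
from collections import defaultdict

# Constructed stand-in for the poster's sanitised external interface address.
INTERFACE_IPS = {"external": "198.51.100.66"}
# ASA well-known service names used in the thread, normalised to numbers.
PORT_NAMES = {"ftp": "21", "smtp": "25", "www": "80", "pop3": "110",
              "imap4": "143", "https": "443"}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)")

def parse_static(line):
    """Return (proto, mapped_ip, mapped_port, real_host, real_port) or None.
    The 'interface' keyword resolves to the mapped interface's own address."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mapped = INTERFACE_IPS[m["mapped_if"]] if m["mapped"] == "interface" else m["mapped"]
    port = lambda p: PORT_NAMES.get(p, p)
    return (m["proto"], mapped, port(m["mport"]), m["real"], port(m["rport"]))

def find_conflicts(lines):
    """Return descriptions of the two overlaps a static PAT set must not contain."""
    by_mapped = defaultdict(int)    # (proto, mapped_ip, port) -> number of statics
    by_real = defaultdict(set)      # (proto, real_host, port) -> mapped addresses
    for line in lines:
        parsed = parse_static(line)
        if parsed:
            proto, mapped, mport, real, rport = parsed
            by_mapped[(proto, mapped, mport)] += 1
            by_real[(proto, real, rport)].add(mapped)
    conflicts = [f"mapped {ip}:{port}/{proto} used {n} times"
                 for (proto, ip, port), n in by_mapped.items() if n > 1]
    # The firewall cannot pick a mapped address for the reverse translation here.
    conflicts += [f"real {host}:{port}/{proto} mapped to {sorted(ips)}"
                  for (proto, host, port), ips in by_real.items() if len(ips) > 1]
    return conflicts

# Constructed sample: some of the thread's existing statics (addresses
# substituted) followed by the entry the poster could not add.
EXISTING = [
    "static (trusted_lan,external) tcp interface smtp srv_exchange smtp netmask 255.255.255.255",
    "static (trusted_lan,external) tcp interface www srv_exchange www netmask 255.255.255.255",
    "static (trusted_lan,external) tcp 198.51.100.67 https srv_exchange https netmask 255.255.255.255",
    "static (trusted_lan,external) tcp 198.51.100.67 www srv_spapps www netmask 255.255.255.255",
]
ATTEMPTED = "static (trusted_lan,external) tcp 198.51.100.66 https srv_exchange https netmask 255.255.255.255"
```

Running `find_conflicts(EXISTING)` returns an empty list, while `find_conflicts(EXISTING + [ATTEMPTED])` reports srv_exchange:443 mapped to both .66 and .67, which is the overlap the ASA refuses.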
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24206739
Or if using IIS, I believe you can use "host headers" (I think that's what it is called).  So, essentially, you would use a single IP: www.websitea.com and www.websiteb.com would resolve to the same IP address, but IIS would look at the HTTP header and serve the proper site based on the host header.
 

Author Closing Comment

by:v0r73x
ID: 31569959
Sorry for the delay. We were switching over from a WatchGuard that we seemed to be able to do this on. I've had to update external DNS records to point to different IPs on the interface etc. and this seems to be OK now. Many thanks!