Solved

NAT Port Forwarding on a Cisco ASA 5510 with ASDM

Posted on 2009-04-14
2,515 Views
Last Modified: 2012-05-06
I've recently put a Cisco ASA 5510 in and I'm having a problem with a Static NAT port forward.

The Outside interface has multiple IPs assigned and had been configured with a port forward as below:

Type: Static
Original Source: webserver
Original Service: https
Translated Interface: external
Translated Address: external
Translated Service: https

This works fine if users access on the first IP of the block (e.g. 1.1.1.1); however, when someone tries to come in on a different IP (e.g. 1.1.1.2) it gives a 'TCP connection denied flags SYN on interface external' error.

Any suggestions? The above does work if I set 1.1.1.2 as the specified IP; however, we ideally want all the external IPs to work.
Question by:v0r73x
9 Comments
LVL 43

Expert Comment

by:JFrederick29
ID: 24139462
That's because the port forward (static NAT) is using the ASA outside interface IP, which I assume to be 1.1.1.1.  You simply need to create additional statics (port forwards) for other connections inbound, specifying the other IPs in the block as the translated address (1.1.1.2, 1.1.1.3, etc...).

Author Comment

by:v0r73x
ID: 24139976
The problem with that is the external interface is configured with ipaddress/28, so if I try to set it up with 1.1.1.1 for example it errors saying it is the external interface? Will try it again in case I missed something :s
LVL 43

Expert Comment

by:JFrederick29
ID: 24140028
It is fine to use the external IP address as long as you are specifying a service (port forwarding) and not doing a 1-1 static NAT.  You don't have to use the external interface IP address in the NAT config; you can use the other IPs in your /28 (1.1.1.2, 1.1.1.3, etc...).

Author Comment

by:v0r73x
ID: 24145571
Still no luck; have tried to configure using the external IP block set specifically and it won't allow it.

1.1.1.2 is set to forward 443.
1.1.1.1 won't configure as it believes it overlaps with the above.

If I set the forward on the External block it only works on 1.1.1.1, not the rest of the range. Am I missing something?!
LVL 43

Expert Comment

by:JFrederick29
ID: 24147226
Can you post your config "show run"?  This will simplify things greatly.

Author Comment

by:v0r73x
ID: 24206399
Sorry for the delay, have been working on some other issues.

The main line that I need to amend is below -
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255

I need to create an additional static entry like so -
static (trusted_lan,external) tcp 77.xx.xx.66 https srv_exchange https netmask 255.255.255.255

Unfortunately, when I enter the above either with the ASDM or CLI it errors saying it conflicts with the existing rule.

I've pasted the relevant config below; if the entire config is preferred that's not a problem, just a lot to sanitize :)
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 77.xx.xx.66 255.255.255.240 
!
interface Ethernet0/1
 nameif trusted_lan
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
global (external) 101 interface
nat (trusted_lan) 0 access-list trusted_lan_nat0_outbound
nat (trusted_lan) 101 10.0.0.0 255.255.255.0
static (trusted_lan,external) tcp interface smtp srv_exchange smtp netmask 255.255.255.255 
static (trusted_lan,external) tcp interface pop3 srv_exchange pop3 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface imap4 srv_exchange imap4 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface ftp srv_exchange ftp netmask 255.255.255.255 
static (trusted_lan,external) tcp interface www srv_exchange www netmask 255.255.255.255 
static (trusted_lan,external) tcp interface 3389 srv_exchange 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp interface 4899 srv_exchange 4899 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.67 www srv_spapps www netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.73 3389 srv_spapps 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.68 3389 srv_fpsrv 3389 netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.68 www srv_sql www netmask 255.255.255.255 
static (trusted_lan,external) tcp 77.xx.xx.69 3389 srv_sql 3389 netmask 255.255.255.255   
access-group external_access_in in interface external
access-group trusted_lan_access_in in interface trusted_lan
route external 0.0.0.0 0.0.0.0 77.xx.xx.65 1

LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24206693
Ahh, okay, that won't work.  You can't have two external IPs mapped to one internal IP.  The firewall has no way of knowing which one to use.

Are there two websites on that server that you want access to from the outside?  If so, the second website will need to answer on a different/virtual IP address.
 
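As an added example (not code from the thread or from Cisco), a small Python audit of pre-8.3 `static` port-forward lines that reproduces the overlap check JFrederick29 describes: it resolves the `interface` keyword to the outside interface address and flags any inside host/port that is reached from more than one outside socket. The sample config is constructed from the lines posted above, with the poster's sanitized 77.xx.xx.* strings kept as opaque tokens.

```python
import re
from collections import defaultdict

# Constructed sample built from the 'static' lines posted in the thread; the
# sanitized 77.xx.xx.* strings are kept as opaque tokens, not parsed as addresses.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif external
 ip address 77.xx.xx.66 255.255.255.240
static (trusted_lan,external) tcp interface smtp srv_exchange smtp netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.67 https srv_exchange https netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.67 www srv_spapps www netmask 255.255.255.255
static (trusted_lan,external) tcp 77.xx.xx.66 https srv_exchange https netmask 255.255.255.255
"""

# Service names the ASA accepts in place of port numbers.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "https": 443}
STATIC_RE = re.compile(
    r"^static \(([^,]+),([^)]+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def interface_ips(cfg):
    """Map nameif -> address so the 'interface' keyword can be resolved."""
    return dict(re.findall(r"^ nameif (\S+)$(?:\n .*)*?\n ip address (\S+) ", cfg, re.M))

def parse_statics(cfg):
    """Yield (outside_ip, outside_port, proto, inside_host, inside_port) per static."""
    ifips = interface_ips(cfg)
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if m:
            _in_if, out_if, proto, gip, gport, lhost, lport = m.groups()
            if gip == "interface":  # ASA substitutes the outside interface address
                gip = ifips[out_if]
            yield gip, port(gport), proto, lhost, port(lport)

def find_conflicts(cfg):
    """Inside sockets reached from more than one outside socket. The ASA rejects
    the second such static as a duplicate: the static also translates traffic
    sourced from that inside socket and needs one outside address to use."""
    by_inside = defaultdict(list)
    for gip, gport, proto, lhost, lport in parse_statics(cfg):
        by_inside[(lhost, proto, lport)].append((gip, gport))
    return {k: v for k, v in by_inside.items() if len(v) > 1}

if __name__ == "__main__":
    for (host, proto, lport), outs in find_conflicts(SAMPLE_CONFIG).items():
        print(f"{host} {proto}/{lport} mapped from {len(outs)} outside sockets: {outs}")
```

Running it reports srv_exchange tcp/443 as mapped from both 77.xx.xx.67 and 77.xx.xx.66, which is exactly the pair of lines the ASA refused; the smtp forward on the interface address resolves to 77.xx.xx.66:25 and is not in conflict.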
LVL 43

Expert Comment

by:JFrederick29
ID: 24206739
Or if using IIS, I believe you can use "host headers" (I think that's what it is called).  So, essentially, you would use a single IP: www.websitea.com and www.websiteb.com would resolve to the same IP address, but IIS would look at the HTTP header and serve the proper site based on the host header.

Author Closing Comment

by:v0r73x
ID: 31569959
Sorry for the delay. We were switching over from a WatchGuard that we seemed to be able to do this on. I've had to update external DNS records to point to different IPs on the interface etc. and this seems to be ok now. Many thanks!