How do I configure Cisco ASA 5510 to forward multiple ports to DMZ server
Hi, I have a Cisco ASA 5510 that has outside, dmz, and inside interfaces. I have two servers in my dmz zone 10.10.10.200 and 10.10.10.201 that share a common public ip address: x.46.166.10. I need to direct all traffic from the public ip to one of the two servers based on the port that it comes in on as follows
DMZ Server A: 10.10.10.200 should receive
tcp 5566
udp 5567
upd 6004-6259
DMZ Server B: 10.10.10.201 should receive
tcp 8768
udp 8768
tcp 5051-5052
I've tried several variations of object-groups, access-lists and static nat but cannot seem to get the right combination. What is the best way to configure this?
DMZ Server A: 10.10.10.200 should receive
tcp 5566
udp 5567
upd 6004-6259
DMZ Server B: 10.10.10.201 should receive
tcp 8768
udp 8768
tcp 5051-5052
I've tried several variations of object-groups, access-lists and static nat but cannot seem to get the right combination. What is the best way to configure this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for the quick response... I was hoping that there would be some magic using nested object-groups and access-list on the static nat that would eliminate the hundreds of static entries... or is this best practic?
Really, if you have hundreds of ports to forward, best practice (and ease of configuration) would be to dedicate a public IP to each DMZ server but if that isn't possible, you can perhaps use Excel to auto fill 6004 - 6259 and use fill down for the other parts of the command. Copy it into notepad and it should be formatted correctly :)
access-group outside_access_in in interface outside