Solved

How do I configure Cisco ASA 5510 to forward multiple ports to DMZ server

Posted on 2009-04-21
Last Modified: 2012-05-06
Hi, I have a Cisco ASA 5510 that has outside, dmz, and inside interfaces. I have two servers in my dmz zone, 10.10.10.200 and 10.10.10.201, that share a common public IP address: x.46.166.10. I need to direct all traffic from the public IP to one of the two servers based on the port that it comes in on, as follows:

    DMZ Server A: 10.10.10.200 should receive
        tcp 5566
        udp 5567
        udp 6004-6259
    DMZ Server B: 10.10.10.201 should receive
        tcp 8768
        udp 8768
        tcp 5051-5052

I've tried several variations of object-groups, access-lists and static NAT but cannot seem to get the right combination. What is the best way to configure this?
Question by:tom-affordablebuttons
4 Comments

Accepted Solution

by: JFrederick29 (earned 1500 total points)
ID: 24200677
Here is an example.  Unfortunately, you need to create a static NAT for every port from 6004 - 6259 (copy and paste will help here).  Or, if you have two public IPs to use, you can dedicate one to one server and the other to the other DMZ server so you don't need to create hundreds of translations.

access-list outside_access_in extended permit tcp any host x.46.166.10 eq 5566
access-list outside_access_in extended permit udp any host x.46.166.10 eq 5567
access-list outside_access_in extended permit udp any host x.46.166.10 range 6004 6259
access-list outside_access_in extended permit tcp any host x.46.166.10 eq 8768
access-list outside_access_in extended permit udp any host x.46.166.10 eq 8768
access-list outside_access_in extended permit tcp any host x.46.166.10 range 5051 5052

static (dmz,outside) tcp x.46.166.10 5566 10.10.10.200 5566 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 5567 10.10.10.200 5567 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 6004 10.10.10.200 6004 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 6005 10.10.10.200 6005 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 6006 10.10.10.200 6006 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 6007 10.10.10.200 6007 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 6008 10.10.10.200 6008 netmask 255.255.255.255
.....
static (dmz,outside) udp x.46.166.10 6259 10.10.10.200 6259 netmask 255.255.255.255
static (dmz,outside) tcp x.46.166.10 8768 10.10.10.201 8768 netmask 255.255.255.255
static (dmz,outside) udp x.46.166.10 8768 10.10.10.201 8768 netmask 255.255.255.255
static (dmz,outside) tcp x.46.166.10 5051 10.10.10.201 5051 netmask 255.255.255.255
static (dmz,outside) tcp x.46.166.10 5052 10.10.10.201 5052 netmask 255.255.255.255

Expert Comment

by:JFrederick29
ID: 24200681
You also need to apply the access-list to the interface if it doesn't already exist:

access-group outside_access_in in interface outside

Author Comment

by:tom-affordablebuttons
ID: 24200699
Thanks for the quick response... I was hoping that there would be some magic using nested object-groups and access-lists on the static NAT that would eliminate the hundreds of static entries... or is this best practice?

Expert Comment

by:JFrederick29
ID: 24200735
Really, if you have hundreds of ports to forward, best practice (and ease of configuration) would be to dedicate a public IP to each DMZ server but if that isn't possible, you can perhaps use Excel to auto fill 6004 - 6259 and use fill down for the other parts of the command.  Copy it into notepad and it should be formatted correctly :)
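As an added example (not part of the original thread), here is a short Python generator that produces the per-port static PAT lines and the matching access-list entries from the port map in the question, the job the accepted solution and the last comment suggest doing by copy-and-paste or an Excel fill-down. It also refuses to emit a config in which the same public protocol/port is claimed by both DMZ servers, which would otherwise be a silent misconfiguration. The public IP stays masked as "x.46.166.10" exactly as posted, and the interface names and 8.2-style syntax are those used in the accepted solution.

```python
PUBLIC_IP = "x.46.166.10"  # public IP, masked exactly as in the question

# (proto, first port, last port, DMZ host): the port map from the question;
# a single port is written as a range of length one
FORWARDS = [
    ("tcp", 5566, 5566, "10.10.10.200"),  # Server A
    ("udp", 5567, 5567, "10.10.10.200"),
    ("udp", 6004, 6259, "10.10.10.200"),
    ("tcp", 8768, 8768, "10.10.10.201"),  # Server B
    ("udp", 8768, 8768, "10.10.10.201"),
    ("tcp", 5051, 5052, "10.10.10.201"),
]

def check_no_overlap(forwards):
    """A public (proto, port) can translate to only one DMZ host; refuse to emit
    a config in which the same port is silently claimed by both servers."""
    owner = {}
    for proto, first, last, host in forwards:
        if proto not in ("tcp", "udp") or not 1 <= first <= last <= 65535:
            raise ValueError(f"invalid forward: {proto} {first}-{last}")
        for port in range(first, last + 1):
            if owner.setdefault((proto, port), host) != host:
                raise ValueError(f"{proto}/{port} mapped to both {owner[(proto, port)]} and {host}")
    return len(owner)  # number of distinct public proto/port pairs in use

def acl_lines(forwards, public_ip=PUBLIC_IP, acl="outside_access_in"):
    """One ACE per map entry; contiguous ports collapse to 'range' as in the answer."""
    out = []
    for proto, first, last, host in forwards:
        ports = f"eq {first}" if first == last else f"range {first} {last}"
        out.append(f"access-list {acl} extended permit {proto} any host {public_ip} {ports}")
    return out

def static_lines(forwards, public_ip=PUBLIC_IP):
    """One static PAT per port: the pre-8.3 ASA needs a separate translation for each."""
    check_no_overlap(forwards)
    out = []
    for proto, first, last, host in forwards:
        for port in range(first, last + 1):
            out.append(f"static (dmz,outside) {proto} {public_ip} {port} "
                       f"{host} {port} netmask 255.255.255.255")
    return out

if __name__ == "__main__":
    print("\n".join(acl_lines(FORWARDS) + static_lines(FORWARDS)))
    print("access-group outside_access_in in interface outside")
```

The access-list entries permit from `any` exactly as in the answer; narrow the source to known client ranges where the service allows it.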