How do I configure Cisco ASA 5510 to forward multiple ports to DMZ server

Posted on 2009-04-21
Last Modified: 2012-05-06
Hi, I have a Cisco ASA 5510 that has outside, dmz, and inside interfaces. I have two servers in my dmz zone that share a common public ip address: x.46.166.10. I need to direct all traffic from the public ip to one of the two servers based on the port that it comes in on, as follows:

DMZ Server A should receive:
    tcp 5566
    udp 5567
    udp 6004-6259
DMZ Server B should receive:
    tcp 8768
    udp 8768
    tcp 5051-5052

I've tried several variations of object-groups, access-lists and static nat but cannot seem to get the right combination. What is the best way to configure this?
Question by:tom-affordablebuttons

    Accepted Solution

    Here is an example.  Unfortunately, you need to create a static NAT for every port from 6004 - 6259 (copy and paste will help here).  Or, if you have two public IP's to use, you can dedicate one to one server and the other to the other DMZ server so you don't need to create hundreds of translations.

    access-list outside_access_in extended permit tcp any host x.46.166.10 eq 5566
    access-list outside_access_in extended permit udp any host x.46.166.10 eq 5567
    access-list outside_access_in extended permit udp any host x.46.166.10 range 6004 6259
    access-list outside_access_in extended permit tcp any host x.46.166.10 eq 8768
    access-list outside_access_in extended permit udp any host x.46.166.10 eq 8768
    access-list outside_access_in extended permit tcp any host x.46.166.10 range 5051 5052

    ! Static PAT syntax (ASA 8.2 and earlier):
    !   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
    ! The DMZ-side addresses below are assumed placeholders; substitute your own:
    !   Server A = 10.10.10.11, Server B = 10.10.10.12
    static (dmz,outside) tcp x.46.166.10 5566 10.10.10.11 5566 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 5567 10.10.10.11 5567 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 6004 10.10.10.11 6004 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 6005 10.10.10.11 6005 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 6006 10.10.10.11 6006 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 6007 10.10.10.11 6007 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 6008 10.10.10.11 6008 netmask 255.255.255.255
    ! ... one static line per port, 6009 through 6258, omitted here ...
    static (dmz,outside) udp x.46.166.10 6259 10.10.10.11 6259 netmask 255.255.255.255
    static (dmz,outside) tcp x.46.166.10 8768 10.10.10.12 8768 netmask 255.255.255.255
    static (dmz,outside) udp x.46.166.10 8768 10.10.10.12 8768 netmask 255.255.255.255
    static (dmz,outside) tcp x.46.166.10 5051 10.10.10.12 5051 netmask 255.255.255.255
    static (dmz,outside) tcp x.46.166.10 5052 10.10.10.12 5052 netmask 255.255.255.255

    Expert Comment

    You also need to apply the access-list to the interface if it doesn't already exist:

    access-group outside_access_in in interface outside

    Author Comment

    Thanks for the quick response... I was hoping that there would be some magic using nested object-groups and access-lists on the static nat that would eliminate the hundreds of static entries... or is this best practice?

    Expert Comment

    Really, if you have hundreds of ports to forward, best practice (and ease of configuration) would be to dedicate a public IP to each DMZ server but if that isn't possible, you can perhaps use Excel to auto fill 6004 - 6259 and use fill down for the other parts of the command.  Copy it into notepad and it should be formatted correctly :)
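The fill-down approach the answer describes, written as a small generator script. This is an added example, not code posted in the thread: it takes the port table from the question, emits the ACL entries and the pre-8.3 `static` PAT lines, and first checks that no (protocol, port) pair is claimed by both servers, because on a single shared public IP each pair can be translated to only one real host. The DMZ addresses 10.10.10.11 and 10.10.10.12 are assumed placeholders, as is the `x.46.166.10` public address carried over from the question; replace them with your own before pasting the output into the ASA.

```python
"""Generate Cisco ASA (8.2-and-earlier 'static' syntax) port-forward config
for several DMZ servers that share one public IP.

Added example; not from the original thread. The DMZ addresses
10.10.10.11 / 10.10.10.12 and the x.46.166.10 public IP are assumed
placeholders: substitute your own.
"""
from collections import defaultdict

PUBLIC_IP = "x.46.166.10"   # placeholder taken from the question
ACL = "outside_access_in"

# (server name, real DMZ address, [(proto, first_port, last_port), ...])
SERVERS = [
    ("ServerA", "10.10.10.11", [("tcp", 5566, 5566), ("udp", 5567, 5567), ("udp", 6004, 6259)]),
    ("ServerB", "10.10.10.12", [("tcp", 8768, 8768), ("udp", 8768, 8768), ("tcp", 5051, 5052)]),
]


def expand_ports(servers):
    """Yield (server, real_ip, proto, port) for every individual port in every range."""
    for name, real_ip, rules in servers:
        for proto, lo, hi in rules:
            if lo > hi or lo < 1 or hi > 65535:
                raise ValueError(f"{name}: bad range {proto} {lo}-{hi}")
            for port in range(lo, hi + 1):
                yield name, real_ip, proto, port


def find_conflicts(servers):
    """Return {(proto, port): [server names]} for pairs claimed by more than one server.

    With one shared public IP a given (protocol, port) can only be translated
    to a single real host, so any collision here is a configuration error."""
    owners = defaultdict(set)
    for name, _ip, proto, port in expand_ports(servers):
        owners[(proto, port)].add(name)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def acl_lines(servers, public_ip=PUBLIC_IP, acl=ACL):
    """One ACE per rule: 'eq' for a single port, 'range' for a span, then the access-group."""
    lines = []
    for _name, _ip, rules in servers:
        for proto, lo, hi in rules:
            match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {acl} extended permit {proto} any host {public_ip} {match}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def static_lines(servers, public_ip=PUBLIC_IP):
    """One static PAT per port:
    static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
    Refuses to emit anything if two servers claim the same (proto, port)."""
    conflicts = find_conflicts(servers)
    if conflicts:
        raise ValueError(f"port collisions on shared public IP: {conflicts}")
    return [
        f"static (dmz,outside) {proto} {public_ip} {port} {real_ip} {port} netmask 255.255.255.255"
        for _name, real_ip, proto, port in expand_ports(servers)
    ]


def build_config(servers=SERVERS):
    """Full paste-ready block: ACL entries first, then every static translation."""
    return acl_lines(servers) + static_lines(servers)


if __name__ == "__main__":
    print("\n".join(build_config()))
```

For the table in the question this produces 7 ACL lines and 262 static lines (256 of them for udp 6004-6259). Note that ASA 8.3 and later replaced the `static` command with object NAT, so the output matches the syntax shown in the accepted answer, not the newer form.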
