MPI-AP
asked on
Replacing Checkpoint NG AI Firewall with Cisco ASA 5520
Hi
I'm trying to replace a Checkpoint NG AI Firewall that's securing a web hosting farm with several internal web servers running about 25 web sites. I want to replace the Checkpoint with a Cisco ASA 5520, running OS 8. One of the key implementations on the Checkpoint that I need to replicate is a port redirection that's in place for all the web sites, which maps from a public IP to an internal IP and a different host, i.e.
On the Checkpoint side, in the destination field there is:
www.zzzz.com static NAT to Y public IP.
www.kkk.com static NAT to Q public IP.
www.hhh.com static NAT to K public IP.
And so on for all the web sites.
In the service field there is a custom-built service which has a match, i.e. under Advanced, that has this:
SRV_REDIRECT(80,192.168.2.6,82)
SRV_REDIRECT(82,192.168.2.6,92)
SRV_REDIRECT(100,192.168.2.2,101)
SRV_REDIRECT(110,192.168.2.2,111)
And so on for all the web sites, for both https and http.
I assumed it's a simple case of doing a PAT, so on the ASA I set up a static NAT where I put in the public IP in the original source field, and in the translated-to section the inside interface and inside IP, enabled PAT and put in the source and destination ports as above. I also added the usual "allow any traffic from anywhere to the public IP" on the outside interface access list.
All this does not seem to work on the ASA; it works fine on the Checkpoint. I'm sure I've got it totally wrong... Any idea?
Thanks
ASKER
Hi,
Isn't that the case when it's an outgoing NAT, i.e. an inside host (192.168.2.x) accessing the Internet, where we translate from the internal private IP to the external public IP?
What's going on here is that public Internet users are accessing the web sites that are hosted on the internal private IP range. But the users access them via the public IP; each public IP's port 80 is mapped to a different port on an internal private IP, so it's a sort of NAT in reverse, i.e. outside to inside... And that's the part that does not work on the ASA.
Thanks
Regards
ASKER CERTIFIED SOLUTION
The original source is the internal 192.168.2.x IP address and the translated-to is the public IP.
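The static PAT the accepted answer describes (original = inside host, translated = public IP), written out as an added example. This is not the asker's configuration nor the answerer's; it is an editor's illustration in pre-8.3 ASA syntax, which is what "OS 8" on a 5520 of this era normally means. The public IPs Y and Q from the question are replaced by the placeholder documentation addresses 203.0.113.1 and 203.0.113.2, the inside hosts and ports are the ones in the SRV_REDIRECT entries, and the pairing of the first two entries with the site on Y and the last two with the site on Q is an assumption (the question does not say which entry belongs to which site).

```cisco
! Added example, not configuration from the question or the accepted answer.
! Pre-8.3 syntax:
!   static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask 255.255.255.255
! The real (inside) host is the "original" side; the public address is the
! "translated" side, which is the direction the accepted answer points out.
! 203.0.113.1 / 203.0.113.2 are placeholders for the question's Y and Q.

! Site on Y (assumed to own the first two SRV_REDIRECT entries)
! public :80  -> 192.168.2.6:82     (SRV_REDIRECT(80,192.168.2.6,82))
static (inside,outside) tcp 203.0.113.1 80  192.168.2.6 82  netmask 255.255.255.255
! public :82  -> 192.168.2.6:92     (SRV_REDIRECT(82,192.168.2.6,92))
static (inside,outside) tcp 203.0.113.1 82  192.168.2.6 92  netmask 255.255.255.255

! Site on Q (assumed to own the last two SRV_REDIRECT entries)
! public :100 -> 192.168.2.2:101    (SRV_REDIRECT(100,192.168.2.2,101))
static (inside,outside) tcp 203.0.113.2 100 192.168.2.2 101 netmask 255.255.255.255
! public :110 -> 192.168.2.2:111    (SRV_REDIRECT(110,192.168.2.2,111))
static (inside,outside) tcp 203.0.113.2 110 192.168.2.2 111 netmask 255.255.255.255
! https: repeat the same line with mapped port 443 and whatever real port the
! corresponding Checkpoint SRV_REDIRECT entry uses (not given in the question).

! Inbound ACL. Before 8.3 the ACL on the outside interface matches the MAPPED
! (public) address and MAPPED port, because the ACL is evaluated before the
! static is un-translated. Permit only the redirected ports rather than
! "any traffic to the public IP"; everything else is dropped by the implicit deny.
access-list outside_access_in extended permit tcp any host 203.0.113.1 eq 80
access-list outside_access_in extended permit tcp any host 203.0.113.1 eq 82
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 100
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 110
access-group outside_access_in in interface outside

! If the ASA is actually on 8.3 or later, the same redirection is expressed as
! object NAT, one object per port mapping, with "service tcp REAL_PORT MAPPED_PORT",
! and the outside ACL then matches the REAL (inside) address and port instead:
!   object network zzzz_web_80
!    host 192.168.2.6
!    nat (inside,outside) static 203.0.113.1 service tcp 82 80
!   access-list outside_access_in extended permit tcp any host 192.168.2.6 eq 82
```

After adding or changing a `static` line on a pre-8.3 ASA, run `clear xlate` so stale translations do not mask the new entry, then verify with `show xlate` and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.1 80` (198.51.100.5 is a placeholder client address); the packet-tracer output shows whether the packet is dropped at the ACL phase or the NAT phase, which separates the two mistakes the question could have (wrong original/translated direction, or an ACL that does not match the translated address and port).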