ctna asked:
Cisco ASA Firewall rules \NAT\PAT
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?
The firewall has three interfaces configured as follows: interface Ethernet0/0 = outside - security-level 0, interface Ethernet0/1 = inside - security-level 100, interface Ethernet0/2 = dmz - security-level 50.
The inside interface is 172.16.1.10, the DMZ interface is 192.168.1.1, the outside interface is 12.16.14.113, and the web host is 192.168.1.5. See below:

          Outside Int
          12.16.14.113
               |
               |
              ASA ------- DMZ Int
               |          192.168.1.1
               |              |
               |            Switch
               |              |
               |        Web Host - Port 443
               |        192.168.1.5
           Inside Int
           172.16.1.10
ASKER
I get the following error, any ideas?
Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255
Regards,
3nerds
ASKER
Will this work? The ASA took the commands... How does the word "interface" know what NIC to use, the outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!
static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
ASKER
Correction to the config lines below:
static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
ASKER
Thanks for the help... makes sense.
and add a rule to your outside ACL:
access-list outside_in extended permit tcp any interface outside eq 443
Good Luck,
3nerds
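The complete configuration that the answers in this thread describe, as an added example that is not part of the original thread. In `static (dmz,outside)` the first name is the real interface and the second is the mapped interface, so the `interface` keyword stands for the mapped (outside) interface's own address, 12.16.14.113; that is how the ASA knows which NIC to use. The pre-8.3 syntax matches the thread; the 8.3+ equivalent is included because the `static` command no longer exists there and the access list must then reference the real DMZ address instead of the outside interface. Interface names and addresses are the ones from the question; the admin network 203.0.113.0/24 used to restrict SSH is an assumption.

```cisco
! Added example (not from the original thread): publishing 192.168.1.5 in the DMZ
! on the ASA's outside address. Interface names, security levels and addresses
! are the ones given in the question; 203.0.113.0/24 is an assumed admin network.

! --- ASA 8.2 and earlier (the syntax used in the thread) ---
! static (real_ifc,mapped_ifc) proto interface mapped_port real_ip real_port
! "interface" = the IP of the mapped (second-named) interface, here outside.
static (dmz,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface 22 192.168.1.5 22 netmask 255.255.255.255
! Pre-8.3 ACLs match the MAPPED address, hence "interface outside".
access-list outside_in extended permit tcp any interface outside eq 443
access-list outside_in extended permit udp any interface outside eq 1194
! Assumed admin network; do not expose SSH on the web host to "any".
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 22
! The ACL does nothing until it is bound to the interface.
access-group outside_in in interface outside

! --- ASA 8.3 and later (object NAT; "static" no longer exists) ---
! One network object per published service, all pointing at the same host.
object network DMZ-WEB-443
 host 192.168.1.5
 nat (dmz,outside) static interface service tcp 443 443
object network DMZ-WEB-1194
 host 192.168.1.5
 nat (dmz,outside) static interface service udp 1194 1194
object network DMZ-WEB-22
 host 192.168.1.5
 nat (dmz,outside) static interface service tcp 22 22
! 8.3+ ACLs match the REAL address, so reference the host, not the interface.
access-list outside_in extended permit tcp any host 192.168.1.5 eq 443
access-list outside_in extended permit udp any host 192.168.1.5 eq 1194
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.1.5 eq 22
access-group outside_in in interface outside

! --- Verify (either version) ---
show xlate
show nat
! Simulate an outside client (assumed source 203.0.113.5) hitting the public 443.
packet-tracer input outside tcp 203.0.113.5 40000 12.16.14.113 443
```

The `packet-tracer` output shows each phase (ACL, NAT, flow creation) and whether the packet is allowed, which is the quickest way to confirm both the translation and the access-group are in effect before testing from the Internet.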