Solved

Cisco ASA Firewall rules \NAT\PAT

Posted on 2009-06-29
7
808 Views
Last Modified: 2013-11-16
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?

The firewall has three interfaces configured as follows, interface Ethernet0/0 = outside -security-level 0, interface Ethernet0/1 = inside - security-level 100, interface Ethernet0/2 = dmz
 security-level 50

The inside interface is 172.16.1.10, DMZ interface is 192.168.1.1, Outside interface 12.16.14.113, web host 192.168.1.5 .. See below
 

Outside Int
 12.16.14.113
    |
    |

   ASA ------- DMZ INT
             192.168.1.1
    |             |
    |             |
    |           Switch
    |             |
    |             |
    |        Web Host - Prt 443
    |          192.168.1.5
 Inside Int
 172.16.1.10

0
Comment
Question by:ctna
  • 4
  • 3
7 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24736857
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255

and add a rule to your outside ACL:

access-list outside_in extended permit tcp any interface outside eq 443

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:ctna
ID: 24737223
I get the following error, any ideas?

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24737529
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255


Regards,

3nerds
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 1

Author Comment

by:ctna
ID: 24737594
Will this work? The ASA took the commands.... How does the word interface know what NIC to use.. the Outside NIC? I'm a bit confused?? please let me know if the lines below are okay and any explanation would be great!

static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:ctna
ID: 24737615
correction in the config line below

Will this work? The ASA took the commands.... How does the word interface know what NIC to use.. the Outside NIC? I'm a bit confused?? please let me know if the lines below are okay and any explanation would be great!

static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
0
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
ID: 24737622
Yes those are fine.

It assumes the outside interface because you have this line in your config:

global (outside) 1 interface

Good Luck,

3nerds
0
 
LVL 1

Author Closing Comment

by:ctna
ID: 31597949
Thanks for the help.. makes sense
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CCNA Data center exam questions 8 82
Cisco ASA inside & outside to same switch 3 41
Guest Wi-Fi Marketing solution required 8 64
WAN Site Edge Routers 15 50
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now