Solved

Cisco ASA Firewall rules \NAT\PAT

Posted on 2009-06-29
Last Modified: 2013-11-16
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?

The firewall has three interfaces configured as follows:

interface Ethernet0/0 = outside - security-level 0
interface Ethernet0/1 = inside - security-level 100
interface Ethernet0/2 = dmz - security-level 50

The inside interface is 172.16.1.10, DMZ interface is 192.168.1.1, Outside interface 12.16.14.113, web host 192.168.1.5 .. See below
 

Outside Int
 12.16.14.113
    |
    |

   ASA ------- DMZ INT
             192.168.1.1
    |             |
    |             |
    |           Switch
    |             |
    |             |
    |        Web Host - Prt 443
    |          192.168.1.5
 Inside Int
 172.16.1.10

Question by:ctna
 
LVL 13

Expert Comment

by:3nerds
ID: 24736857
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255

and add a rule to your outside ACL:

access-list outside_in extended permit tcp any interface outside eq 443

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:ctna
ID: 24737223
I get the following error, any ideas?

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24737529
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255


Regards,

3nerds
0
 
LVL 1

Author Comment

by:ctna
ID: 24737594
Will this work? The ASA took the commands... How does the word interface know what NIC to use, the Outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!

static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:ctna
ID: 24737615
Correction in the config line below.

Will this work? The ASA took the commands... How does the word interface know what NIC to use, the Outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!

static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
0
 
LVL 13

Accepted Solution

by:3nerds (earned 500 total points)
ID: 24737622
Yes those are fine.

It assumes the outside interface because you have this line in your config:

global (outside) 1 interface

Good Luck,

3nerds
0
 
LVL 1

Author Closing Comment

by:ctna
ID: 31597949
Thanks for the help.. makes sense
0
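The thread's port forward written out end to end, as an added example that is not part of any post above: it adds the `access-group` binding and verification commands the thread never shows, and goes beyond the thread by giving the equivalent syntax for ASA 8.3 and later, where the `static` command was replaced by object NAT. The object name WEBHOST, the test source 203.0.113.10 and the management range 198.51.100.0/24 are constructed placeholders.

```cisco
! ---- ASA 8.2 and earlier (the syntax used in this thread) ----
! Static PAT: TCP 443 arriving on the outside interface address
! is translated to the web host in the DMZ.
static (dmz,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255

! Permit the inbound flow. Before 8.3 the ACL matches the mapped
! (outside) address, so the destination is "interface outside".
access-list outside_in extended permit tcp any interface outside eq 443

! An ACL filters nothing until it is bound to an interface.
access-group outside_in in interface outside

! The ssh and udp/1194 statics from the thread pass no traffic until
! outside_in permits them. If ssh must be reachable, scope it to a
! known source range instead of "any" (constructed range shown).
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq ssh

! Verify: translation present, ACL hit counts, simulated inbound packet.
show xlate
show access-list outside_in
packet-tracer input outside tcp 203.0.113.10 12345 12.16.14.113 443

! ---- ASA 8.3 and later (object NAT) ----
! WEBHOST is a hypothetical object name.
object network WEBHOST
 host 192.168.1.5
 nat (dmz,outside) static interface service tcp 443 443

! From 8.3 on, the ACL matches the real (post-NAT) address.
access-list outside_in extended permit tcp any host 192.168.1.5 eq 443
access-group outside_in in interface outside
```

In the `packet-tracer` output, the UN-NAT and ACCESS-LIST phases show whether the static translation and the permit entry were both matched before the packet is allowed.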
