Solved

Cisco ASA Firewall rules \NAT\PAT

Posted on 2009-06-29
Last Modified: 2013-11-16
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?

The firewall has three interfaces configured as follows: interface Ethernet0/0 = outside, security-level 0; interface Ethernet0/1 = inside, security-level 100; interface Ethernet0/2 = dmz, security-level 50.

The inside interface is 172.16.1.10, the DMZ interface is 192.168.1.1, the outside interface is 12.16.14.113, and the web host is 192.168.1.5. See below:

Outside Int
 12.16.14.113
    |
    |

   ASA ------- DMZ INT
             192.168.1.1
    |             |
    |             |
    |           Switch
    |             |
    |             |
    |        Web Host - Prt 443
    |          192.168.1.5
 Inside Int
 172.16.1.10

Question by:ctna
7 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24736857
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255

and add a rule to your outside ACL:

access-list outside_in extended permit tcp any interface outside eq 443

Good Luck,

3nerds
 
LVL 1

Author Comment

by:ctna
ID: 24737223
I get the following error, any ideas?

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
 
LVL 13

Expert Comment

by:3nerds
ID: 24737529
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255


Regards,

3nerds
 
LVL 1

Author Comment

by:ctna
ID: 24737594
Will this work? The ASA took the commands. How does the word "interface" know which NIC to use, the outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!

static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
 
LVL 1

Author Comment

by:ctna
ID: 24737615
Correction to the config lines below:

static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
 
LVL 13

Accepted Solution

by:3nerds (earned 500 total points)
ID: 24737622
Yes, those are fine.

It assumes the outside interface because you have this line in your config:

global (outside) 1 interface

Good Luck,

3nerds
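A small lint for the static PAT and access-list pairing discussed in this thread, added here as an example and not part of the original answer: it parses the ASA 8.2-style `static (real,mapped) ... interface ...` and `access-list ... interface <name> eq <port>` lines, flags a static that names the mapped interface's own IP where the `interface` keyword is required (the error hit above), and reports any static whose port has no matching permit on the mapped interface. `lint_static_pat`, `port_number` and the two sample configs are constructed for this example; comparing interface names case-insensitively is an assumption.

```python
import re
# Subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22}
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit (?P<proto>tcp|udp) (?P<src>\S+) "
    r"interface (?P<mapped_if>\w+) eq (?P<port>\S+)$")

def port_number(token):
    """Resolve an ASA service name ('https', 'ssh') or a numeric string to an int."""
    return PORT_NAMES.get(token.lower()) or int(token)

def lint_static_pat(config, interface_ips):
    """Return findings for the static PAT lines in config; interface_ips maps
    nameif -> that interface's own address (names compared case-insensitively)."""
    ifaces = {name.lower(): ip for name, ip in interface_ips.items()}
    statics, acl_permits = [], set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acl_permits.add((m["mapped_if"].lower(), m["proto"], port_number(m["port"])))
    findings = []
    for s in statics:
        mapped_if, port = s["mapped_if"].lower(), port_number(s["mport"])
        # The ASA rejects the mapped interface's own IP here; 'interface' is required.
        if s["mapped"] == ifaces.get(mapped_if):
            findings.append(f"{s['proto']}/{port}: use 'interface' instead of {s['mapped']}")
        # A static only translates; the inbound ACL on the mapped interface must permit it too.
        if (mapped_if, s["proto"], port) not in acl_permits:
            findings.append(f"{s['proto']}/{port}: no access-list permits it on {mapped_if}")
    return findings

# Constructed from the two configurations discussed in this thread.
FIRST_ATTEMPT = """
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq 443
"""
CORRECTED = """
static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq 443
"""
IFACE_IPS = {"outside": "12.16.14.113", "inside": "172.16.1.10", "dmz": "192.168.1.1"}

if __name__ == "__main__":
    print({n: lint_static_pat(c, IFACE_IPS) for n, c in [("first", FIRST_ATTEMPT), ("corrected", CORRECTED)]})
```

Run against the corrected config, the only access-list entry shown in the thread covers tcp/443, so the udp/1194 and ssh statics are reported until matching permits are added.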
 
LVL 1

Author Closing Comment

by:ctna
ID: 31597949
Thanks for the help, makes sense.