Solved

Cisco ASA Firewall rules \NAT\PAT

Posted on 2009-06-29
7
793 Views
Last Modified: 2013-11-16
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?

The firewall has three interfaces configured as follows, interface Ethernet0/0 = outside -security-level 0, interface Ethernet0/1 = inside - security-level 100, interface Ethernet0/2 = dmz
 security-level 50

The inside interface is 172.16.1.10, DMZ interface is 192.168.1.1, Outside interface 12.16.14.113, web host 192.168.1.5 .. See below
 

Outside Int
 12.16.14.113
    |
    |

   ASA ------- DMZ INT
             192.168.1.1
    |             |
    |             |
    |           Switch
    |             |
    |             |
    |        Web Host - Prt 443
    |          192.168.1.5
 Inside Int
 172.16.1.10

0
Comment
Question by:ctna
  • 4
  • 3
7 Comments
 
LVL 13

Expert Comment

by:3nerds
Comment Utility
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255

and add a rule to your outside ACL:

access-list outside_in extended permit tcp any interface outside eq 443

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:ctna
Comment Utility
I get the following error, any ideas?

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
 
LVL 13

Expert Comment

by:3nerds
Comment Utility
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255


Regards,

3nerds
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 1

Author Comment

by:ctna
Comment Utility
Will this work? The ASA took the commands.... How does the word interface know what NIC to use.. the Outside NIC? I'm a bit confused?? please let me know if the lines below are okay and any explanation would be great!

static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:ctna
Comment Utility
correction in the config line below

Will this work? The ASA took the commands.... How does the word interface know what NIC to use.. the Outside NIC? I'm a bit confused?? please let me know if the lines below are okay and any explanation would be great!

static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
0
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
Comment Utility
Yes those are fine.

It assumes the outside interface because you have this line in your config:

global (outside) 1 interface

Good Luck,

3nerds
0
 
LVL 1

Author Closing Comment

by:ctna
Comment Utility
Thanks for the help.. makes sense
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now