Solved

Cisco ASA Firewall rules \NAT\PAT

Posted on 2009-06-29
877 Views
Last Modified: 2013-11-16
I need to configure my Cisco ASA to allow port 443 to a web host in the DMZ. How do I redirect traffic sent to the external IP to the host in the DMZ network?

The firewall has three interfaces configured as follows: interface Ethernet0/0 = outside - security-level 0, interface Ethernet0/1 = inside - security-level 100, interface Ethernet0/2 = dmz - security-level 50.

The inside interface is 172.16.1.10, the DMZ interface is 192.168.1.1, the outside interface is 12.16.14.113 and the web host is 192.168.1.5. See below:
 

Outside Int
 12.16.14.113
    |
    |

   ASA ------- DMZ INT
             192.168.1.1
    |             |
    |             |
    |           Switch
    |             |
    |             |
    |        Web Host - Prt 443
    |          192.168.1.5
 Inside Int
 172.16.1.10

Question by:ctna
7 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24736857
static (DMZ,outside) tcp 12.16.14.113 443 192.168.1.5 443 netmask 255.255.255.255

and add a rule to your outside ACL:

access-list outside_in extended permit tcp any interface outside eq 443

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:ctna
ID: 24737223
I get the following error, any ideas?

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24737529
Like this:
static (DMZ,outside) tcp interface 443 192.168.1.5 443 netmask 255.255.255.255


Regards,

3nerds
0
 
LVL 1

Author Comment

by:ctna
ID: 24737594
Will this work? The ASA took the commands. How does the word "interface" know which NIC to use, the outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!

static (dmz,outside) tcp interface https 192.168.240 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.240 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.240 ssh netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:ctna
ID: 24737615
Correction to the config lines below.

Will this work? The ASA took the commands. How does the word "interface" know which NIC to use, the outside NIC? I'm a bit confused. Please let me know if the lines below are okay; any explanation would be great!

static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
0
 
LVL 13

Accepted Solution

by: 3nerds (earned 2000 total points)
ID: 24737622
Yes, those are fine.

It assumes the outside interface because you have this line in your config:

global (outside) 1 interface

Good Luck,

3nerds
0
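The two things that tripped this thread up (using the outside IP where the ASA demands the 'interface' keyword, and a mistyped DMZ host address) can both be caught before pasting into the box, and it is also worth checking that every static PAT has a matching permit on the mapped interface. The following is an added example, not code from the thread: a small checker for pre-8.3 `static`/`access-list` lines, using a constructed config built from the lines above. It treats the 'interface' keyword as the address of the mapped interface named second in the parentheses.

```python
import ipaddress
import re

OUTSIDE_IP = "12.16.14.113"                          # outside interface address from the question
NAMED_PORTS = {"https": 443, "ssh": 22, "http": 80}  # the ASA accepts names or numbers

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit (tcp|udp) any interface (\w+) eq (\S+)$")

# Constructed sample config: the corrected statics plus the one ACL entry from the thread.
SAMPLE_CONFIG = """
access-list outside_in extended permit tcp any interface outside eq 443
static (dmz,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (dmz,outside) udp interface 1194 192.168.1.5 1194 netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
"""

def port(token):
    """Normalise a port name or number to an int."""
    return int(token) if token.isdigit() else NAMED_PORTS[token]

def check_static(line, outside_ip=OUTSIDE_IP):
    """Return the problems found in one static PAT line (empty list if it is fine)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static PAT line"]
    _real_if, _mapped_if, _proto, mapped, _mport, real, _rport, mask = m.groups()
    problems = []
    # Exactly the condition behind the error message quoted in the thread.
    if mapped == outside_ip:
        problems.append("use the 'interface' keyword instead of the outside IP")
    try:
        ipaddress.IPv4Address(real)           # catches typos such as 192.168.240
    except ValueError:
        problems.append(f"invalid real host address {real!r}")
    if mask != "255.255.255.255":
        problems.append("a single-host PAT needs netmask 255.255.255.255")
    return problems

def uncovered_pats(config):
    """Return (proto, mapped_if, port) triples that are PAT'ed but have no permit
    on the mapped interface; traffic to them is translated and then dropped."""
    permitted, pats = set(), []
    for line in config.splitlines():
        a = ACL_RE.match(line.strip())
        if a:
            permitted.add((a.group(1), a.group(2), port(a.group(3))))
        s = STATIC_RE.match(line.strip())
        if s and s.group(4) == "interface":
            pats.append((s.group(3), s.group(2), port(s.group(5))))
    return [p for p in pats if p not in permitted]
```

Run `uncovered_pats(SAMPLE_CONFIG)` on the sample above and it reports the OpenVPN (udp/1194) and SSH statics, which have translations but no permit yet.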
 
LVL 1

Author Closing Comment

by:ctna
ID: 31597949
Thanks for the help, makes sense.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question