Solved

CISCO ASA 5510 - IP REDIRECT

Posted on 2010-09-10
Last Modified: 2012-05-10
I am configuring a CISCO ASA 5510 and need to set up a redirection.

I want to translate one of the Public IP's to an internal network device IP.

Is this a static NAT route or an access list?

Thanks

Question by:FlyingFortress
11 Comments
 
LVL 3

Accepted Solution

by:
Mystique_87 earned 250 total points
ID: 33644892
It has to be a static nat rule. Its format is as shown below:

static(inside, outside) <ipaddress1> <portno1> <ipaddress2> <portno2>

where:
<ipaddress1> is the destination IP address of the request that appears at the outside interface
<portno1> is the destination port number of the request that appears on the outside interface
<ipaddress2> is the IP address of the internal device to which the request is to be redirected
<portno2> is the port number on the internal device to which the request is to be redirected
0
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 250 total points
ID: 33644929
You also need to allow inbound traffic on outside acl. In that access-list you should use the outside ip address as destination.

Like:

static (inside,outside) 1.2.3.4 192.168.1.10

or

static (inside,outside) tcp 1.2.3.4 80 192.168.1.10 80

(Mystique87 has a syntax error above)

and!

access-l OUTSIDE ext permit tcp any host 1.2.3.4 eq 80
access-g OUTSIDE in int outside

/Kvistofta
0
 
LVL 3

Expert Comment

by:Mystique_87
ID: 33645001
Oh, I am sorry, the access-list is necessary.
0
 
LVL 1

Author Closing Comment

by:FlyingFortress
ID: 33645103
Thanks v.Much
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33645315
Hi, sorry - I thought I was there, but it does not seem to work.

Here is the config

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 192.168.50.5 www 222.111.2.25 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.50.5 https 222.111.2.25 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside

This is connecting to our remote support server.

The outside address does not resolve?

I have checked the logs and get this - Deny IP Spoof
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33645334
You need to turn your static around: swap the IP addresses.

static (inside,outside) tcp OUTSIDE-IP www INSIDE-IP www

/Kvistofta
0
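An added consistency check, not code from this thread, for the two pitfalls raised in Kvistofta's replies above (the mapped address must come first in a pre-8.3 `static`, and the outside ACL must permit traffic to that mapped address, not the inside one). It lints a constructed config in the asker's style; the regexes assume the long-form `access-list ... extended permit ... host` spelling and do not expand service object-groups.

```python
import ipaddress
import re

# Constructed sample in the asker's style: the real (inside) address sits where
# the pre-8.3 ASA 'static' syntax expects the mapped (outside) address.
SAMPLE_WRONG = """\
static (inside,outside) tcp 192.168.50.5 www 222.111.2.25 www netmask 255.255.255.255
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-group outside in interface outside
"""
# Same constructed config with the two addresses in the correct order.
SAMPLE_RIGHT = SAMPLE_WRONG.replace(
    "192.168.50.5 www 222.111.2.25", "222.111.2.25 www 192.168.50.5")

IP = r"\d+\.\d+\.\d+\.\d+"
# static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] ...
STATIC_RE = re.compile(
    rf"^static \((\w+),(\w+)\) (?:(?:tcp|udp) )?({IP})(?: (?!netmask)(\S+))?"
    rf" ({IP})(?: (?!netmask)(\S+))?", re.M)
# Only long-form ACEs with a 'host' destination are recognised; object-groups
# are not expanded (a simplifying assumption of this example).
ACL_RE = re.compile(rf"^access-list (\S+) extended permit .* host ({IP})(?: eq (\S+))?", re.M)
ACG_RE = re.compile(r"^access-group (\S+) in interface (\w+)", re.M)


def lint_static_nat(config: str) -> list:
    """Return a list of findings for pre-8.3 style static port forwards."""
    findings = []
    inbound = {}  # interface -> ACL names applied in the 'in' direction
    for name, iface in ACG_RE.findall(config):
        inbound.setdefault(iface, []).append(name)
    permits = [(n, dst, port or None) for n, dst, port in ACL_RE.findall(config)]
    for _real_if, map_if, mapped, mport, real, _rport in STATIC_RE.findall(config):
        m, r = ipaddress.ip_address(mapped), ipaddress.ip_address(real)
        # The first address is the one that must be reachable on the mapped
        # interface; a private mapped address beside a global real one is the
        # swapped form seen in the thread.
        if m.is_private and r.is_global:
            findings.append(f"static {mapped} -> {real}: addresses look swapped; "
                            f"the {map_if} (mapped) address must come first")
        # Pre-8.3 ACLs are evaluated against the mapped address, so the inbound
        # ACL on the mapped interface must permit traffic to 'mapped', not 'real'.
        allowed = any(n in inbound.get(map_if, []) and dst == mapped
                      and port in (None, mport) for n, dst, port in permits)
        if not allowed:
            findings.append(f"no inbound ACL on {map_if} permits traffic to mapped "
                            f"address {mapped}" + (f" port {mport}" if mport else ""))
    return findings
```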
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33645473
Hi - Thanks

However, I still don't seem to be able to access the server through the IP?

Here is some more info.

object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
 service-object tcp eq https
access-list inside_access_in extended permit ip any any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33645742
Here is the log from ping requests:

2 Sep 10 2010 05:28:18 106016 Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside

It is saying the destination IP address is 0 ???....

Thanks
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33645838
What does your routing table look like? show route

/Kvistofta
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33645882
Gateway of last resort is 99.20.99.150 to network 0.0.0.0

C    99.20.99.150 255.255.255.248 is directly connected, outside
C    192.168.50.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 99.20.99.150, outside

I can open another question if you would like points, as this is spidering into separate issues.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33645911
The server is saying failure to detect proxy server if that is any help.

0
