Solved

ASA PAT rule

Posted on 2011-09-19
10
860 Views
Last Modified: 2012-08-13
I have a cisco ASA. A vendor has asked me to setup a PAT rule from an outisde IP to the DMZ IP of a server. IP info is:

Outside IP: 173.219.37.x
DMZ IP: 192.168.10.x

The Vendor has asked for this:
Internet to DMZ server
48622 Public IP ---> 48622 DMZ IP
443 Public IP ---> 8443 DMZ IP

I have assigned a NAT rule from the DMZ IP to the Public IP.
I have created the access rule allowing any from the outside to the public IP on port 48622 and 443

What I am not sure about is the rule changing the port from 443 to 8443. I want to be sure that not all 443 traffic hitting the firewall is directed to the one server as I have other web based servers using https.

I am learning cisco ASA setup as I go, so I apologize if this is an odd question.

Thanks for any help and insite.
0
Comment
Question by:jamesddavis
  • 4
  • 3
  • 3
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36560835
Well, if you only have one public ip you can only forward port 443 once.....

So if you want to forward port 443 to multiple servers, you will need multiple public ip's as well (one 443 port per ip address only).
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 250 total points
ID: 36560879
Technically, this is a port-forwarding request, not a PAT request.    

You want to take a public IP and have those ports redirected inside to a server on the DMZ.    Then you create the access list to allow the traffic.   It would looklike this:


static (dmz,outside) tcp 173.219.37.x 48622 192.168.10.x 48622 netmask 255.255.255.255
static (dmz,outside) tcp 173.219.37.x 443 192.168.10.x 443 netmask 255.255.255.255

access-list outside_in extended permit tcp any host 173.219.37.x eq 48622
access-list outside_in extended permit tcp any host 173.219.37.x eq 48622

access-group outside_in in interface outside


Now this would have to fit into your config, so the acl name may be different, etc.   Plus, you can only forward the 443 to one internal host, so if you have 443 already going to another internal host, this won't fly.  
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 36560889
Oops , this:
access-list outside_in extended permit tcp any host 173.219.37.x eq 48622
access-list outside_in extended permit tcp any host 173.219.37.x eq 48622

should be this:
access-list outside_in extended permit tcp any host 173.219.37.x eq 48622
access-list outside_in extended permit tcp any host 173.219.37.x eq 443
0
 

Author Comment

by:jamesddavis
ID: 36561063
Sorry, I have multiple outside IP addresses provided by my ISP. I am using one of those IP addresses, 173.219.37.x, for the DMZ host 192.168.10.x with a static NAT.

Sorry for the incorrect wording, I am looking to port forward not PAT.

So if I only want traffic coming to IP 173.219.37.x on port 443 to be changed to port 8443 to the DMZ server mentioned, would the config above be correct?

Thanks,



0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36561088
Yes it would. To forward a second port 443, you'll need a second public, etc.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:jamesddavis
ID: 36561114
OK, now where in the above statement is it changing from 443 to 8443? Just making sure I understand. This is a learning exercise as much as it is getting this setup.

Thanks,
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36561281
Good catch, it isn't. It should be:
static (dmz,outside) tcp 173.219.37.x 443 192.168.10.x 8443 netmask 255.255.255.255
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 36561559
Thank you ernie... I missed that...  
443 Public IP ---> 8443 DMZ IP


0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36561720
My pleasure ;)
0
 

Author Closing Comment

by:jamesddavis
ID: 36562271
Thanks for the help, I thought that was the case, but wanted to be sure. Didn't want to break all of my other https web servers.

Thanks
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now