Solved

Cisco ASA 5510 - Can I port forward the same port to different internal IPs using different URLs?

Posted on 2011-09-28
14
1,041 Views
Last Modified: 2012-05-12
I have a Cisco ASA 5510 and only one public IP address.  Does anyone know if it is possible to port forward 3389 to different IP addresses using different URLs?

Example:

remote.domain.com  = port 3389  - 10.1.1.100
remote2.domain.com = port 3389 - 10.1.1.200
Question by:SihleIns
14 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 36717479
Nope, just one port (3389) per static.
You could forward another outside port to a 3389 on the inside though.
 

Author Comment

by:SihleIns
ID: 36717496
How do you assign multiple IP addresses to one physical connection with an ASA 5510?
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 250 total points
ID: 36717649
What ernie meant was that you can have different ports on the outside forward to specific ports on the inside.  

So port 3389 would forward to HostA on 3389
port 3390 would forward to HostB on 3389
port 3391 would forward to Host C on 3389
and so on.  

The NATs would look like this:
static (inside,outside) tcp interface 3389 <hostA ip> 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 <hostB ip> 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 <hostC ip> 3389 netmask 255.255.255.255

Then, allow the traffic with an ACL

access-list outside_in extended permit tcp any interface eq 3389
access-list outside_in extended permit tcp any interface eq 3390
access-list outside_in extended permit tcp any interface eq 3391

access-group outside_in in interface outside

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36717701
Thx Mike, it's always kind of a hassle to type a load of text on a mobile screen (even a 4.3 one :)
 
LVL 33

Expert Comment

by:MikeKane
ID: 36717805
No sweat, ernie.    
 

Author Comment

by:SihleIns
ID: 36717820
Ok thanks I understand that, but what if I wanted to have multiple IP's so I can use the same port for two different internal IP addresses.  Is that possible with one physical connection or would I need two different interfaces so I can configure ACL and NAT rules individually?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36717874
No, just interface will do. If you have a range of publics you can create statics for the other addresses (as shown by Mike) as well.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36717889
make that: just ONE interface........

Like I said, typing on a mobile :-~
 
LVL 33

Expert Comment

by:MikeKane
ID: 36717903
Well, if your ISP assigned you a block of IPs, then you can do this.    Can your ISP give you more than 1 IP?  

With multiple IPs you have the option of doing a 1-to-1 NAT instead of a port forward (essentially forwards everything).  

The NATs would look like this:
static (inside,outside) outside_ip_1 <hostA ip> netmask 255.255.255.255
static (inside,outside) outside_ip_2 <hostB ip> netmask 255.255.255.255

Then, allow the traffic with an ACL

access-list outside_in extended permit tcp any outside_ip_1 eq 3389
access-list outside_in extended permit tcp any outside_ip_2 eq 3389

access-group outside_in in interface outside
 
LVL 33

Expert Comment

by:MikeKane
ID: 36717908
Wow - for typing on a mobile, you're fast...
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36718298
Wait till I'm on my tablet :))

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36718343
@SihleIns: almost forgot my manners, Thx for the points :)
 

Author Comment

by:SihleIns
ID: 36720215
When I try adding the Static NAT rule from say 3390 to 3389 I get an error because 3389 is already being forwarded to another internal IP address.  

This is the actual error:  This operation will modify the Static NAT Rule.  The Modified Static NAT Rule cannot be configured, as it overlaps with the following existing rules.

Any suggestions?
 

Author Comment

by:SihleIns
ID: 36720229
Never mind.  I figured it out. I am using the ASDM to configure this rule and I need to specify 3389 as the original port and not the translated port.  Thanks again for the help!
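An added example, not posted by anyone in this thread: a small Python checker that reads the pre-8.3 `static (inside,outside)` and `access-list ... extended permit` syntax Mike used above and reports three things a reviewer of such a config wants to know. It flags two statics that claim the same outside address/protocol/port (the overlap ASDM rejected in the author's comment above), lists port-forward statics that no inbound ACL entry permits (translation exists, traffic still dropped), and points out permit entries whose source is `any`, which for RDP deserves a second look. The sample configuration, addresses and ACL name are constructed for the example; the checker only compares statics of the same kind and does not model every ASA NAT rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (pre-8.3 static syntax, as used in the thread).
# Line 3 deliberately repeats the outside port of line 1; line 2 has no matching ACL entry.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 10.1.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.1.1.200 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.250 3389 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.100 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface eq 3389
access-list outside_in extended permit tcp any host 203.0.113.11 eq 3389
access-group outside_in in interface outside
"""

# Port-forward (static PAT): static (real,mapped) proto MAPPED_ADDR MAPPED_PORT REAL_ADDR REAL_PORT netmask ...
PAT_RE = re.compile(
    r"^static \(\w+,\w+\) (?P<proto>tcp|udp) (?P<mapped_addr>\S+) (?P<mapped_port>\d+) "
    r"(?P<real_addr>\S+) (?P<real_port>\d+) netmask"
)
# One-to-one static: static (real,mapped) MAPPED_ADDR REAL_ADDR netmask ...
ONE_TO_ONE_RE = re.compile(r"^static \(\w+,\w+\) (?P<mapped_addr>\S+) (?P<real_addr>\S+) netmask")
# Inbound permit: access-list NAME extended permit proto SRC DST eq PORT
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+) (?P<dst>interface|host \S+) eq (?P<port>\d+)"
)


@dataclass(frozen=True)
class Static:
    line_no: int
    mapped_addr: str                 # "interface" or an outside IP
    real_addr: str
    proto: Optional[str] = None      # None for a 1:1 static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    line_no: int
    name: str
    proto: str
    src: str
    dst: str                         # "interface" or an outside IP ("host X" -> "X")
    port: int


def parse_config(text: str) -> Tuple[List[Static], List[AclEntry]]:
    """Extract static NAT lines and inbound permit entries, keeping their line numbers."""
    statics: List[Static] = []
    acls: List[AclEntry] = []
    for no, raw in enumerate(text.strip().splitlines(), start=1):
        line = raw.strip()
        m = PAT_RE.match(line)
        if m:
            statics.append(Static(no, m["mapped_addr"], m["real_addr"], m["proto"],
                                  int(m["mapped_port"]), int(m["real_port"])))
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            statics.append(Static(no, m["mapped_addr"], m["real_addr"]))
            continue
        m = ACL_RE.match(line)
        if m:
            dst = m["dst"][5:] if m["dst"].startswith("host ") else m["dst"]
            acls.append(AclEntry(no, m["name"], m["proto"], m["src"], dst, int(m["port"])))
    return statics, acls


def find_overlaps(statics: List[Static]) -> List[str]:
    """Two statics claiming the same outside (address, proto, port) cannot coexist:
    this is the overlap the ASA/ASDM rejects. 1:1 statics are keyed on the address alone."""
    seen: Dict[tuple, Static] = {}
    problems: List[str] = []
    for s in statics:
        key = (s.mapped_addr,) if s.proto is None else (s.mapped_addr, s.proto, s.mapped_port)
        if key in seen:
            problems.append(f"line {s.line_no} overlaps line {seen[key].line_no}: "
                            f"outside {'/'.join(map(str, key))} already used")
        else:
            seen[key] = s
    return problems


def find_unpermitted(statics: List[Static], acls: List[AclEntry]) -> List[Static]:
    """Port-forward statics whose mapped port no inbound permit entry covers."""
    permitted = {(a.dst, a.proto, a.port) for a in acls}
    return [s for s in statics
            if s.proto is not None and (s.mapped_addr, s.proto, s.mapped_port) not in permitted]


def find_any_source(acls: List[AclEntry]) -> List[AclEntry]:
    """Permit entries reachable from any source address."""
    return [a for a in acls if a.src == "any"]


def audit(text: str) -> Dict[str, list]:
    """Run all three checks and report findings by line number."""
    statics, acls = parse_config(text)
    return {
        "overlaps": find_overlaps(statics),
        "unpermitted": [s.line_no for s in find_unpermitted(statics, acls)],
        "any_source": [a.line_no for a in find_any_source(acls)],
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        print(f"{kind}: {items}")
```

Run against the constructed sample it reports line 3 overlapping line 1 on `interface/tcp/3389`, line 2 (port 3390) as translated but not permitted, and both ACL lines as open to `any`. Pasting the output of `show running-config static` and `show running-config access-list` from a real box into `SAMPLE_CONFIG` works as long as the lines use the same pre-8.3 syntax.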