
Cisco ASA 5510 - Can I port forward the same port to different internal IPs using different URLs?

I have a Cisco ASA 5510 and only one public IP address.  Does anyone know if it is possible to port forward 3389 to different IP addresses using different URLs?

Example:

remote.domain.com  = port 3389  - 10.1.1.100
remote2.domain.com = port 3389 - 10.1.1.200
0
SihleIns
Asked:
2 Solutions
 
Ernie Beek (Expert) commented:
Nope, just one port (3389) per static.
You could forward another outside port to a 3389 on the inside though.
0
 
SihleIns (Author) commented:
How do you assign multiple IP addresses to one physical connection with an ASA 5510?
0
 
MikeKane commented:
What ernie meant was that you can have different ports on the outside forward to specific ports on the inside.  

So port 3389 would forward to HostA on 3389
port 3390 would forward to HostB on 3389
port 3391 would forward to Host C on 3389
and so on.  

The NATs would look like this:
static (inside,outside) tcp interface 3389 <hostA ip> 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 <hostB ip> 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 <hostC ip> 3389 netmask 255.255.255.255

Then, allow the traffic with an ACL

access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 3390
access-list outside_in extended permit tcp any interface outside eq 3391

access-group outside_in in interface outside
0
 
Ernie Beek (Expert) commented:
Thx Mike, it's always kind of a hassle to type a load of text on a mobile screen (even a 4.3 one :)
0
 
MikeKane commented:
No sweat, ernie.    
0
 
SihleIns (Author) commented:
Ok thanks I understand that, but what if I wanted to have multiple IPs so I can use the same port for two different internal IP addresses.  Is that possible with one physical connection or would I need two different interfaces so I can configure ACL and NAT rules individually?
0
 
Ernie Beek (Expert) commented:
No, just interface will do. If you have a range of publics you can create statics for the other addresses (as shown by Mike) as well.
0
 
Ernie Beek (Expert) commented:
make that: just ONE interface........

Like I said, typing on a mobile :-~
0
 
MikeKane commented:
Well, if your ISP assigned you a block of IPs, then you can do this.    Can your ISP give you more than 1 IP?  

With multiple IPs you have the option of doing a 1 to 1 nat instead of a port forward (essentially forwards everything).  

The NATs would look like this:
static (inside,outside) outside_ip_1 <hostA ip> netmask 255.255.255.255
static (inside,outside) outside_ip_2 <hostB ip> netmask 255.255.255.255

Then, allow the traffic with an ACL

access-list outside_in extended permit tcp any host outside_ip_1 eq 3389
access-list outside_in extended permit tcp any host outside_ip_2 eq 3389

access-group outside_in in interface outside
0
 
MikeKane commented:
Wow - for typing on a mobile, you're fast...
0
 
Ernie Beek (Expert) commented:
Wait till I'm on my tablet :))

0
 
Ernie Beek (Expert) commented:
@SihleIns: almost forgot my manners, Thx for the points :)
0
 
SihleIns (Author) commented:
When I try adding the Static NAT rule from say 3390 to 3389 I get an error because 3389 is already being forwarded to another internal IP address.  

This is the actual error:  This operation will modify the Static NAT Rule.  The Modified Static NAT Rule cannot be configured, as it overlaps with the following existing rules.

Any suggestions?
0
 
SihleIns (Author) commented:
Never mind.  I figured it out: I am using the ASDM to configure this rule and I need to specify 3389 as the original port and not the translated port.  Thanks again for the help!
0
Question has a verified solution.
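
One way to check a set of static port-forward and ACL lines like those in the thread for the overlap the asker ran into, before applying them. This is an added example, not part of the original thread: the audit function, the regular expressions and the sample config are constructed for illustration and assume the single-port "interface" form used in the answers.

```python
import re
from collections import defaultdict

# Pre-8.3 static PAT on the outside interface address:
#   static (real_if,mapped_if) tcp interface <outside_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp interface (\d+) (\S+) (\d+)")
# Inbound permit to the firewall's own address on one port (interface name optional).
ACL_RE = re.compile(
    r"^access-list \S+ extended permit tcp \S+ interface(?: \w+)? eq (\d+)")

# Constructed sample: the third static reuses outside port 3389, port 3390 is
# forwarded but not permitted, and port 3391 is permitted but not forwarded.
SAMPLE = """\
static (inside,outside) tcp interface 3389 10.1.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.1.1.200 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.201 3389 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 3391
"""

def audit(config: str) -> dict:
    """Cross-check static PAT rules against the ACL entries that expose them."""
    by_outside_port = defaultdict(list)  # outside port -> [(real_ip, real_port)]
    permitted = set()                    # outside ports the ACL lets in
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            target = (m.group(2), int(m.group(3)))
            by_outside_port[int(m.group(1))].append(target)
        elif m := ACL_RE.match(line):
            permitted.add(int(m.group(1)))
    forwarded = set(by_outside_port)
    return {
        # Two statics claim one outside port: only one inside host can own it.
        "overlapping": {p: t for p, t in by_outside_port.items() if len(t) > 1},
        # Forwarded but not permitted: the translation exists, traffic is dropped.
        "unpermitted": sorted(forwarded - permitted),
        # Permitted but not forwarded: a stale ACL entry worth removing.
        "stale_permits": sorted(permitted - forwarded),
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```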