Solved

Cisco ASA 5510 Port Forwarding ASDM

Posted on 2013-06-26
1,549 Views
Last Modified: 2013-07-15
Hi everyone, I'm using the Cisco ASDM GUI interface to put a quick port forwarding rule in.

Basically I have an application on our network that needs to be accessed via the web, which requires a few ports forwarded.

I followed these two guides located here:

http://www.agrypnia.com/blog/2010/11/17/cisco-asa-port-forwarding-rdp-using-asdm.html

and

http://www.youtube.com/watch?v=MW2_Rc9vj3o


==========================


Everything is going great besides one small problem. Being a little bit of a newbie, I want to ask your advice on what I should do.

I put the NAT static rule in for port 22 for example and it worked just fine...

However, when I put the NAT static rule in for 443, it states it will not let me do this, because the static rule has already been applied somewhere else... which shows me there is indeed a rule already in place, but it's pointing towards our small business server.

I need this port forwarded also to point to this other application server I have.


How do I go about this without screwing up the config for the small business server?
Question by:Pancake_Effect
5 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278713
If you are port forwarding 443 to one server you cannot also forward it to another server.

Should you need 443 on two internal servers, you need additional public IPs and should ask your ISP for a /29 (check to see if they charge) and have it routed to your outside IP.

If this is incorrect, please post your nat statements and the inside IP of this new web server.
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 39278813
That makes sense, and I called them and we do have 3 extra available to us; one is already in use for another application at 2.2.2.2 for example.

Would we need an interface dedicated for each IP address? I see for example on our main outside address it states:

interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 1.1.1.1 255.255.255.128

However, for the other one already in use (2.2.2.2) I don't see an interface created for it; it looks like it's just defined in the NAT and access rules.

Will that be all that I have to do?
 
LVL 28

Accepted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278844
You probably ought to consider just using a dedicated IP and not mess with port forwarding.

That IP will either get routed individually or as part of a subnet or it's part of the subnet of the outside interface and when you create your static nat entry, all that's left is to update the outside access list to allow that traffic into the firewall.
 
LVL 6

Assisted Solution

by:pgstephan
pgstephan earned 166 total points
ID: 39303445
If your internet provider is saying you have another 3 extra IP addresses, then you have been allocated a total of 4 public IP addresses (a /30 public range).

I would recommend you use as few public IP addresses as possible and leverage port forwarding on your firewalls to forward the inbound traffic to the relevant server.

Make sure you check first the ports required for your applications and that they don't share the same ports (or whether they all use SSL (443)). If they don't, then continue with your port forwarding, but please know that the ASA will accept a single port forwarding rule per port.
A good way of looking at this would be to get your IP address and go on a BGP public looking glass for any of the Tier-1 Internet carriers (Level3, Verizon or AT&T), enter your IP address, and then you'll know your total public range (if it's /30) and the rest of the information about your specific route.

Please let me know if that helps.

HTH.
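The configuration the two answers above describe, as an added example (not from the thread, not from the asker's config, and not from Cisco's documentation): port forwarding on the outside address for the ports that are not in conflict, and the second public IP carrying 443 for the other server with no extra interface, only NAT and an access rule. It assumes ASA 8.3+ object NAT syntax; the public addresses are the thread's example 1.1.1.1 and 2.2.2.2, and the inside hosts, object names and ACL name are placeholders.

```cisco
! --- Port forwarding on the outside address (1.1.1.1) ---
! Each public port can be handed to only one inside host.
object network APP_SSH
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 22 22
!
object network SBS_HTTPS
 host 10.0.0.5
 nat (inside,outside) static interface service tcp 443 443
!
! A second "static interface service tcp 443 443" for another host is
! rejected: TCP/443 on 1.1.1.1 is already mapped to SBS_HTTPS.
!
! --- Second public IP (2.2.2.2) carries 443 for the application server ---
! No interface is configured for 2.2.2.2. If it lies in the outside
! interface's subnet the ASA proxy-ARPs for it; otherwise the ISP routes
! it to 1.1.1.1. Either way only NAT and the ACL reference it.
object network APP_HTTPS
 host 10.0.0.20
 nat (inside,outside) static 2.2.2.2 service tcp 443 443
!
! --- Inbound access list ---
! On 8.3+ the ACL matches the real (inside) address, not the mapped one.
access-list OUTSIDE_IN extended permit tcp any object APP_SSH eq 22
access-list OUTSIDE_IN extended permit tcp any object SBS_HTTPS eq 443
access-list OUTSIDE_IN extended permit tcp any object APP_HTTPS eq 443
access-group OUTSIDE_IN in interface outside
```

On an ASA still running 8.2 the same mappings are written with the older `static (inside,outside) tcp ...` form, and the ACL then matches the mapped (public) address instead.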
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 39326719
Thanks everyone, that was very helpful. I ended up using another IP just because we had one not in use, and I figured I would change the ports for any other application if they have to use the same ports in the future. It's nice to know I can do that though.

Everything is working great now, thanks!