Solved

Cisco ASA 5510 Port Forwarding ASDM

Posted on 2013-06-26
Last Modified: 2013-07-15
Hi everyone, I'm using the Cisco ASDM GUI interface to put a quick port forwarding rule in.

Basically I have an application on our network that needs to be accessed via the web, which requires a few ports forwarded.

I followed these two guides located here:

http://www.agrypnia.com/blog/2010/11/17/cisco-asa-port-forwarding-rdp-using-asdm.html

and

http://www.youtube.com/watch?v=MW2_Rc9vj3o


==========================


Everything is going great except for one small problem. Being a little bit of a newbie, I want to ask your advice on what I should do.

I put the NAT static rule in for port 22 for example and it worked just fine...

However, when I put the NAT static rule in for 443, it states it will not let me do this, because the static rule has already been applied somewhere else... which shows me there is indeed a rule already in place, but it's pointing towards our small business server.

I need this port forwarded also to point to this other application server I have.


How do I go about this without screwing up the config for the small business server?
Question by:Pancake_Effect
5 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278713
If you are port forwarding 443 to one server you cannot also forward it to another server.

Should you need 443 on two internal servers, you need additional public IPs and should ask your ISP for a /29 (check to see if they charge) and have it routed to your outside IP.

If this is incorrect, please post your nat statements and the inside IP of this new web server.
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 39278813
That makes sense, and I called them and we do have 3 extra available to us; one is already in use for another application at 2.2.2.2 for example.

Would we need an interface dedicated for each IP address? I see for example on our main outside address it states:

interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 1.1.1.1 255.255.255.128

However, for the other one already in use (2.2.2.2) I don't see an interface created for it; it looks like it's just defined in the NAT and access rules.

Will that be all that I have to do?
0
 
LVL 29

Accepted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278844
You probably ought to consider just using a dedicated IP and not mess with port forwarding.

That IP will either get routed individually or as part of a subnet, or it's part of the subnet of the outside interface. When you create your static NAT entry, all that's left is to update the outside access list to allow that traffic into the firewall.
0
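As an added illustration of the accepted solution (not configuration posted in this thread): the conflicting static PAT the asker ran into, followed by the dedicated-public-IP approach for the new server and the outside access list that goes with it. The inside addresses 10.0.0.10 and 10.0.0.20, the spare public address 2.2.2.3, the test source 198.51.100.7, the object names and the ACL name are constructed placeholders; the syntax assumes ASA 8.3 or later (object NAT).

```cisco
! --- What the asker already has (constructed example) ---
! TCP/443 arriving on the outside interface address (1.1.1.1) is
! already mapped to the small business server. A second static PAT
! for the same interface address and port is rejected by the ASA.
object network SBS-SERVER
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 443

! --- Dedicated public IP for the application server ---
! 2.2.2.3 stands in for one of the spare addresses the ISP confirmed.
! A 1:1 static NAT makes every port the application needs (443, 22, ...)
! available on that address without clashing with the SBS rule. No
! extra outside interface is needed as long as the ISP routes the
! address to the firewall's outside IP or it sits in the outside subnet.
object network APP-SERVER
 host 10.0.0.20
 nat (inside,outside) static 2.2.2.3

! --- Outside access list: permit only the ports the application needs ---
! From 8.3 onward the ACL is written against the real (inside) address.
object-group service APP-SERVER-PORTS tcp
 port-object eq 443
 port-object eq 22
access-list outside_access_in extended permit tcp any object APP-SERVER object-group APP-SERVER-PORTS
access-group outside_access_in in interface outside

! --- Checks ---
! Confirm both static entries coexist (one on the interface address,
! one on 2.2.2.3) and show hit counts.
show nat detail
! Simulate an inbound connection from a constructed Internet address to
! the new public IP on 443. The trace should show the NAT untranslate
! to 10.0.0.20, the ACL permit, and a final result of ALLOW.
packet-tracer input outside tcp 198.51.100.7 40000 2.2.2.3 443
```

Running the same `packet-tracer` against a port that is not in APP-SERVER-PORTS should end in DROP at the access-list stage, which is a quick way to confirm the ACL is as narrow as intended.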
 
LVL 6

Assisted Solution

by:pgstephan
pgstephan earned 166 total points
ID: 39303445
If your internet provider is saying you have another 3 extra IP addresses, then you have been allocated a total of 4 public IP addresses (a /30 public range).

I would recommend you use as few public IP addresses as possible and leverage port forwarding on your firewalls to forward the inbound traffic to the relevant server.

Make sure you first check the ports required for your applications and that they don't share the same ports (or whether they all use SSL (443)). If they don't, then continue with your port forwarding, but please know that the ASA will accept a single port forwarding rule per port.
A good way of looking at this would be to take your IP address and go to a public BGP looking glass for any of the Tier-1 Internet carriers (Level3, Verizon or AT&T); put your IP address in and you'll know your total public range (if it's a /30) and the rest of the information about your specific route.

Please let me know if that helps.

HTH.
0
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 39326719
Thanks everyone, that was very helpful. I ended up using another IP just because we had one not in use, and I figured I would change the ports for any other application if they have to use the same ports in the future. It's nice to know I can do that though.

Everything is working great now, thanks!
0
