Cisco ASA 5510 Port Forwarding ASDM

Posted on 2013-06-26
Last Modified: 2013-07-15
Hi everyone, I'm using the Cisco ASDM GUI to put a quick port forwarding rule in.

Basically I have an application on our network that needs to be accessed via the web, which requires a few ports forwarded.

I followed these two guides located here:

http://www.agrypnia.com/blog/2010/11/17/cisco-asa-port-forwarding-rdp-using-asdm.html

and

http://www.youtube.com/watch?v=MW2_Rc9vj3o


==========================


Everything is going great besides one small problem. Being a little bit of a newbie I want to ask your advice on what I should do.

I put the NAT static rule in for port 22 for example and it worked just fine...

However when I put the NAT static rule in for 443, it states it will not let me do this, because the static rule has already been applied somewhere else... which shows me there is indeed a rule already in place, but it's pointing towards our small business server.

I need this port forwarded also to point to this other application server I have.


How do I go about this without screwing up the config for the small business server?
Question by:Pancake_Effect
5 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278713
If you are port forwarding 443 to one server you cannot also forward it to another server.

Should you need 443 on two internal servers, you need additional public IPs and should ask your ISP for a /29 (check to see if they charge) and have it routed to your outside IP.

If this is incorrect, please post your nat statements and the inside IP of this new web server.
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 39278813
That makes sense, and I called them and we do have 3 extra available to us, one is already in use for another application at 2.2.2.2 for example.

Would we need an interface dedicated for each IP address? I see for example on our main outside address it states:

interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 1.1.1.1 255.255.255.128

However for the other one in use already at (2.2.2.2) I don't see an interface created for it, looks like it's just defined in the nat and access rules.

Will that be all that I have to do?
 
LVL 28

Accepted Solution

by:Jan Springer
Jan Springer earned 334 total points
ID: 39278844
You probably ought to consider just using a dedicated IP and not mess with port forwarding.

That IP will either get routed individually or as part of a subnet or it's part of the subnet of the outside interface and when you create your static nat entry, all that's left is to update the outside access list to allow that traffic into the firewall.
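The accepted answer in ASA CLI form, added here as an illustration and not taken from the original thread. It assumes ASA 8.3 or later object NAT syntax (an older 5510 image on 8.2 uses the different `static (inside,outside) ...` form), a placeholder inside address 10.0.0.20 for the new application server, a placeholder spare public address 2.2.2.3 from the block the ISP already routes to the outside interface (the thread's 2.2.2.2 is taken), and an assumed inbound access list name OUTSIDE-IN.

```cisco
! Added example, not from the thread. Placeholders: 10.0.0.20 = inside address of
! the new application server, 2.2.2.3 = spare public IP routed to the outside
! interface (1.1.1.1), OUTSIDE-IN = the ACL applied inbound on outside.
! ASA 8.3+ object NAT syntax.

! Real (inside) address of the new application server.
object network APP-SERVER
 host 10.0.0.20
 ! One-to-one static NAT: every port on 2.2.2.3 maps to 10.0.0.20, so tcp/443
 ! here does not collide with tcp/443 on the outside interface address, which
 ! the existing rule for the small business server already uses.
 nat (inside,outside) static 2.2.2.3

! Inbound access list. From 8.3 onward the ACL is evaluated against the REAL
! (inside) address, not the mapped public one. Permit only the ports the
! application actually needs; a 1:1 static NAT exposes every port that the
! ACL lets through.
access-list OUTSIDE-IN extended permit tcp any object APP-SERVER eq https
access-list OUTSIDE-IN extended permit tcp any object APP-SERVER eq ssh
access-group OUTSIDE-IN in interface outside
```

If an access list is already bound inbound on the outside interface, add the two permit lines to that list instead of issuing a new `access-group`, which would replace the existing binding and drop the small business server's rules. Before opening the port to the world, confirm the translation with `packet-tracer input outside tcp 203.0.113.5 40000 2.2.2.3 443` (203.0.113.5 is just a documentation-range test source) and check `show nat` to see the new entry alongside the existing one.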
 
LVL 6

Assisted Solution

by:pgstephan
pgstephan earned 166 total points
ID: 39303445
If your internet provider is saying you have another 3 extra IP addresses, then you have been allocated a total of 4 Public IP addresses (a /30 public range).

I would recommend you use as few public IP addresses as possible and leverage port forwarding on your firewalls to forward the inbound traffic to the relevant server.

Make sure you check first the ports required for your applications and that they don't share the same ports (or whether they all use SSL (443)). If they don't then continue with your port forwarding but please know that the ASA will accept a single port forwarding rule per port.
A good way of looking at this would be to get your IP address and go on a BGP public looking glass for any of the Tier-1 Internet carriers (Level3, Verizon or AT&T), put your IP address in, and then you'll know your total public range if it's /30 and you'll know the rest of the information about your specific route.

Please let me know if that helps.

HTH.
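What the single-rule-per-port limit pgstephan describes looks like in ASA CLI, and the way around it when only one public address is available: keep tcp/443 on the outside interface pointing at the existing server and publish the second server's HTTPS on a different outside port. This is an added example, not from the thread; it assumes ASA 8.3+ object NAT (static PAT) syntax, placeholder inside addresses 10.0.0.10 (small business server) and 10.0.0.20 (application server), an ACL named OUTSIDE-IN already bound to the outside interface, and 8443 as the alternative outside port.

```cisco
! Added example, not from the thread. Placeholders: 10.0.0.10 = existing small
! business server, 10.0.0.20 = new application server, OUTSIDE-IN = ACL already
! applied inbound on outside. ASA 8.3+ object NAT (static PAT) syntax.

! Existing rule: tcp/443 on the outside interface address -> small business server.
object network SBS-HTTPS
 host 10.0.0.10
 nat (inside,outside) static interface service tcp https https

! This second rule is what ASDM refuses in the question: the mapped tuple
! (outside interface IP, tcp, 443) is already claimed by SBS-HTTPS, and a
! given outside address/protocol/port can forward to only one inside host.
!object network APP-HTTPS
! host 10.0.0.20
! nat (inside,outside) static interface service tcp https https

! Working alternative: same real port 443 on the server, different mapped
! outside port 8443. Clients reach it at https://<outside-ip>:8443/.
object network APP-HTTPS
 host 10.0.0.20
 nat (inside,outside) static interface service tcp https 8443

! The ACL matches the REAL address and REAL port (443), not the mapped 8443.
access-list OUTSIDE-IN extended permit tcp any object SBS-HTTPS eq https
access-list OUTSIDE-IN extended permit tcp any object APP-HTTPS eq https
```

Check the result with `show nat detail`, which lists both static PAT entries with their distinct mapped ports, and with `packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 8443` to confirm the 8443 flow translates to 10.0.0.20:443 and is permitted. Keep in mind the trade-off pgstephan's approach implies: a non-standard port is only an inconvenience for browsers and users, not a security control, so the second server still needs the same TLS hygiene and patching as one published on 443.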
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 39326719
Thanks everyone, that was very helpful. I ended up using another IP just because we had one not in use, and I figured I would change the ports for any other application if they have to use the same ports in the future. It's nice to know I can do that though.

Everything is working great now, thanks!
