asked on
How to Port Forward Multiple Ports to Different Destinations - ASA 9.x
Hi all,
I have a setup where I have 2 different internal devices that need to share the same external IP, but I want inbound traffic from external sources to go to one of the two different devices based on what destination ports are being used.
Device 1:
Internal IP 10.10.10.1
Listening on ports: TCP/UDP 80, TCP/UDP 8000, TCP/UDP 8001
Device 2:
Internal IP 10.10.10.2
Listening on ports: UDP 18000, UDP 19000
External Shared IP 1.1.1.1
So basically, if an outside source navigated to 1.1.1.1 at any of the TCP/UDP ports of 80, 8000, or 8001 they'd land on Device 1, but if they navigated to 2.2.2.2 at any UDP ports 18000 or 19000 they'd land on device 2.
I'm running ASA 9.3 code, and I see where I can do object nat and add the "service tcp" options, but I can only specify the one line there.
When I set it up with object groups as below:
object-group service DEVICE1_SERVICES
service-object object TCP_80
service-object object UDP_80
service-object object TCP_8000
service-object object UDP_8000
service-object object TCP_8001
service-object object UDP_8001
object-group service DEVICE2_SERVICES
service-object object UDP_18000
service-object object UDP_19000
And then Go to do a static nat configuration:
nat (inside,outside) source static DEVICE1_REAL DEVICE1_TRANSLATED service DEVICE1_SERVICES....
...it gives me an error stating that have to use a single service object at the end there, not a service GROUP.
So, I guess my question is - is there any way to accomplish this on ASA to where I don't have to have a separate NAT statement for each and every service I need translated? I have 48 total devices I need to do this with, and trying to keep the config under control.
I have a setup where I have 2 different internal devices that need to share the same external IP, but I want inbound traffic from external sources to go to one of the two different devices based on what destination ports are being used.
Device 1:
Internal IP 10.10.10.1
Listening on ports: TCP/UDP 80, TCP/UDP 8000, TCP/UDP 8001
Device 2:
Internal IP 10.10.10.2
Listening on ports: UDP 18000, UDP 19000
External Shared IP 1.1.1.1
So basically, if an outside source navigated to 1.1.1.1 at any of the TCP/UDP ports of 80, 8000, or 8001 they'd land on Device 1, but if they navigated to 2.2.2.2 at any UDP ports 18000 or 19000 they'd land on device 2.
I'm running ASA 9.3 code, and I see where I can do object nat and add the "service tcp" options, but I can only specify the one line there.
When I set it up with object groups as below:
object-group service DEVICE1_SERVICES
service-object object TCP_80
service-object object UDP_80
service-object object TCP_8000
service-object object UDP_8000
service-object object TCP_8001
service-object object UDP_8001
object-group service DEVICE2_SERVICES
service-object object UDP_18000
service-object object UDP_19000
And then Go to do a static nat configuration:
nat (inside,outside) source static DEVICE1_REAL DEVICE1_TRANSLATED service DEVICE1_SERVICES....
...it gives me an error stating that have to use a single service object at the end there, not a service GROUP.
So, I guess my question is - is there any way to accomplish this on ASA to where I don't have to have a separate NAT statement for each and every service I need translated? I have 48 total devices I need to do this with, and trying to keep the config under control.
Network Security
Last Comment
Harold Bowlin