port forwarding

Unanswered Question

I have a Cisco 800 series router. I have several external IPs to use and I need to open port 443 for two internal servers. I can only configure PAT for one server, which makes sense; however, I need SSL for a second server. For example, I have a Citrix machine needing to receive SSL, and I have OWA and RPC over HTTP that need to be received on the Exchange machine. How can I configure one of my unused external IPs to forward to one of the internal machines while leaving the external IP on the external side of the firewall pointed to the other through PAT? I would appreciate any help. I have not configured any access lists or anything besides PAT.

Jon Marshall Sun, 11/18/2007 - 23:45

Hi Kevin

Could you give a few more details? You mention a firewall; is that the 800 router or a separate device? A quick topology of the network together with the IP addressing would help us.

Jon

Yes, the Cisco 800 series router is also our firewall. We currently use PAT for port forwarding. We have a Citrix server that requires HTTPS access. We also have OWA and RPC over HTTP, which (best practices) require HTTPS access on our Exchange server. All of this has worked beautifully for years until we recently changed our Cisco 800 series router/firewall. We lost our configuration and had to begin all over. Citrix is currently working over HTTPS; however, I can't make another entry for HTTPS (port 443) in PAT to allow or forward RPC over HTTP requests to a different server. I'm using the exact same model of Cisco router/firewall as I did before, so I know it has the capability. I just don't know the command. Here are some examples of our IP scheme:

Public IPs: 165.72.16.80-90

internal on firewall 192.168.1.1

Citrix 192.168.1.3

Exchange 192.168.1.4

If 165.72.16.80 is on the external side of the firewall, how do I take the next IP, .81, and forward it to the Exchange server 192.168.1.4?

Jon Marshall Mon, 11/19/2007 - 06:39

Kevin

ip nat inside source static 192.168.1.4 165.72.16.81

This is assuming you have

1) "ip nat inside" on your internal interface

2) "ip nat outside" on your external interface

You can then lock down with an access-list the port that is allowed to the internal server.

HTH

Jon
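Putting Jon's answer together with the addresses from the thread, here is an added example of the complete IOS fragment (it is not configuration posted by anyone in this discussion). Interface names (FastEthernet4 as WAN, Vlan1 as LAN) and the WAN subnet mask are assumptions; the example goes one step further than Jon's one-to-one static by using the port-specific form, so only TCP/443 of the Exchange host is reachable on .81.

```cisco
! Added example, not from the thread. Interface names and the WAN mask
! are assumptions; the IP addresses are the ones given in the question.
!
interface FastEthernet4
 description WAN (assumed interface name)
 ip address 165.72.16.80 255.255.255.0   ! mask is an assumption
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface Vlan1
 description LAN (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Ordinary outbound PAT: the whole LAN hides behind .80
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
!
! Existing forward: TCP/443 arriving on .80 goes to the Citrix server
ip nat inside source static tcp 192.168.1.3 443 165.72.16.80 443 extendable
!
! New forward: TCP/443 arriving on the spare public .81 goes to Exchange
! (OWA / RPC over HTTP). This is the port-specific form of
! "ip nat inside source static 192.168.1.4 165.72.16.81": it publishes
! only port 443 of the Exchange host instead of every port.
ip nat inside source static tcp 192.168.1.4 443 165.72.16.81 443 extendable
!
! Inbound ACL on the WAN side. IOS checks an inbound ACL before it
! translates outside-to-inside packets, so the ACL matches the public
! (global) addresses, not the 192.168.1.x ones.
ip access-list extended OUTSIDE_IN
 remark HTTPS to the two published services only
 permit tcp any host 165.72.16.80 eq 443
 permit tcp any host 165.72.16.81 eq 443
 remark TCP return traffic for sessions opened from the LAN
 permit tcp any any established
 remark everything else is dropped and logged
 deny ip any any log
```

The `established` line only covers TCP replies; UDP replies (DNS, NTP) from LAN-initiated traffic need explicit permits or stateful inspection (CBAC or the zone-based firewall), which this fragment does not configure.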

Hi, have a look at this config; it may help you. Also check out the link at the bottom.

If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface. In Figure 13-3, an outside server uses static NAT so that a translated address appears on the inside network.

Figure 13-3 IP Addresses in Access Lists: NAT used for Source and Destination Addresses

See the following commands for this example:

hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56

hostname(config)# access-group INSIDE in interface inside

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/traffic.html
