08-07-2008 10:35 PM - edited 03-11-2019 06:28 AM
Hi!
I want to forward wan traffic from x.x.x.202 x.x.x.203 255.255.255.248 to the same internal IP (Webserver)
I only succeeded in doing this for the first IP: x.x.x.202
How can I assign a "secondary" WAN IP to be forwarded also to the internal interface port?
thanks
marco
08-07-2008 10:51 PM
Marco, can I ask you, when you say forward two WAN IPs is a bit confusing, perhaps you meant to map two public IPs to single inside IP (Webserver)? can you clarify ?
Rgds
Jorge
08-07-2008 11:18 PM
yes i want to map two wan ips (from the same subnet!!!) to one single internal ip
08-07-2008 10:52 PM
what i suggest you to do is
in the internal server give it a secondary ip address
then on the ASA make the NAT mapping as u did the first time
but this time from the second public ip to the secondary server ip address
and it should work fine
good luck
please, if helpful rate
08-07-2008 11:09 PM
hi!
i want to forward the wan x.x.x.202 and x.x.x.203 to 192.168.0.2
the 192.168.0.1 -> is the lan ip of the asa 5505
how can i configure a second ip on the asa interfaces? they are in the same subnets....
i cannot assign a secondary ip to vlan2....
08-07-2008 11:11 PM
my config so far:
ciscoasa(config-if)# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
 nameif inside
 security-level 40
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 40
 ip address x.x.x.202 255.255.255.248
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
: end
08-07-2008 11:35 PM
I see, you are using the x.x.x.202 outside interface IP for port forwarding towards 192.168.0.2, fine. The easiest way around it is as Marwan suggested: give the 192.168.0.2 host a secondary IP address in its TCP/IP config, like 192.168.0.3, then create a static NAT using your second public x.x.x.203 and NAT it to 192.168.0.3
static (inside,outside) x.x.x.203 192.168.0.3 netmask 255.255.255.255
and respective acl and service ports.
This will be the easiest way to do it.
08-07-2008 11:47 PM
hi
nat is not enabled... can i do this anyway?
08-08-2008 12:14 AM
Here:
static (inside,outside) tcp x.203 www 192.168.0.5 www netmask 255.255.255.255
static (inside,outside) tcp x.203 https 192.168.0.5 https netmask 255.255.255.255
the 192 net is a 252 so i had to create a new one
but it's still not working...
08-08-2008 12:59 AM
hi there
as i mentioned above
create a second ip in ur server, go to tcp/ip properties
then choose alternate IP and give it for example
192.168.0.4
and do the following
static (inside,outside) tcp interface www 192.168.0.4 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.4 https netmask 255.255.255.255
and make ACL to allow traffic for that second public ip
simple
08-08-2008 02:17 AM
thanks for the info
but when i do this for the 192.168.0.2 and then for the 192.168.0.4 i get
ERROR: mapped-address conflict with existing static
TCP inside:192.168.0.4/80 to outside:
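The mapped-address conflict reported above can be caught before pasting lines into the firewall. The following is an added example, not part of the original thread and not the ASA's own logic: a simplified Python model that flags static PAT lines where one mapped interface/protocol/address/port is claimed by more than one real host. The function names, the `iface_ip` parameter and the sample strings are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ASA 7.2-style static PAT line, in the form posted in the thread.
STATIC_PAT = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+)"
)

def parse_static_pat(config):
    """Return one dict per static PAT line; all other lines are ignored."""
    return [m.groupdict() for line in config.splitlines()
            if (m := STATIC_PAT.match(line.strip()))]

def mapped_conflicts(config, iface_ip=None):
    """Map each mapped socket claimed by more than one real host to those hosts.

    iface_ip (hypothetical parameter) resolves the 'interface' keyword to the
    interface address, so 'interface' and the literal address compare equal.
    """
    iface_ip = iface_ip or {}
    claims = defaultdict(set)
    for r in parse_static_pat(config):
        ip = r["mapped_ip"]
        if ip == "interface":
            ip = iface_ip.get(r["mapped_if"], "interface")
        key = (r["mapped_if"], r["proto"], ip, r["mapped_port"])
        claims[key].add((r["real_ip"], r["real_port"]))
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}

# Constructed from the thread: the existing forwards plus the two rejected lines.
REJECTED = """\
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.4 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.4 https netmask 255.255.255.255
"""
# Constructed: the second pair keyed on the second public address instead.
DISTINCT = (REJECTED
            .replace("interface www 192.168.0.4", "x.x.x.203 www 192.168.0.2")
            .replace("interface https 192.168.0.4", "x.x.x.203 https 192.168.0.2"))

if __name__ == "__main__":
    found = mapped_conflicts(REJECTED, {"outside": "x.x.x.202"})
    for key, targets in found.items():
        print("conflict", key, "->", targets)
    print("distinct mapped IPs:", mapped_conflicts(DISTINCT) or "no conflict")
```

Port names are compared as written, so `www` and `80` are treated as different ports in this model.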
08-08-2008 04:18 AM
simple yes
i did it with the same private ip
works
thanks!
08-08-2008 04:21 AM
Congratulations!
could u tell what u have done then worked?