Help with PAT on Cisco ASA 5520

Unanswered Question
Dec 16th, 2008

Hi,


I have a Cisco ASA 5520 and wonder if this is possible.


We have a server (172.24.10.13) on a VLAN off our 5520 that needs to connect to a SQL server (192.168.200.5) on the inside. No problem there, but they want the VLAN server to use port 9999 instead of 1433 for SQL but want the inside SQL server to "see" the 9999 port traffic as 1433, possible?


I thought there might be a way to translate traffic sent as TCP 9999 to TCP 1433 before it hits 192.168.200.5.

Collin Clark Tue, 12/16/2008 - 10:34

Sure, it's called a port translation. Below is an example. Here we translate port 8080 on a public IP to port 80 on the inside web server.


static (inside,outside) tcp 69.222.73.5 8080 192.168.1.20 80 netmask 255.255.255.255


Hope that helps.

whiteford Tue, 12/16/2008 - 11:51

Thanks, I guess I will just need to add an access list for this as well? Like an allow any to 69.222.73.5 to 8080?


whiteford Tue, 12/16/2008 - 12:59

hmm, still having no luck.


I added:


static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255


then added an access list to allow 172.24.10.13 to 192.168.200.5 on port 9877


I then tried to telnet to "192.168.200.5 9877" and it failed.


Collin Clark Tue, 12/16/2008 - 13:06

In your NAT statement your DMZ client is looking to 172.24.10.13 on port 9877 for SQL access. Is that correct? If so can you check your log when it fails?

whiteford Tue, 12/16/2008 - 13:21

My DMZ client is 172.24.10.13 and needs to use TCP 9877 to the inside server 192.168.200.5 and PAT to TCP 1433

Collin Clark Tue, 12/16/2008 - 13:39

Do you NAT between your DMZ or route?

Collin Clark Tue, 12/16/2008 - 13:50

You'll need a new NAT address that translates to the inside. Something like this-


static (DMZ_Web_Servers,inside) tcp [new NAT IP] 9877 192.168.200.5 1433 netmask 255.255.255.255

whiteford Tue, 12/16/2008 - 13:54

I see, so I can't use the IP of the DMZ server, I need to use this PAT and only the server can use this?

Collin Clark Tue, 12/16/2008 - 13:56

Yes, but anyone can use it, you'll restrict that with the ACL.

whiteford Tue, 12/16/2008 - 14:00

So I can use a random IP address from the DMZ subnet that is not in use?

Collin Clark Tue, 12/16/2008 - 14:02

Most people set up a special subnet just for NAT, but if you didn't then grabbing a local IP should work. However your current NATs are set up.

curhed Tue, 12/16/2008 - 14:19

Hi, just got curious, but shouldn't you have your static and acl statements like this?


static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255


then add acl to (DMZ-int in) permit tcp host 172.24.10.13 host 192.168.200.5 eq 9877


This is just what I understood from the 1st post...
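As an added illustration (not from the thread and not Cisco code), the pre-8.3 ASA static port-translation syntax modelled in Python and run over the statements quoted above. It assumes the standard form static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port: a connection arriving on mapped_ifc for mapped_ip:mapped_port is delivered to real_ip:real_port on real_ifc.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative model of the pre-8.3 ASA "static" port-translation syntax:
#   static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
# A connection arriving on mapped_ifc toward mapped_ip:mapped_port is delivered
# to real_ip:real_port on real_ifc.  This is a model for reasoning, not ASA code.
STATIC_RE = re.compile(
    r"static\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+tcp\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)"
)


@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line: str) -> StaticPat:
    """Parse one 'static ... tcp ...' line into its fields."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp static statement: {line!r}")
    r_ifc, m_ifc, m_ip, m_port, r_ip, r_port = m.groups()
    return StaticPat(r_ifc, m_ifc, m_ip, int(m_port), r_ip, int(r_port))


def translate(statics: List[StaticPat], ingress_ifc: str, dst_ip: str,
              dst_port: int) -> Optional[Tuple[str, str, int]]:
    """(egress_ifc, real_ip, real_port) for a connection arriving on ingress_ifc
    toward dst_ip:dst_port, or None when no static applies to that direction."""
    for s in statics:
        if (s.mapped_ifc, s.mapped_ip, s.mapped_port) == (ingress_ifc, dst_ip, dst_port):
            return (s.real_ifc, s.real_ip, s.real_port)
    return None


# Statements as posted in the thread (interface names and addresses unchanged).
COLLIN_EXAMPLE = "static (inside,outside) tcp 69.222.73.5 8080 192.168.1.20 80 netmask 255.255.255.255"
WHITEFORD_ATTEMPT = "static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255"
CURHED_VERSION = "static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255"


def dmz_to_sql(static_line: str) -> Optional[Tuple[str, str, int]]:
    """Where the DMZ host's connection to 192.168.200.5:9877 ends up under one static."""
    return translate([parse_static(static_line)], "DMZ_Web_Servers", "192.168.200.5", 9877)
```

The model shows why the first attempt yields nothing for a DMZ-initiated connection: its mapped side is the inside interface, so traffic arriving on the DMZ interface never matches it.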


whiteford Wed, 12/17/2008 - 01:07

Hi.


Well the server on 172.24.10.13 in the DMZ needs to access the SQL server on 192.168.200.5 on the inside on TCP Port 9877, however 192.168.200.5 is only receiving traffic on TCP port 1433 from 172.24.10.13 so we need to PAT 9877 somehow.

Collin Clark Wed, 12/17/2008 - 06:53

I thought that's what you wanted? The DMZ server thinks SQL is running on port 9877, but it's really running on 1433 on the inside host. The NAT statement translates port 9877 to 1433. Please correct my thinking.

whiteford Wed, 12/17/2008 - 07:12

You are right, I have 2 answers which are different.


I will test with yours today, the only bit that confused me (only me, I bet, as usual) was the part about using a new IP for the NAT that is not in use. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10.x?

Collin Clark Wed, 12/17/2008 - 07:24

Most places (at least that I see) do not NAT between the DMZ and the inside network, they just route. NAT will work but it just makes it more confusing and harder to troubleshoot! The NAT can really be in any subnet, the firewall just needs to know that it is responsible for the IP or subnet. If you're unsure if you're NATing between DMZ and inside, post your NAT, Global, and statics statements.

whiteford Wed, 12/17/2008 - 07:39

Thanks, should this NAT be turned off on the ASA, if so how? I would much prefer this to be easier :)

Collin Clark Wed, 12/17/2008 - 13:10

Look for a nat 0 statement, or you could be translating the internal subnet or just IPs.


static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0


or


static (inside,dmz) 192.168.200.5 192.168.200.5 netmask 255.255.255.255


