Help with PAT on Cisco ASA 5520

Unanswered Question
Dec 16th, 2008

Hi,

I have a Cisco ASA 5520 and wonder if this is possible.

We have a server (172.24.10.13) on a VLAN off our 5520 that needs to connect to a SQL server (192.168.200.5) on the inside. No problem there, but I they want the VLAN server to user port 9999 instead of 1433 for SQL but want the inside SQL server to "see" the 9999 port traffic as 1433, possible?

I thought there might be a way to translate traffic sent as TCP 9999 to TCP 1433 before it his 192.168.200.5.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Collin Clark Tue, 12/16/2008 - 10:34

Sure, it's call a port translation. Below is an example. Here we translate port 8080 on a public IP to port 80 on the inside web server.

static (inside,outside) tcp 69.222.73.5 8080 192.168.1.20 80 netmask 255.255.255.255

Hope that helps.

whiteford Tue, 12/16/2008 - 11:51

Thanks, I guess I will just need to add an access list for this aswell? Like an allow any to 69.222.73.5 to 8080?

whiteford Tue, 12/16/2008 - 12:59

hmm, still having no luck.

I added:

static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255

then added an access list to allow 172.24.10.13 to 192.168.200.5 on port 9877

I then tried to telnet to "192.168.200.5 9877" and it failed.

Collin Clark Tue, 12/16/2008 - 13:06

In your NAT statement your DMZ client is looking to 172.24.10.13 on port 9877 for SQL access. Is that correct? If so can you check your log when it fails?

whiteford Tue, 12/16/2008 - 13:21

My DMZ client is 172.24.10.13 and needs to use TCP 9877 to the inside server 192.168.200.5 and PAT to TCP 1433

Collin Clark Tue, 12/16/2008 - 13:50

You'll need a new NAT address that translates to the inside. Something like this-

static (DMZ_Web_Servers,inside) tcp [new NAT IP] 9877 192.168.200.5 1433 netmask 255.255.255.255

whiteford Tue, 12/16/2008 - 13:54

I see, so I can't use the IP of teh DMZ server I need to use this PAT and only server can use this?

whiteford Tue, 12/16/2008 - 14:00

So I can use a random IP address from from the DMZ sunbet that is not in use?

Collin Clark Tue, 12/16/2008 - 14:02

Most people setup a special subnet just for NAT, but if you didn't then grabbing a local IP should work. However your current NAT's are setup.

curhed Tue, 12/16/2008 - 14:19

Hi, just got curious, but shouldn't you have your static and acl statements like this?

static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255

then add acl to (DMZ-int in) permit tcp host 172.24.10.13 host 192.168.200.5 eq 9877

This is just what I understood from the 1st post...

whiteford Wed, 12/17/2008 - 01:07

Hi.

Well the server on 172.24.10.13 in the DMZ needs to access the SQL server on 192.168.200.5 on the inside on TCP Port 9877, however 192.168.200.5 is only receiving traffic on TCP port 1433 from 172.24.10.13 so we need to PAT 9877 somehow.

Collin Clark Wed, 12/17/2008 - 06:53

I thought that's what you wanted? The DMZ server thinks SQL is running on port 9877, but it's really running on 1433 on the inside host. The NAT statement translates port 9877 to 1433. Please correct my thinking.

whiteford Wed, 12/17/2008 - 07:12

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

Collin Clark Wed, 12/17/2008 - 07:24

Most places (at least that I see) do not NAT between the DMZ and the inside network, they just route. NAT will work but it just makes it more confusing and harder to troubleshoot! The NAT can really be in any subnet, the firewall just needs to know that it is responsible for the IP or subnet. If you're unsure if you're NATing between DMZ and inside, post your NAT, Global, and statics statements.

whiteford Wed, 12/17/2008 - 07:39

Thanks, should this NAT be turned off on the ASA, if so how? I would much prefer this to be easier :)

Collin Clark Wed, 12/17/2008 - 13:10

Look for a nat 0 statement or you could be translating the internal subnet or just IP's.

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

or

static (inside,dmz) 192.168.200.5 192.168.200.5 netmask 255.255.255.255

whiteford Wed, 12/17/2008 - 07:12

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

whiteford Wed, 12/17/2008 - 07:12

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

Actions

This Discussion