Can you do this in the ASA?

Answered Question
Apr 1st, 2009
User Badges:
  • Purple, 4500 points or more

I have a Symantec Gateway (SG) appliance that I'm converting from to an ASA 5550. I have a slight problem, and I don't think there's a workaround.


The SG allows for us to create a rule that allows external traffic in, and then it will forward this traffic to individual hosts. The individual hosts don't need public addresses to forward to.


Example:


Allow public address into port 3330 and forward to private host 192.168.3.20.


I don't believe I can do this with the ASA without having a public address assigned to 192.168.3.20 and then doing translation based on that:

static (inside,outside) <public ip> 192.168.3.20 netmask 255.255.255.255


Is there a way to do it other than this?


Thanks,

John


JamesLuther Wed, 04/01/2009 - 06:40
User Badges:
  • Silver, 250 points or more

Hi John,


You can do port redirection with NAT, like so


static (inside,outside) tcp 195.1.1.1 2001 192.168.3.20 ssh netmask 255.255.255.255

static (inside,outside) tcp 195.1.1.1 2002 192.168.3.21 ssh netmask 255.255.255.255

static (inside,outside) tcp 195.1.1.1 2003 192.168.3.22 ssh netmask 255.255.255.255


access-list in_on_outside permit tcp any host 195.1.1.1 range 2001 2003



Regards

John Blakley Wed, 04/01/2009 - 06:44
User Badges:
  • Purple, 4500 points or more

James,


Thanks for the response. The problem is the SG allows for a rule to be created with no associated public address. Would I be able to do something like:


static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255


The problem is that I don't want to assign public addresses to these two hosts. (Actually, I'm not sure why we would really see traffic coming into the network from these public addresses; they're web servers, but apparently run on different ports over a special client.)


Thanks,

John

JamesLuther Wed, 04/01/2009 - 07:15
User Badges:
  • Silver, 250 points or more

Hi John,


I believe your command should work. I'm not exactly sure what you're trying to achieve but this will direct all requests going to the ASA IP on port 3330 to your inside host.




Regards

Correct Answer
srue Wed, 04/01/2009 - 07:26
User Badges:
  • Blue, 1500 points or more

Yes, that command will work fine. And good use of the 'interface' keyword, btw.

Remember to use the "interface outside" key phrase in your ACLs.
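The thread leaves the reader with two pieces of configuration that have to agree: the `static` port redirections (James's three lines plus John's `interface 3330` variant) and the inbound ACL that must permit each mapped port, using `interface outside` as the destination when the redirection is bound to the interface address. The following script is an added example, not part of the thread or of any Cisco tooling: it parses the pre-8.3 `static`/`access-list` syntax shown above (only the subset of that syntax that appears on this page), builds the table of exposed public port to internal host mappings, and evaluates the ACL first-match to report which mappings are actually reachable. The sample config is constructed from the addresses in the thread.

```python
"""Audit ASA (pre-8.3 syntax) static port redirections against the inbound ACL.

Added example, not from the thread. Handles only the syntax forms seen on the page:
  static (real_if,mapped_if) tcp|udp <mapped_ip|interface> <port> <real_ip> <port> netmask <mask>
  access-list <name> permit|deny tcp|udp|ip <src> <dst> [eq <port> | range <lo> <hi>]
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config: addresses are the ones quoted in the thread, not a real deployment.
SAMPLE_CONFIG = """
static (inside,outside) tcp 195.1.1.1 2001 192.168.3.20 ssh netmask 255.255.255.255
static (inside,outside) tcp 195.1.1.1 2002 192.168.3.21 ssh netmask 255.255.255.255
static (inside,outside) tcp 195.1.1.1 2003 192.168.3.22 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255
access-list in_on_outside permit tcp any host 195.1.1.1 range 2001 2003
"""

# Service-name to port table for the names this example understands (ASA accepts many more).
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}


def port_number(token: str) -> int:
    """Translate an ASA port token (number or service name) into an integer."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


@dataclass(frozen=True)
class Redirect:
    proto: str
    mapped_if: str
    mapped_addr: str  # public IP, or the literal "interface" for the interface address
    mapped_port: int
    real_addr: str
    real_port: int


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    dst: str  # normalised: "any", "host 1.2.3.4" or "interface outside"
    port_lo: Optional[int]
    port_hi: Optional[int]


STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(tcp|udp)\s+(interface|[\d.]+)\s+(\S+)\s+"
    r"([\d.]+)\s+(\S+)\s+netmask\s+[\d.]+$"
)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+(any|host\s+[\d.]+)\s+"
    r"(any|host\s+[\d.]+|interface\s+\w+)(?:\s+eq\s+(\S+)|\s+range\s+(\S+)\s+(\S+))?$"
)


def parse_config(text: str):
    """Return (redirects, acl_entries) in the order they appear; other lines are ignored."""
    redirects, acl = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, proto, mapped, mport, real, rport = m.groups()
            redirects.append(Redirect(proto, mapped_if, mapped, port_number(mport), real, port_number(rport)))
        elif m := ACL_RE.match(line):
            name, action, proto, _src, dst, eq, lo, hi = m.groups()
            if eq:
                lo_n = hi_n = port_number(eq)
            elif lo:
                lo_n, hi_n = port_number(lo), port_number(hi)
            else:
                lo_n = hi_n = None  # no port clause: the entry matches every port
            acl.append(AclEntry(name, action, proto, " ".join(dst.split()), lo_n, hi_n))
    return redirects, acl


def matches(entry: AclEntry, r: Redirect) -> bool:
    """Does this ACL entry match traffic arriving on the redirect's mapped address and port?"""
    if entry.proto not in ("ip", r.proto):
        return False
    wanted = f"interface {r.mapped_if}" if r.mapped_addr == "interface" else f"host {r.mapped_addr}"
    if entry.dst not in ("any", wanted):
        return False
    return entry.port_lo is None or entry.port_lo <= r.mapped_port <= entry.port_hi


def audit(text: str) -> dict:
    """Map each redirect to True/False: is inbound traffic to it permitted by the ACL?

    ASA ACLs are evaluated first-match with an implicit deny at the end, so the first
    matching entry decides and an unmatched redirect is reported as not reachable.
    """
    redirects, acl = parse_config(text)
    report = {}
    for r in redirects:
        key = f"{r.proto}/{r.mapped_addr}:{r.mapped_port}->{r.real_addr}:{r.real_port}"
        decision = next((e.action == "permit" for e in acl if matches(e, r)), False)
        report[key] = decision
    return report


if __name__ == "__main__":
    for mapping, allowed in audit(SAMPLE_CONFIG).items():
        print(f"{'PERMITTED ' if allowed else 'NO ACL HIT'} {mapping}")
```

Run against the sample config, the three `195.1.1.1` redirections report as permitted by the `range 2001 2003` entry, while the `interface 3330` redirection reports no ACL hit until a line such as `access-list in_on_outside permit tcp any interface outside eq 3330` is added, which is exactly the point srue makes about using the `interface outside` phrase in the ACL. The first-match evaluation also makes an earlier `deny` line visible in the report, which a simple "does any permit exist" check would miss.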
