Can you do this in the ASA?

John Blakley
VIP Alumni

I have a Symantec Gateway (SG) appliance that I'm converting from to an ASA 5550. I have a slight problem, and I don't think there's a workaround.

The SG allows for us to create a rule that allows external traffic in, and then it will forward this traffic to individual hosts. The individual hosts don't need public addresses to forward to.

Example:

Allow public address into port 3330 and forward to private host 192.168.3.20.

I don't believe I can do this with the ASA without having a public address assigned to 192.168.3.20 and then doing translation based on that:

static (inside, outside) public ip 192.168.3.20 netmask 255.255.255.255

Is there a way to do it other than this?

Thanks,

John

HTH, John *** Please rate all useful posts ***

JamesLuther
Level 3

Hi John,

You can do port redirection with NAT, like so

static (inside,outside) tcp 195.1.1.1 2001 192.168.3.20 ssh netmask 255.255.255.255

static (inside,outside) tcp 195.1.1.1 2002 192.168.3.21 ssh netmask 255.255.255.255

static (inside,outside) tcp 195.1.1.1 2003 192.168.3.22 ssh netmask 255.255.255.255

access-list in_on_outside permit tcp any host 195.1.1.1 range 2001 2003

Regards

James,

Thanks for the response. The problem is the SG allows for a rule to be created with no associated public address. Would I be able to do something like:

static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255

The problem is that I don't want to assign public addresses to these two hosts. (Actually, I'm not sure why we would really see traffic coming into the network from these public addresses; they're web servers, but apparently run on different ports over a special client.)

Thanks,

John

HTH, John *** Please rate all useful posts ***

Hi John,

I believe your command should work. I'm not exactly sure what you're trying to achieve, but this will direct all requests going to the ASA IP on port 3330 to your inside host.

Regards

Yes, that command will work fine. And good use of the 'interface' keyword, btw.

Remember to use the "interface outside" key phrase in your ACLs.
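The accepted answer spelled out as a complete configuration, added here as an example rather than taken from the thread. It assumes interfaces named inside and outside, an ACL named outside_in, and the host and port John gave (192.168.3.20, TCP 3330). It also goes beyond the thread by showing the equivalent object NAT form for ASA 8.3 and later, where the same redirection is written differently; use one form or the other, not both.

```cisco
! Added example, not from the thread. Assumed names: interfaces inside/outside,
! ACL outside_in. Host and port values are the ones John posted.
!
! --- ASA software before 8.3: static PAT on the outside interface address ---
! Map <outside-interface-ip>:3330 to 192.168.3.20:3330; no dedicated public
! address is consumed for the inside host.
static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the translated (mapped) address, so the destination is
! "interface outside", not the private host. Bind the ACL inbound on outside.
access-list outside_in extended permit tcp any interface outside eq 3330
access-group outside_in in interface outside
!
! --- ASA 8.3 and later: the same redirection as object NAT ---
! Here ACLs match the real (untranslated) address, so the rule names the object.
object network web_3330
 host 192.168.3.20
 nat (inside,outside) static interface service tcp 3330 3330
access-list outside_in extended permit tcp any object web_3330 eq 3330
access-group outside_in in interface outside
```

Since John notes these hosts are reached only by a special client, the `any` source in the ACL is the setting to tighten once the client address ranges are known. `show xlate` confirms the static translation is installed, and `packet-tracer input outside tcp 203.0.113.5 40000 <outside-interface-ip> 3330` (203.0.113.5 is a constructed source address) walks a test packet through the NAT and ACL phases so a mismatch between the two is visible before the cutover.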
