04-01-2009 06:33 AM - edited 03-11-2019 08:13 AM
I have a Symantec Gateway (SG) appliance that I'm converting to an ASA 5550. I have a slight problem, and I don't think there's a workaround.
The SG allows for us to create a rule that allows external traffic in, and then it will forward this traffic to individual hosts. The individual hosts don't need public addresses to forward to.
Example:
Allow public address into port 3330 and forward to private host 192.168.3.20.
I don't believe I can do this with the ASA without having a public address assigned to 192.168.3.20 and then doing translation based on that:
static (inside,outside) <public-ip> 192.168.3.20 netmask 255.255.255.255
Is there a way to do it other than this?
Thanks,
John
04-01-2009 06:40 AM
Hi John,
You can do port redirection with NAT, like so
static (inside,outside) tcp 195.1.1.1 2001 192.168.3.20 ssh netmask 255.255.255.255
static (inside,outside) tcp 195.1.1.1 2002 192.168.3.21 ssh netmask 255.255.255.255
static (inside,outside) tcp 195.1.1.1 2003 192.168.3.22 ssh netmask 255.255.255.255
access-list in_on_outside permit tcp any host 195.1.1.1 range 2001 2003
Regards
04-01-2009 06:44 AM
James,
Thanks for the response. The problem is the SG allows for a rule to be created with no associated public address. Would I be able to do something like:
static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255
The problem is that I don't want to assign public addresses to these two hosts. (Actually, I'm not sure why we would really see traffic coming into the network from these public addresses; they're web servers, but apparently run on different ports over a special client.)
Thanks,
John
04-01-2009 07:15 AM
Hi John,
I believe your command should work. I'm not exactly sure what you're trying to achieve but this will direct all requests going to the ASA IP on port 3330 to your inside host.
Regards
04-01-2009 07:26 AM
Yes, that command will work fine. And good use of the 'interface' keyword, by the way.
Remember to use the "interface outside" key phrase in your ACLs.
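Putting the thread's pieces together, here is the full pre-8.3 ASA configuration for the port-forward John describes: static PAT on the outside interface address plus the inbound ACL written with the "interface outside" keyword. This is an added example assembled for illustration, not config posted in the thread; the second host (192.168.3.21), its external port 3331 and the ACL/interface names are assumptions.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax.
! Assumptions: outside interface is named "outside", inside hosts
! 192.168.3.20 and 192.168.3.21 both listen on TCP 3330; the second
! host and the external port 3331 are made up for illustration.
!
! Forward TCP 3330 arriving on the outside interface IP to 192.168.3.20:3330.
! No dedicated public address is consumed; the interface IP is reused.
static (inside,outside) tcp interface 3330 192.168.3.20 3330 netmask 255.255.255.255
!
! A second host shares the same interface address on a different external port.
static (inside,outside) tcp interface 3331 192.168.3.21 3330 netmask 255.255.255.255
!
! Inbound ACL. Pre-8.3 ACLs match the translated (public) destination, and
! here that is the firewall's own outside address, hence "interface outside".
! Only the two forwarded ports are opened; everything else inbound hits the
! implicit deny at the end of the list.
access-list in_on_outside extended permit tcp any interface outside eq 3330
access-list in_on_outside extended permit tcp any interface outside eq 3331
access-group in_on_outside in interface outside
!
! Verification after applying: confirm the PAT entries and ACL hit counts.
show xlate
show access-list in_on_outside
```

If you later migrate to ASA 8.3 or newer, note that ACLs there match the real (untranslated) inside address instead of the interface address, so the ACL lines above would need to be rewritten.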