Port forwarding on PIX and ASA

Answered Question
Jan 5th, 2010

Hello

I would like to get a second opinion on whether the config below will work on a Cisco PIX or ASA running version 7.0. Basically, I am configuring port forwarding on port www from different public IPs to different servers on the LAN.

interface Ethernet0/0
nameif outside
security-level 0
ip address 11.12.13.10 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.5.2 255.255.255.0
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 11.12.13.14
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255

So this would route via the second WAN IP 11.12.13.11 on the same port www and forward to a different server, 10.0.5.22.

Thank you

Correct Answer
Federico Coto F... Tue, 01/05/2010 - 14:29

Hi,

This configuration will work fine.

You're redirecting web port 80 traffic when it hits IP 11.12.13.10 to internal IP 10.0.5.12, and also redirecting www when it hits IP 11.12.13.11 to 10.0.5.22.

Just make sure that DNS is configured correctly to resolve the correct IPs, and that web traffic reaching 11.12.13.10 is really intended for 10.0.5.12 and web traffic reaching 11.12.13.11 is really intended for 10.0.5.22.

Let me know.

Federico.

sarat1317 Thu, 01/07/2010 - 06:24

I appreciate all your responses. I tested it and it worked. Thank you.

Correct Answer
Joe B Danford Tue, 01/05/2010 - 14:36

If your goal is to forward TCP port 80 for 11.12.13.10 to 10.0.5.12 and 11.12.13.11 to 10.0.5.22 then this should work fine.

If using ASA code 7.2(1) and above you can use the packet tracer command to test your configs.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.10 80 detailed

packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.11 80 detailed

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
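A small model of what packet-tracer is checking here, written as an added example (Python, not Cisco code and not from any poster): it parses the two access-list/static pairs from the question and reports, for a given inbound packet on outside, whether the ACL permits it and which inside host the static translates it to. The access-group line binding outside_in to the outside interface is an assumption: the question does not show it, and without it the access-list has no effect on traffic. Pre-8.3 ASA code checks the inbound ACL against the public (mapped) address, which is why the ACEs name 11.12.13.10 and .11 rather than the inside hosts; the model follows that order and ignores everything else (nat-control, the global PAT, routes).

```python
"""Mini packet-tracer for the static PAT + ACL lines in the question.

Constructed example; not Cisco code. It models only the pre-8.3 inbound path:
1. the ingress interface must have an access-group, otherwise implicit deny;
2. the bound ACL is matched against the mapped (public) destination;
3. a matching static supplies the real (inside) address and port.
"""
import re
from dataclasses import dataclass

# Constructed copy of the relevant lines from the question. The access-group
# line is an assumption (not shown in the post) but is required for the ACL
# to take effect on the outside interface.
CONFIG = """
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255
access-group outside_in in interface outside
"""

# Port keywords the ASA accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def port(tok):
    """Resolve a port keyword or numeric string to an int."""
    return PORT_NAMES.get(tok) or int(tok)


@dataclass(frozen=True)
class Static:
    proto: str
    public_ip: str
    public_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class Ace:
    name: str
    proto: str
    dst_ip: str      # "any" or a host address
    dst_port: int


STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any (any|host \S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse(config):
    """Return (statics, aces, {interface: acl_name}) from the config text."""
    statics, aces, bound = [], [], {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _in, _out, proto, pub_ip, pub_port, real_ip, real_port, _mask = m.groups()
            statics.append(Static(proto, pub_ip, port(pub_port), real_ip, port(real_port)))
        elif m := ACE_RE.match(line):
            name, proto, dst, dport = m.groups()
            aces.append(Ace(name, proto, dst.replace("host ", ""), port(dport)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    return statics, aces, bound


def trace(config, proto, dst_ip, dst_port, in_iface="outside"):
    """Simplified packet-tracer for an inbound flow arriving on in_iface.

    Returns (action, translated_destination_or_None).
    """
    statics, aces, bound = parse(config)
    acl = bound.get(in_iface)
    if acl is None:
        return f"DROP (no access-group on {in_iface}; implicit deny)", None
    permitted = any(a.name == acl and a.proto == proto and a.dst_port == dst_port
                    and a.dst_ip in ("any", dst_ip) for a in aces)
    if not permitted:
        return f"DROP (acl {acl} implicit deny)", None
    for s in statics:
        if s.proto == proto and s.public_ip == dst_ip and s.public_port == dst_port:
            return "ALLOW", f"{s.real_ip}:{s.real_port}"
    return "DROP (no static matches; untranslated inbound)", None


def lint(config):
    """Findings a config reviewer would raise before relying on packet-tracer."""
    statics, aces, bound = parse(config)
    findings = []
    if "outside" not in bound:
        findings.append("ACL never applied: add 'access-group <acl> in interface outside'")
    for s in statics:
        if not any(a.proto == s.proto and a.dst_port == s.public_port
                   and a.dst_ip in ("any", s.public_ip) for a in aces):
            findings.append(f"static {s.public_ip}:{s.public_port} has no permitting ACE")
    return findings


if __name__ == "__main__":
    for pub in ("11.12.13.10", "11.12.13.11"):
        print(pub, trace(CONFIG, "tcp", pub, 80))   # mirrors the two packet-tracer runs
    print("lint:", lint(CONFIG) or "no findings")
```

trace() for the two public IPs on port 80 mirrors the two packet-tracer commands above; lint() catches the two mistakes most often behind a "static doesn't work" ticket, a static with no permitting ACE and an ACL that was written but never bound with access-group.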

Correct Answer
vilaxmi Wed, 01/06/2010 - 20:42

For packet-tracer, instead of the CLI you can also use ASDM (above 7.2(x)).

Just access your ASA using ASDM --> roll over TOOLS --> click on packet-tracer and set the packet parameters you want to simulate.

HTH

Vijaya
