Port forwarding on PIX and ASA

Answered Question
Jan 5th, 2010

Hello


I would like to get a second opinion on whether the config below will work on a Cisco PIX or ASA running version 7.0. Basically, it configures port forwarding to different servers on a LAN on port www on different public IPs.


interface Ethernet0/0
nameif outside
security-level 0
ip address 11.12.13.10 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.5.2 255.255.255.0
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 11.12.13.14
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255

So this would route via the second WAN IP 11.12.13.11 on the same port www and forward to a different server, 10.0.5.22.



Thank you

Correct Answer by vilaxmi about 7 years 4 months ago

For packet-tracer, instead of the CLI you can also use your ASDM (above 7.2(x)).


Just access your ASA using ASDM --> roll over TOOLS --> click on packet-tracer and set the packet parameters you want to simulate.


HTH


Vijaya

Correct Answer by Joe B Danford about 7 years 4 months ago

If your goal is to forward TCP port 80 for 11.12.13.10 to 10.0.5.12 and 11.12.13.11 to 10.0.5.22 then this should work fine.


If using ASA code 7.2(1) and above you can use the packet tracer command to test your configs.


packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]


packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.10 80 detailed

packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.11 80 detailed


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
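The check discussed in this thread can be scripted before touching the firewall. The following is an added example, not part of the original posts and not Cisco code: it parses only the static PAT and access-list line forms shown in the question, confirms each mapped IP and port has a matching permit in an ACL bound to the mapped interface, and emits the packet-tracer commands in the syntax given above. The access-group line in the sample and the names audit, PORTS and SAMPLE are assumptions made for the example.

```python
import re

# ASA port keywords -> numbers (small subset, extend as needed)
PORTS = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def audit(config, test_src="4.1.1.1", test_sport=1024):
    """Return (findings, packet_tracer_commands) for a 7.x-style config,
    where the outside ACL references the mapped (public) address."""
    statics, permits, bound = [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mip, mport, rip, rport = m.groups()
            statics.append((mapped_if, mip, port(mport), rip, port(rport)))
        elif m := ACL_RE.match(line):
            permits.add((m.group(1), m.group(2), port(m.group(3))))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    findings, tests = [], []
    for mapped_if, mip, mport, rip, rport in statics:
        acl = bound.get(mapped_if)
        where = f"{mip}:{mport} -> {rip}:{rport}"
        if acl is None:
            findings.append(f"{where}: no access-group on {mapped_if}")
        elif (acl, mip, mport) not in permits:
            findings.append(f"{where}: no permit in {acl}")
        tests.append(f"packet-tracer input {mapped_if} tcp {test_src} "
                     f"{test_sport} {mip} {mport} detailed")
    return findings, tests

# Constructed sample: the thread's lines plus an assumed access-group binding.
SAMPLE = """\
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    findings, tests = audit(SAMPLE)
    print("\n".join(findings or ["every static PAT entry has a bound permit"]))
    print("\n".join(tests))
```

An ACL that is defined but never bound with access-group is reported for every static entry, since the permit lines have no effect on the interface until the ACL is applied.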

Correct Answer by Federico Coto F... about 7 years 4 months ago

Hi,


This configuration will work fine.

You're redirecting web port 80 traffic when it hits IP 11.12.13.10 to internal IP 10.0.5.12 and also redirecting www when it hits IP 11.12.13.11 to 10.0.5.22.


Just make sure that DNS is configured correctly to resolve the correct IPs and that web traffic reaching 11.12.13.10 is really intended for 10.0.5.12 and web traffic reaching 11.12.13.11 is really intended for 10.0.5.22.


Let me know.


Federico.


sarat1317 Thu, 01/07/2010 - 06:24

I appreciate all your responses. I tested it and it worked. Thank you.
