2 External Ports to same Internal Port on ASA

Answered Question
May 16th, 2010

Hi,

We have a webserver behind an ASA 5520 which has a static NAT setup to forward TCP port 80 traffic through to the private address of the server on port 80 which is working fine.


We are having an issue with one site on the internet being unable to access the webserver properly, and we believe it is due to that particular ISP caching or interfering with port 80 traffic.


In order to test this theory and put in a workaround for this site, we'd like to be able to access this website from another port in addition to port 80 (say 81) without making any changes to the server itself.


Is it possible to have 2 external port numbers (80 and 81) both statically NATing to the same server and internal port?


We would rather keep it working on port 80 for simplicity for most users, but just give this problematic site a different URL using port 81.


Many thanks for your help.

Jennifer Halim Sun, 05/16/2010 - 04:08
User Badges: Cisco Employee

No, unfortunately you can't use a single public IP address with 2 different external port numbers and get it redirected to the same server on the same port.


I have just tested it quickly in the lab, and here is the result:


ASA(config)# sh run static
static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255


ASA(config)# static (inside,outside) tcp 100.1.1.2 81 192.168.0.2 80 netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255


Hope that helps.

paulhawker Sun, 05/16/2010 - 04:17

Ah that is a shame, but thank you very much for testing it out for me.



How about if we changed just the external IP address for port 81, e.g. (using your lab example):


static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255


static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 80 netmask 255.255.255.255



Do you think that would work instead?

Correct Answer
Jennifer Halim Sun, 05/16/2010 - 04:27
User Badges: Cisco Employee

Same result, unfortunately you can't port redirect to the same internal server and same port.


Here is the result:


ASA(config)# static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255

Daniel Algarin Mon, 11/24/2014 - 11:14

Old thread but I happened to run into this and thought I would post just in case someone else ran into the issue.

The only way to configure this is to use a combination of port NAT and 1:1 NAT. However, the order of the NAT is important. If you already have a 1:1 NAT, you must remove it and add the port NAT, then add the 1:1 NAT back:

no static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255
static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255

The net effect is that both external 80 and 81 will be NAT'd to 80 on the inside for inbound connections.
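As an added illustration (not Cisco code and not posted by anyone in this thread), here is a small Python model of the pre-8.3 static table that reproduces the two behaviours seen above: the "duplicate of existing static" refusal from Jennifer's lab, and why Daniel's ordering matters. The model assumes two things: statics are matched in configured order with the first match winning, and the ASA refuses a second port static whose inside address/port is already mapped by another port static. The rule objects, the `StaticNatTable` class and the three scenario functions are constructed for this example; the addresses are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """One pre-8.3 'static (inside,outside)' entry.

    proto / outside_port / inside_port are None for a 1:1 static and set for a
    port static (port redirection).
    """
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    outside_port: Optional[int] = None
    inside_port: Optional[int] = None

    def cli(self) -> str:
        """Render the entry the way it appears in 'show run static'."""
        if self.proto is None:
            return (f"static (inside,outside) {self.outside_ip} {self.inside_ip} "
                    "netmask 255.255.255.255")
        return (f"static (inside,outside) {self.proto} {self.outside_ip} {self.outside_port} "
                f"{self.inside_ip} {self.inside_port} netmask 255.255.255.255")


class StaticNatTable:
    """Ordered list of statics; first configured match wins (assumed model)."""

    def __init__(self) -> None:
        self.rules: List[Static] = []

    def add(self, rule: Static) -> None:
        # Model of the "duplicate of existing static" refusal seen in the thread:
        # a port static is rejected when the same inside proto/ip/port is already
        # the target of another port static.
        if rule.proto is not None:
            for r in self.rules:
                if (r.proto, r.inside_ip, r.inside_port) == (rule.proto, rule.inside_ip, rule.inside_port):
                    raise ValueError(
                        "duplicate of existing static "
                        f"{r.proto.upper()} inside:{r.inside_ip}/{r.inside_port} "
                        f"to outside:{r.outside_ip}/{r.outside_port}")
        self.rules.append(rule)

    def remove(self, rule: Static) -> None:
        self.rules.remove(rule)

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map an inbound (outside) destination to the inside address it reaches."""
        for r in self.rules:
            if r.outside_ip != dst_ip:
                continue
            if r.proto is None:
                return (r.inside_ip, dst_port)          # 1:1: port passes through unchanged
            if r.proto == proto and r.outside_port == dst_port:
                return (r.inside_ip, r.inside_port)    # port static: port is rewritten
        return None                                    # no static applies


# Constructed rules using the thread's addresses.
ONE_TO_ONE = Static("100.1.1.3", "192.168.0.2")
PORT_81_TO_80 = Static("100.1.1.3", "192.168.0.2", "tcp", 81, 80)
WWW_ON_DOT2 = Static("100.1.1.2", "192.168.0.2", "tcp", 80, 80)


def jennifer_lab() -> str:
    """Second port static to the same inside ip/port: refused, as in the lab output."""
    table = StaticNatTable()
    table.add(WWW_ON_DOT2)
    try:
        table.add(Static("100.1.1.2", "192.168.0.2", "tcp", 81, 80))
    except ValueError as err:
        return str(err)
    return "accepted"


def one_to_one_first() -> Optional[Tuple[str, int]]:
    """1:1 static ahead of the port static: the 1:1 shadows it and port 81 is not rewritten."""
    table = StaticNatTable()
    table.add(ONE_TO_ONE)
    table.add(PORT_81_TO_80)
    return table.translate_inbound("tcp", "100.1.1.3", 81)


def port_static_first() -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    """Daniel's order: remove the 1:1, add the port static, re-add the 1:1."""
    table = StaticNatTable()
    table.add(ONE_TO_ONE)
    table.remove(ONE_TO_ONE)
    table.add(PORT_81_TO_80)
    table.add(ONE_TO_ONE)
    return (table.translate_inbound("tcp", "100.1.1.3", 80),
            table.translate_inbound("tcp", "100.1.1.3", 81))


if __name__ == "__main__":
    print("lab:", jennifer_lab())
    print("1:1 first, port 81 ->", one_to_one_first())
    print("port static first, ports 80/81 ->", port_static_first())
```

With the 1:1 static configured first, an inbound connection to 100.1.1.3:81 is carried through to 192.168.0.2:81, where nothing is listening, which is the symptom Daniel's reordering fixes; with the port static first, both external ports land on 192.168.0.2:80. On a real ASA, `show xlate` and `show run static` are the places to confirm which entry is actually being hit.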
