05-16-2010 02:22 AM - edited 03-11-2019 10:46 AM
Hi,
We have a webserver behind an ASA 5520 which has a static NAT setup to forward TCP port 80 traffic through to the private address of the server on port 80 which is working fine.
We are having an issue with one site on the internet being unable to access the webserver properly, and we believe it is due to that particular ISP caching or interfering with port 80 traffic.
In order to test this theory and put in a workaround for this site, we'd like to be able to access this website from another port in addition to port 80 (say 81) without making any changes to the server itself.
Is it possible to have 2 external port numbers (80 and 81) both statically NATing to the same server and internal port?
We would rather keep it working on port 80 for simplicity for most users, but just give this problematic site a different URL using port 81.
Many thanks for your help.
05-16-2010 04:08 AM
No, unfortunately you can't use a single public IP address with 2 different external port numbers and get it redirected to the same server on the same port.
I have just tested it quickly in the lab, and here is the result:
ASA(config)# sh run static
static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255
ASA(config)# static (inside,outside) tcp 100.1.1.2 81 192.168.0.2 80 netmask 255.255.255.255
ERROR: duplicate of existing static
TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255
Hope that helps.
05-16-2010 04:17 AM
Ah that is a shame, but thank you very much for testing it out for me.
How about if we changed just the external IP address for port 81, e.g. (using your lab example):
static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 80 netmask 255.255.255.255
Do you think that would work instead?
05-16-2010 04:27 AM
Same result, unfortunately you can't port redirect to the same internal server and same port.
Here is the result:
ASA(config)# static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
ERROR: duplicate of existing static
TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255
11-24-2014 11:14 AM
Old thread but I happened to run into this and thought I would post just in case someone else ran into the issue.
The only way to configure this is to use a combination of port nat and 1:1 nat. However, the order of the nat is important. If you already have a 1:1 NAT, you must remove it and add the port nat, then add the 1:1 nat back:
no static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255
static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255
The net effect is that both external 80 and 81 will be NAT'd to 80 on the inside for inbound connections.
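As an added example (not posted by anyone in this thread), the Python sketch below pre-checks a list of pre-8.3 `static` lines for the two situations the thread describes: a second port static to the same inside address and port, which the lab output shows the ASA rejecting, and a 1:1 static entered before a port static for the same inside host, which the last post says must be reordered. The rules are inferred only from the posts above, the function names are hypothetical, and only the `www` port keyword is handled.

```python
import re

PORT_NAMES = {"www": 80}  # only the keyword used in this thread

# Matches either a port static (tcp/udp mapped_ip mapped_port real_ip real_port)
# or a 1:1 static (mapped_ip real_ip), in the pre-8.3 syntax shown above.
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+))"
    r" netmask \S+"
)

def parse(line):
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised static line: {line!r}")
    real_if, _mif, proto, _mip, _mport, rip, rport, _mip2, rip2 = m.groups()
    if proto:
        return ("pat", real_if, proto, rip, PORT_NAMES.get(rport) or int(rport))
    return ("nat", real_if, None, rip2, None)

def find_issues(lines):
    """Return (kind, offending_line, earlier_line) tuples, in entry order."""
    pat_seen, nat_seen, issues = {}, {}, []
    for line in lines:
        kind, real_if, proto, rip, rport = parse(line)
        if kind == "nat":
            nat_seen.setdefault((real_if, rip), line)
            continue
        key = (real_if, proto, rip, rport)
        if key in pat_seen:
            # Same inside host and port already has a port static (lab result).
            issues.append(("duplicate", line, pat_seen[key]))
        elif (real_if, rip) in nat_seen:
            # 1:1 static was entered first; last post says to re-add it afterwards.
            issues.append(("order", line, nat_seen[(real_if, rip)]))
        pat_seen.setdefault(key, line)
    return issues

# Constructed inputs, copied from the commands quoted in the thread.
LAB = [
    "static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255",
    "static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 80 netmask 255.255.255.255",
]
WORKAROUND = [
    "static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255",
    "static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, cfg in (("lab", LAB), ("workaround", WORKAROUND)):
        print(name, find_issues(cfg))
```
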