
2 External Ports to same Internal Port on ASA

paulhawker
Level 1

Hi,

We have a webserver behind an ASA 5520 which has a static NAT setup to forward TCP port 80 traffic through to the private address of the server on port 80 which is working fine.

We are having an issue with one site on the internet being unable to access the webserver properly, and we believe it is due to that particular ISP caching or interfering with port 80 traffic.

In order to test this theory and put in a workaround for this site, we'd like to be able to access this website from another port in addition to port 80 (say 81) without making any changes to the server itself.

Is it possible to have 2 external port numbers (80 and 81) both statically NATing to the same server and internal port?

We would rather keep it working on port 80 for simplicity for most users, but just give this problematic site a different URL using port 81.

Many thanks for your help.


Jennifer Halim
Cisco Employee

No, unfortunately you can't use a single public IP address with 2 different external port numbers and get it redirected to the same server on the same port.

I have just tested it quickly in the lab, and here is the result:

ASA(config)# sh run static
static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255

ASA(config)# static (inside,outside) tcp 100.1.1.2 81 192.168.0.2 80 netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255

Hope that helps.

Ah that is a shame, but thank you very much for testing it out for me.

How about if we changed just the external IP address for port 81, e.g. (using your lab example):

static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255

static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 80 netmask 255.255.255.255

Do you think that would work instead?

Same result. Unfortunately, you can't port redirect to the same internal server and same port.

Here is the result:

ASA(config)# static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.0.2/80 to outside:100.1.1.2/80 netmask 255.255.255.255

Old thread but I happened to run into this and thought I would post just in case someone else ran into the issue.

The only way to configure this is to use a combination of port NAT and 1:1 NAT. However, the order of the NAT is important. If you already have a 1:1 NAT, you must remove it and add the port NAT, then add the 1:1 NAT back:

no static (inside,outside)  100.1.1.3 192.168.0.2 netmask 255.255.255.255
static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
static (inside,outside)  100.1.1.3 192.168.0.2 netmask 255.255.255.255

The net effect is that both external 80 and 81 will be NAT'd to 80 on the inside for inbound connections.
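
An added example, not code from any poster in this thread: a short Python audit that parses `static` lines in the syntax quoted above and reports internal services published on more than one external address/port, plus hosts that have a 1:1 static (which translates every port, so the outside access-list decides what is actually reachable). The sample config is constructed from the thread's lab addresses; the function names and the port-keyword table are assumptions of this example.

```python
from collections import defaultdict

# Small subset of ASA port keywords; extend as needed (assumption of this example).
PORT_NAMES = {"www": 80, "https": 443}

# Constructed sample built from the lab addresses quoted in the thread.
SAMPLE = """\
static (inside,outside) tcp 100.1.1.2 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp 100.1.1.3 81 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) 100.1.1.3 192.168.0.2 netmask 255.255.255.255
"""

def to_port(token):
    """Accept a numeric port or a known keyword such as 'www'."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_static(line):
    """Return (proto, mapped_ip, mapped_port, real_ip, real_port) or None."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "static":
        return None                      # skips 'no static', prompts, other commands
    args = tok[2:]                       # tok[1] is the (real_if,mapped_if) pair
    if args[0] in ("tcp", "udp"):        # port redirection form
        proto, m_ip, m_port, r_ip, r_port = args[:5]
        return proto, m_ip, to_port(m_port), r_ip, to_port(r_port)
    return "ip", args[0], None, args[1], None   # 1:1 form: all ports translated

def audit(config):
    """Find real services reachable via several mapped endpoints, and 1:1 hosts."""
    services = defaultdict(set)          # (real_ip, proto, real_port) -> mapped endpoints
    one_to_one = {}                      # real_ip -> mapped_ip
    for line in config.splitlines():
        entry = parse_static(line)
        if entry is None:
            continue
        proto, m_ip, m_port, r_ip, r_port = entry
        if proto == "ip":
            one_to_one[r_ip] = m_ip
        else:
            services[(r_ip, proto, r_port)].add((m_ip, m_port))
    shared = {k: sorted(v) for k, v in services.items() if len(v) > 1}
    return shared, one_to_one

if __name__ == "__main__":
    shared, one_to_one = audit(SAMPLE)
    for (r_ip, proto, r_port), mapped in shared.items():
        print(f"{r_ip} {proto}/{r_port} is published as {mapped}")
    for r_ip, m_ip in one_to_one.items():
        print(f"{r_ip} has a 1:1 static to {m_ip}: check the outside access-list")
```

Run it against the output of `sh run static` to see every external endpoint that lands on the same internal service before and after adding a workaround like the one above.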
