09-08-2010 10:11 AM - edited 03-06-2019 12:53 PM
I have an asa 5500 router. I am routing public traffic to one or more web servers that are behind the firewall.
I have a rule that NATs
outside xxx.xxx.xxx.001 on port 80, to private ip 192.168.1.101 on port 80
outside xxx.xxx.xxx.001 on port 1080, to private ip 192.168.1.40 on port 1080
outside xxx.xxx.xxx.001 on port 2080, to private ip 192.168.1.50 on port 2080
the first entry is an address in a NLB cluster that can be set to any server dynamically. Entries 2&3 allow me to direct traffic to a desired server (the 192.167.1.40 and 50 are not part of the cluster).
All this works fine. I want to duplicate this on multiple outside ip's. For example:
outside xxx.xxx.xxx.002 on port 1080 to private 192.168.1.40 on port 1080
When I try and configure this, I get an error saying it overlaps with another rule.
If this would work, I would use the host header to route the traffic in the web server to the appropriate site.
Is there a way to configure this? I am using the GUI to configure it.
09-08-2010 12:16 PM
davealessi wrote:
I have an asa 5500 router. I am routing public traffic to one or more web servers that are behind the firewall.
I have a rule that NATs
outside xxx.xxx.xxx.001 on port 80, to private ip 192.168.1.101 on port 80
outside xxx.xxx.xxx.001 on port 1080, to private ip 192.168.1.40 on port 1080
outside xxx.xxx.xxx.001 on port 2080, to private ip 192.168.1.50 on port 2080
the first entry is an address in a NLB cluster that can be set to any server dynamically. Entries 2&3 allow me to direct traffic to a desired server (the 192.167.1.40 and 50 are not part of the cluster).
All this works fine. I want to duplicate this on multiple outside ip's. For example:
outside xxx.xxx.xxx.002 on port 1080 to private 192.168.1.40 on port 1080
When I try and configure this, I get an error saying it overlaps with another rule.
If this would work, I would use the host header to route the traffic in the web server to the appropriate site.
Is there a way to configure this? I am using the GUI to configure it.
Dave
Unfortunately, no. Unless you can use policy NAT, i.e. identify which source IPs are coming in from the internet to which address, you can't do this because of the overlap. But it is unlikely you can do this.
Jon
09-08-2010 04:10 PM
Hello,
Here is a sample configuration you could use:
access-list pnat1 permit tcp host 192.168.1.101 eq 1080 any
access-list pnat2 permit tcp host 192.168.1.101 eq 1080 any
static (inside,outside) tcp xxx.xxx.xxx.001 1080 access-list pnat1
static (inside,outside) tcp xxx.xxx.xxx.002 1080 access-list pnat2
This will ensure that the firewall will accept connections on both addresses
and translate them to the inside server.
Hope this helps.
Regards,
NT
09-09-2010 01:56 AM
NT
Thanks for posting this. I seem to remember seeing this solution before (on NetPro) but I completely forgot about it +5
Jon
09-11-2010 03:58 AM
I am having problems with this...
I created the access lists. (BTW: Is there a way to see the access lists in the GUI?)
When I try and add the static routes, it gives an error message:
"ERROR: access-list used in static has different local addresses"
Here is the actual stuff I entered:
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat1 permit tcp host 192.168.1.50 eq 2080 any
static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1 (won't take this)
static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat2 (won't take this)
I want traffic on xxx.34.249.198 and xxx.34.249.199 to route traffic to the private address 192.168.1.40 if it comes in on 1080, or 192.168.1.50 if it comes in on 2080.
09-11-2010 07:36 AM
Hello,
You cannot mix the IP addresses in the Policy-NAT. Please try the following.
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 permit tcp host 192.168.1.50 eq 2080 any
access-list Nat4 permit tcp host 192.168.1.50 eq 2080 any
static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1
static (inside,outside) tcp xxx.34.249.199 1080 access-list Nat2
static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat3
static (inside,outside) tcp xxx.34.249.199 2080 access-list Nat4
Hope this helps.
Regards,
NT
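The two rejections discussed in this thread (the "overlaps with another rule" error Jon mentions and the "access-list used in static has different local addresses" error NT's fix avoids) are easy to check for before pasting a config into the box. The script below is an added example, not code from the thread or from Cisco; it only understands the simplified pre-8.3 `access-list ... permit tcp host ... eq ... any` and `static (inside,outside) tcp ...` lines used here, and the sample configs are constructed from the thread's values.

```python
import re
from collections import defaultdict

# Only the simplified pre-8.3 ASA policy-NAT syntax used in this thread is recognised.
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit tcp host (\S+) eq (\d+) any$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) access-list (\S+)$")

def parse_config(text):
    """Return ({acl: [(local_ip, local_port)]}, [(global_ip, global_port, acl)])."""
    acls, statics = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), int(m.group(3))))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, statics

def check_policy_nat(text):
    """Report what the ASA would reject: an access-list that mixes local hosts, a static
    naming an undefined access-list, and two statics claiming the same global ip/port."""
    acls, statics = parse_config(text)
    problems, claimed = [], {}
    for gip, gport, acl in statics:
        entries = acls.get(acl)
        if not entries:
            problems.append(f"{acl}: static references an access-list that is not defined")
            continue
        if len({ip for ip, _ in entries}) > 1:
            problems.append(f"{acl}: access-list used in static has different local addresses")
        if (gip, gport) in claimed:
            problems.append(f"{gip}:{gport}: overlaps with the static using {claimed[(gip, gport)]}")
        claimed[(gip, gport)] = acl
    return problems

# Constructed sample: the rejected attempt (two local hosts in Nat1, Nat2 never defined).
BROKEN = """
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat1 permit tcp host 192.168.1.50 eq 2080 any
static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1
static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat2
"""

# Constructed sample: one access-list per (local host, global address) pair, as suggested.
FIXED = """
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any
static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1
static (inside,outside) tcp xxx.34.249.199 1080 access-list Nat2
"""
```

`check_policy_nat(BROKEN)` returns the two messages the firewall would produce, while `check_policy_nat(FIXED)` returns an empty list.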
09-13-2010 02:42 AM
How can I view the access-list in the GUI? I have this partially working, however I am getting errors on some of the rules. I think I may have set them up correctly, and I cannot find how to view or remove them. When I do a show access-list, here is what I get...How do I clean this up?
access-list Mail; 1 elements
access-list Mail line 1 extended permit tcp any any eq smtp (hitcnt=0) 0xe7e20b19
access-list Nat1; 2 elements
access-list Nat1 line 1 extended permit tcp host 192.168.1.40 eq 1080 any (hitcnt=0) 0xacd38216
access-list Nat1 line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x34dcf205
access-list Nat3; 2 elements
access-list Nat3 line 1 remark Allow access to superglide on isc sites (qa, prod, demo, etc.)
access-list Nat3 line 2 remark Allow access to superglide on isc sites (qa, prod, demo, etc.)
access-list Nat3 line 3 extended permit tcp host 192.168.1.40 eq 1080 any (hitcnt=0) 0x37058c3a
access-list Nat3 line 4 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x37b82f3d
access-list Nat4; 1 elements
access-list Nat4 line 1 remark Allow access to Ultraglide for ISC sites
access-list Nat4 line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x89b7258f
access-list inside_nat_static; 1 elements
access-list inside_nat_static line 1 remark Allow access to ISC sites on ultraglide
access-list inside_nat_static line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0xd8718611
09-13-2010 05:34 AM
Hello,
You can see the access-lists by going to
Configuration>Firewall>Access-rules
If a specific set of NAT are not working, can you please make sure that the
server is listening on that port and it's default gateway is set to the
firewall?
Regards,
NT
09-13-2010 11:09 AM
I don't see "firewall" under configuration. I see "interfaces", "Security policy", "Nat", etc.
Also, when I try and edit the security policy and add a comment, it gives me errors. Unfortunately, the system will not allow me to copy the error message.
It says - access list Nat4 line2 extended permit tcp host ....... found duplicate element
no access list Nat4 line 3 ...Specified access list does not exist at that line
What does all this mean?
09-13-2010 03:25 AM
Please disregard my prior comment. I found how to remove the access lists.
clear config access-list Nat1
clear config access-list Nat2
clear config access-list Nat3
clear config access-list Nat4
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 permit tcp host 192.168.1.50 eq 2080 any
access-list Nat4 permit tcp host 192.168.1.50 eq 2080 any
static (inside,outside) tcp xxx.34.249.197 1080 access-list Nat1
static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat2
static (inside,outside) tcp xxx.34.249.197 2080 access-list Nat3
static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat4
After entering the previous commands, it works on Nat1 & Nat2, but not on Nat3 and Nat4.
Ideas?
I would still like to know how to view access lists in the GUI. Is it possible?