Can you do DMZ and NAT/PAT with a single public IP address on ASA5520?

layhlaing
Level 1

Hi,

Can you do DMZ and NAT/PAT with a single public IP address on ASA5520? I have uplink in PPPoE and has only one public ip address. Would like to put anti-spam(eg. A.B.C.44) in the DMZ and there are a number of servers(eg. X.Y.Z.1, X.Y.Z.2 and X.Y.Z.3) that I want to NAT/PAT. Could someone please suggest how it should be implemented?

Two site-to-site IPSec tunnels have also been configured on this ASA.

Thanks to everyone in advance for your knowledge sharing.

regards,

Lay

5 Replies

Collin Clark
VIP Alumni

Lay,

You can do it. You need to configure what is called static NAT port translations.

For example, let's say your public IP is 69.222.73.50.

static (dmz,outside) tcp 69.222.73.50 25 A.B.C.44 25 netmask 255.255.255.255

! This static NAT port translation allows SMTP from the outside to your anti-spam server in the DMZ.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 443 X.Y.Z.2 443 netmask 255.255.255.255

! Here we create a couple of static NAT port translations to allow HTTP to one server and HTTPS to another.

There is always a gotcha. You cannot reuse a port that is already in use. For example, it is forbidden to have these two statements together.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.2 80 netmask 255.255.255.255

! We are using port 80 on the outside and translating to two internal servers. This is not allowed. You can use one of them but not both.

There is a "work around". You can translate one port to another.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 8080 X.Y.Z.2 80 netmask 255.255.255.255

! In your web browser you would have to use http://69.222.73.50:8080

Hope it helps.
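Collin's answer makes two points that are easy to verify mechanically before pasting statics into a production firewall: one public IP can front both DMZ and inside servers as long as each outside protocol/port pair maps to exactly one real host, and a second claim on an outside port already in use is rejected. The script below is an added example written for this thread, not a Cisco tool or anything posted by the participants. It parses the pre-8.3 `static` lines quoted above, reports any outside socket (protocol, mapped IP, mapped port) that points at more than one real target, and proposes a free outside port for the "translate one port to another" workaround. The sample lines are the ones from the reply, with the placeholder addresses A.B.C.44 and X.Y.Z.n kept as they appear; the function names `parse_static`, `find_conflicts` and `next_free_port` are chosen here.

```python
import re
from collections import defaultdict

# Matches the pre-8.3 ASA static PAT syntax used in the answer above:
#   static (real_if,mapped_if) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\d+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def parse_static(line):
    """Return a dict for one static PAT line, or None for comments/other lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["mapped_port"] = int(entry["mapped_port"])
    entry["real_port"] = int(entry["real_port"])
    return entry


def find_conflicts(lines):
    """List every outside socket claimed by more than one distinct real target.

    The key deliberately ignores the interface pair: a (dmz,outside) and an
    (inside,outside) static on the same public IP are fine as long as they use
    different outside ports, which is exactly the single-public-IP setup asked about.
    """
    claims = defaultdict(list)
    for line in lines:
        entry = parse_static(line)
        if entry is None:
            continue  # "!" comment lines and anything else are skipped
        key = (entry["proto"], entry["mapped_ip"], entry["mapped_port"])
        target = (entry["real_ip"], entry["real_port"])
        if target not in claims[key]:
            claims[key].append(target)
    return [(key, targets) for key, targets in claims.items() if len(targets) > 1]


def next_free_port(lines, proto, mapped_ip, start=8080):
    """Suggest the lowest outside port >= start not yet used on this public IP/protocol."""
    used = {
        e["mapped_port"]
        for e in map(parse_static, lines)
        if e is not None and e["proto"] == proto and e["mapped_ip"] == mapped_ip
    }
    port = start
    while port in used:
        port += 1
    return port


# Constructed samples: the three working statics from the reply, the forbidden
# pair, and the port-remap workaround. Addresses are the thread's placeholders.
SAMPLE_OK = [
    "static (dmz,outside) tcp 69.222.73.50 25 A.B.C.44 25 netmask 255.255.255.255",
    "! SMTP from outside to the anti-spam server in the DMZ",
    "static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 69.222.73.50 443 X.Y.Z.2 443 netmask 255.255.255.255",
]
SAMPLE_BAD = [
    "static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.2 80 netmask 255.255.255.255",
]
SAMPLE_FIXED = [
    "static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 69.222.73.50 8080 X.Y.Z.2 80 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("fixed", SAMPLE_FIXED)):
        conflicts = find_conflicts(sample)
        print(f"{name}: {len(conflicts)} conflicting outside socket(s)")
        for (proto, ip, port), targets in conflicts:
            free = next_free_port(sample, proto, ip)
            print(f"  {proto} {ip}:{port} -> {targets}; remap one of them to outside port {free}")
```

Run it as-is to see the forbidden pair flagged with a suggested outside port of 8080, matching Collin's workaround; point it at your own candidate statics by replacing the sample lists. It only understands the pre-8.3 `static` syntax shown in this thread, so on 8.3 and later the object NAT lines would need a separate parser.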

I really appreciate your help, Collin. Would I be able to continue my ASDM management (HTTPS) from the "inside" interface? Last time, I was no longer able to do that until I undid that NAT statement for the DMZ. My statement might not have been correct somehow. I will try it and let you know.

Regards.

Lay

You should not lose your ASDM access, especially on the DMZ NAT.

Hi Collin,

Thanks again for your time. I have managed to put the anti-spam server in the DMZ and the web server / mail server in the inside network. They work correctly with NAT and PAT, and so does the VPN. But I am getting access denied for SSH connections. I can't SSH into the box from inside or DMZ, although I have the following:

ASA Version 8.3(1)

ASA(config)#crypto key generate rsa modulus 1024
ASA(config)#wr

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 dmz
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5

I was prompted to enter a username and password but kept getting access denied. Could you please advise me on this SSH issue?

Regards,

Lay

Hi Collin

Please be informed that I have got SSH access after issuing the following:

ASA(config)#aaa authentication ssh console LOCAL

Before issuing the above command, SSH could only be accessed with the user "asa", which I cannot find anywhere in the configuration.

Anyway, thanks a lot for your sharing.

Regards,

Lay
