Cisco Support Community
New Member

Help with Address translation/Port Forwarding

I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ.  In the documentation for the Mitel Border Gateway it wants me to set up 2 external IPs on my ASA, one to allow 443 traffic into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MBG in the DMZ.  My problem is I don't know how to do this. The MBG only has one IP, and I need to have 2 different URLs mapped to two different external IPs, both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.

Any help would be appreciated.  I posted two graphics from the mitel border gateway config guide.

thanks!


10 REPLIES
Green

Help with Address translation/Port Forwarding

Looks like this is what you would need to set up the translations.

webtraffic
static (DMZ,outside) IP3 IP2 netmask 255.255.255.255

collabtraffic
static (DMZ,outside) tcp IP4 443 IP2 4443 netmask 255.255.255.255

New Member

Help with Address translation/Port Forwarding

I tried that and I get an error about a conflict with existing static.

Green

Help with Address translation/Port Forwarding

Sorry, try Policy Static PAT.

access-list MBG1 permit tcp host IP2 eq 443 any
static (DMZ,outside) tcp IP3 443 access-list MBG1

access-list MBG2 permit tcp host IP2 eq 4443 any
static (DMZ,outside) tcp IP4 443 access-list MBG2

New Member

Help with Address translation/Port Forwarding

I'm a bit confused by this. I create two access lists, one for each outside-facing address, and allow 443 access to each of them; I then create two static NAT entries that NAT the outside IPs to the access-lists?

Green

Help with Address translation/Port Forwarding

New Member

Help with Address translation/Port Forwarding

Where would the ACLs get applied? Currently I have MBG1 and MBG2 allowing 443 access on the outside interface; would your suggestion then put the ACLs on the DMZ interface?

Green

Help with Address translation/Port Forwarding

Your existing ACLs on the outside interface would not change. Don't confuse the ACLs that are part of the policy PAT with the ACLs applied to your outside interface; they are totally separate.

The policy static pat statements (static and acl together) are saying that any traffic arriving at the outside interface destined for IP3 on port 443 should be forwarded to IP2 on port 443.

The other is saying that any traffic arriving at the outside interface destined for IP4 on port 443 should be forwarded to IP2 on port 4443.

New Member

Help with Address translation/Port Forwarding

Hi-

I briefly looked at the diagram you uploaded, and assuming your main goal here is to use a single IP to PAT to 2 different destination IPs, please use the following. After you modify and drop in the script, run the 'sh xlate' command and this will show the translation slots created. Let me know how it works out, thanks.

!---start
!
!-be sure to modify where appropriate (i.e. interface names, IP addresses, and ACLs)
!
!-below is the ACL bound to the outside 'public' interface @1.1.1.1
access-list outside permit tcp any host 1.1.1.1 eq 443
access-list outside permit tcp any host 1.1.1.1 eq 4443
!
!-ACLs that will be referenced by the static PAT statements (source = real inside host and port)
access-list pat-acl-1a extended permit tcp host 192.168.1.10 eq 443 any
access-list pat-acl-1b extended permit tcp host 192.168.1.20 eq 4443 any
!
!-below are the static PAT statements referencing the above ACLs
static (inside,outside) tcp interface 443 access-list pat-acl-1a
static (inside,outside) tcp interface 4443 access-list pat-acl-1b
!
!---end

New Member

Help with Address translation/Port Forwarding

That's close, but I think it's backwards: I want two external IPs with the same port 443 open to the outside, to PAT to one DMZ IP, one for 443 and one for 4443.

New Member

Help with Address translation/Port Forwarding

Hi-

Sorry, I only briefly looked at the diagram. I'm not real clear on your requirements, but see the revised version below. Thanks

!---start
!
!-be sure to modify where appropriate (i.e. interface names, IP addresses, and ACLs)
!
!-below is the ACL bound to the outside 'public' interface; both public IPs accept 443
access-list outside permit tcp any host %public IP 1% eq 443
access-list outside permit tcp any host %public IP 2% eq 443
!
!-ACLs that will be referenced by the static PAT statements (source = real DMZ host and port)
access-list pat-acl-1a extended permit tcp host 192.168.1.10 eq 443 any
access-list pat-acl-1b extended permit tcp host 192.168.1.10 eq 4443 any
!
!-below are the static PAT statements referencing the above ACLs
!-the mapped (outside) port is 443 on both public IPs; the second one translates to 4443 on the MBG
static (dmz,outside) tcp %public IP 1% 443 access-list pat-acl-1a
static (dmz,outside) tcp %public IP 2% 443 access-list pat-acl-1b
!
!---end
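As an added example, not part of the thread and not Cisco tooling, here is a small Python model of the pre-8.3 `static` / `access-list` statements used in the replies above. It builds the translation table that policy static PAT produces (outside IP:port to DMZ IP:port, with the ACL's source identifying the real host), flags the overlap that produces a "conflict with existing static" when a whole-host static and a port static share the same real host (the first attempt in the thread), and checks that every mapped port is actually permitted by the outside interface ACL (the kind of mismatch the revised script is prone to when the ACL permits 443 on a public IP but the static maps 4443 on it). All configs and addresses are constructed (RFC 5737 ranges stand in for IP2/IP3/IP4 and the public IPs), and the parser is a simplified model of the syntax, not the ASA's own.

```python
"""Simplified model of ASA pre-8.3 static NAT/PAT and outside ACLs (added example,
not Cisco code). Addresses are constructed RFC 5737 values, not the poster's."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed configs: 203.0.113.3/.4 stand in for the two public IPs, 192.0.2.10
# for the single MBG host in the DMZ.
WORKING_CONFIG = """
access-list outside permit tcp any host 203.0.113.3 eq 443
access-list outside permit tcp any host 203.0.113.4 eq 443
access-list MBG1 permit tcp host 192.0.2.10 eq 443 any
access-list MBG2 permit tcp host 192.0.2.10 eq 4443 any
static (DMZ,outside) tcp 203.0.113.3 443 access-list MBG1
static (DMZ,outside) tcp 203.0.113.4 443 access-list MBG2
"""
# Whole-host static plus a port static for the same real host (overlapping).
CONFLICTING_CONFIG = """
static (DMZ,outside) 203.0.113.3 192.0.2.10 netmask 255.255.255.255
static (DMZ,outside) tcp 203.0.113.4 443 192.0.2.10 4443 netmask 255.255.255.255
"""
# Outside ACL permits 443 to the second public IP, but the static maps 4443.
MISMATCH_CONFIG = """
access-list outside permit tcp any host 203.0.113.3 eq 443
access-list outside permit tcp any host 203.0.113.4 eq 443
access-list pat-acl-1b extended permit tcp host 192.0.2.10 eq 4443 any
static (dmz,outside) tcp 203.0.113.4 4443 access-list pat-acl-1b
"""

@dataclass(frozen=True)
class Ace:
    """One ACL entry; None means 'any' (no host / no port)."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

@dataclass(frozen=True)
class Xlate:
    """One translation; mapped_port None means a whole-host static (all ports)."""
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

ACE_RE = re.compile(r"access-list (\S+) (?:extended )?permit tcp "
                    r"(?:host (\S+)|any)(?: eq (\d+))? (?:host (\S+)|any)(?: eq (\d+))?$")
POLICY_RE = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\d+) access-list (\S+)$")
PORT_RE = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+$")
HOST_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")

def _port(s):
    return int(s) if s else None

def parse_config(text):
    """Return ({acl_name: [Ace]}, [Xlate]). ACLs are read first so a policy static
    may reference an ACL defined anywhere in the text; '!' lines are comments."""
    lines = [s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("!")]
    acls = {}
    for line in lines:
        if m := ACE_RE.match(line):
            name, sip, sp, dip, dp = m.groups()
            acls.setdefault(name, []).append(Ace(sip, _port(sp), dip, _port(dp)))
    xlates = []
    for line in lines:
        if m := POLICY_RE.match(line):
            _, _, mip, mport, acl = m.groups()
            # Policy static PAT: the ACL's *source* is the real (DMZ) host and port.
            xlates += [Xlate(mip, int(mport), e.src_ip, e.src_port) for e in acls.get(acl, [])]
        elif m := PORT_RE.match(line):
            _, _, mip, mport, rip, rport = m.groups()
            xlates.append(Xlate(mip, int(mport), rip, int(rport)))
        elif m := HOST_RE.match(line):
            _, _, mip, rip = m.groups()
            xlates.append(Xlate(mip, None, rip, None))
    return acls, xlates

def lookup(xlates, dst_ip, dst_port):
    """Untranslate an inbound flow to outside dst_ip:dst_port; in this model a port
    static wins over a whole-host static for the same mapped IP."""
    hit = None
    for x in xlates:
        if x.mapped_ip == dst_ip and x.mapped_port == dst_port:
            return (x.real_ip, x.real_port)
        if x.mapped_ip == dst_ip and x.mapped_port is None:
            hit = (x.real_ip, dst_port)
    return hit

def find_conflicts(xlates):
    """Pairs of statics that translate the same real host/port to different mapped
    addresses: the overlap behind a 'conflict with existing static' error."""
    out = []
    for i, a in enumerate(xlates):
        for b in xlates[i + 1:]:
            ports_overlap = None in (a.real_port, b.real_port) or a.real_port == b.real_port
            if (a.real_ip == b.real_ip and ports_overlap
                    and (a.mapped_ip, a.mapped_port) != (b.mapped_ip, b.mapped_port)):
                out.append((a, b))
    return out

def uncovered_by_acl(xlates, outside_acl):
    """Translations whose mapped ip:port no entry of the outside ACL permits; a
    correct static is useless if the interface ACL still drops the flow."""
    def permits(e, x):
        return (e.dst_ip in (None, x.mapped_ip)
                and (None in (e.dst_port, x.mapped_port) or e.dst_port == x.mapped_port))
    return [x for x in xlates if not any(permits(e, x) for e in outside_acl)]
```

Run `parse_config` on a pasted `static`/`access-list` section and feed the result to `find_conflicts` and `uncovered_by_acl` before applying a script; `lookup` answers the "where does outside IP:port land" question that `sh xlate` answers on the box itself.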
