03-20-2007 09:41 AM - edited 03-11-2019 02:49 AM
I'm replacing a Symantec (software) firewall with an ASA5510. One of the features of the Symantec is that it allows a single external interface to act as multiple IP addresses, and each of the "virtual" IP addresses to be redirected to different internal hosts.
The multiple external IP addresses are mapped to different (publicly accessible) DNS hostnames, such as "ftp.mydomain.com" and "www.mydomain.com", so it's important that we maintain the ability to support multiple IP addresses on our external interface.
How can I do this with the 5510 ?
03-21-2007 07:28 AM
When you "define a static translation rule for outside address x, port 25 to be translated to inside address y, port 25.", x and y both designate the same host:
- x is the outside address of the host
- y is the inside address of the host
So in your access-list you don't have to add a rule between x and y (since both designate the same host...), but you have to add a rule between outside hosts and the host x:
If we continue with the same example, it would be something like this:
interface Ethernet0/0
nameif INT_OUTSIDE
security-level 0
ip address 1.1.1.14 255.255.255.0
! Port static: only TCP/25 to outside 1.1.1.10 is translated to inside 2.2.2.10
static (INT_INSIDE,INT_OUTSIDE) tcp 1.1.1.10 25 2.2.2.10 25 netmask 255.255.255.255
! One-to-one statics: all protocols/ports are translated
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.11 2.2.2.11 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.12 2.2.2.12 netmask 255.255.255.255
! The inbound access-list references the OUTSIDE (pre-NAT) address and the TCP port
access-list INT_OUTSIDE_access_in extended permit tcp any host 1.1.1.10 eq 25
access-group INT_OUTSIDE_access_in in interface INT_OUTSIDE
With this example, every host on the Outside can access your SMTP server which has:
-one outside address: 1.1.1.10
-one inside address: 2.2.2.10
Hope it helps
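As an added illustration (not code from this thread or from Cisco), the following Python script models the ASA 7.x inbound order of operations that the answer above relies on: the outside interface's access-list is matched against the outside (pre-NAT) destination first, and only then does a static translation map the packet to the inside host. The configuration text it parses is constructed from the example above, with one extra access-list entry that deliberately repeats the mistake discussed in the thread (an inside address referenced from the outside interface's access-list) so the checker can flag it. The evaluator is a simplification and assumes the `any`/`host` address forms and the `tcp`/`udp` port-static syntax only.

```python
"""Simplified model of ASA 7.x inbound processing: outside access-list first
(against the pre-NAT address), then static NAT. Illustration only, not Cisco code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Static:
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None       # None: one-to-one, all protocols/ports
    outside_port: Optional[int] = None
    inside_port: Optional[int] = None

@dataclass
class Ace:
    action: str
    proto: str
    src_ip: Optional[str]             # None means "any"
    dst_ip: Optional[str]
    dst_port: Optional[int]

# Constructed configuration modelled on the accepted answer. The entry for
# host 2.2.2.11 is the thread's mistake: an inside address in the outside ACL.
CONFIG = """
static (INT_INSIDE,INT_OUTSIDE) tcp 1.1.1.10 25 2.2.2.10 25 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.11 2.2.2.11 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.12 2.2.2.12 netmask 255.255.255.255
access-list INT_OUTSIDE_access_in extended permit tcp any host 1.1.1.10 eq 25
access-list INT_OUTSIDE_access_in extended permit tcp any host 2.2.2.11 eq 80
access-list INT_OUTSIDE_access_in extended permit tcp any host 1.1.1.12 eq 443
access-group INT_OUTSIDE_access_in in interface INT_OUTSIDE
"""

def _addr(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume 'any' or 'host X' at index i; return (ip or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")

def parse_config(text: str) -> Tuple[List[Static], List[Ace]]:
    statics, aces = [], []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":
            if tok[2] in ("tcp", "udp"):
                # static (in,out) tcp OUT_IP OUT_PORT IN_IP IN_PORT netmask MASK
                statics.append(Static(tok[3], tok[5], tok[2], int(tok[4]), int(tok[6])))
            else:
                # static (in,out) OUT_IP IN_IP netmask MASK
                statics.append(Static(tok[2], tok[3]))
        elif tok[0] == "access-list" and tok[2] == "extended":
            # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            aces.append(Ace(tok[3], tok[4], src, dst, port))
    return statics, aces

def evaluate_inbound(cfg, proto: str, dst_ip: str, dst_port: int,
                     src_ip: str = "203.0.113.5") -> Tuple[str, str]:
    """Return ('permitted', 'inside_ip:port') or ('denied', reason) for an
    outside->inside packet addressed to the OUTSIDE (pre-NAT) destination."""
    statics, aces = cfg
    for a in aces:                                # step 1: interface ACL
        if a.proto not in ("ip", proto):
            continue
        if a.src_ip is not None and a.src_ip != src_ip:
            continue
        if a.dst_ip is not None and a.dst_ip != dst_ip:
            continue
        if a.dst_port is not None and a.dst_port != dst_port:
            continue
        if a.action != "permit":
            return ("denied", "explicit deny")
        break
    else:
        return ("denied", "implicit deny at end of access-list")
    for s in statics:                             # step 2: static translation
        if s.outside_ip != dst_ip:
            continue
        if s.proto is None:
            return ("permitted", f"{s.inside_ip}:{dst_port}")
        if s.proto == proto and s.outside_port == dst_port:
            return ("permitted", f"{s.inside_ip}:{s.inside_port}")
    return ("denied", f"no static translation for {dst_ip}")

def inside_addresses_in_outside_acl(cfg) -> List[Ace]:
    """The check the thread arrives at: entries in the outside interface's
    access-list that name an inside (real) address can never match."""
    statics, aces = cfg
    inside = {s.inside_ip for s in statics}
    return [a for a in aces if a.dst_ip in inside]

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for flow in [("tcp", "1.1.1.10", 25), ("tcp", "1.1.1.10", 80),
                 ("tcp", "1.1.1.11", 80), ("tcp", "2.2.2.11", 80),
                 ("tcp", "1.1.1.12", 443), ("udp", "1.1.1.12", 53)]:
        print(flow, "->", evaluate_inbound(cfg, *flow))
    for a in inside_addresses_in_outside_acl(cfg):
        print("misplaced ACE (inside address on outside interface):", a)
```

Running it shows SMTP to 1.1.1.10 reaching 2.2.2.10:25 while port 80 to the same outside address is dropped by the implicit deny, and that the entry for 2.2.2.11 never helps: traffic to 1.1.1.11 is denied by the ACL, and traffic addressed to 2.2.2.11 itself has no static to land on.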
03-20-2007 10:52 AM
This is possible on ASA.
Let's take an example. Assume you have addresses from 1.1.1.10-1.1.1.14 and you have 3 internal servers with IPs ranging from 2.2.2.10-2.2.2.12.
You want to have 1.1.1.14 as the IP address of the ASA outside interface and you want to direct traffic to 1.1.1.10-1.1.1.12 to the internal servers. Here's the configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.14 255.255.255.0
static (inside,outside) 1.1.1.10 2.2.2.10
static (inside,outside) 1.1.1.11 2.2.2.11
static (inside,outside) 1.1.1.12 2.2.2.12
Thus we used the ip address command in interface configuration mode to give an IP address to the Ethernet0 interface of the ASA, and static commands to divert traffic from the rest of the public IP addresses to the internal servers.
Hope this helps.
Regards,
Vibhor.
03-20-2007 11:02 AM
Yes, that should work!
One more complication, however: how can I constrain a given tuple (such as 2.2.2.10 to 1.1.1.10) to only pass a particular protocol (e.g., http)?
BTW: if it's not obvious, I'm a newbie... I just unpacked the 5510 and am trying to determine if I can make it do what we need. The command-line interface is a bit overwhelming, but ASDM doesn't look like it supports much except basic configuration...
03-20-2007 12:10 PM
Well, I figured out how to pass a specific protocol, but now I'm stuck on a new problem...
Using the ASDM 5.0 NAT page, I define a static translation rule for outside address x, port 25 to be translated to inside address y, port 25.
Then I assume I need to define a "permit" rule, so I go to Security Policy Access Rules and permit outside host x to inside destination host y, specifying tcp/smtp for both.
But when I try to add the access rule, it says that "No NAT rule is configured for host y on the Inside interface from Outside interface". If I then click OK it configures a new static NAT of Inside Y to Outside Y (yes, the same address!) which makes absolutely no sense.
03-21-2007 07:39 AM
Thank you!
I read Chapters 13-15 of the 7.0(4) Command Line Config Guide last night (more than once), and it slowly sunk in where I had gone wrong. In particular, the statement on p. 13-3 that says "you need to use addresses [in an access list] that are valid on the network connected to the interface."
And your example confirms my (new) understanding.
Thanks again,
DT