
isa
New Member

Passing traffic from single external IP to multiple internal IPs

We're transitioning from a Symantec SGS to a Cisco ASA 5505, and I'm running into a lot of trouble replicating our configuration for incoming traffic. We presently have a setup something like this:

(Obviously I'm picking a bunch of arbitrary numbers here.)

1.2.3.4 port a --> 10.1.0.1 port a
1.2.3.4 port b --> 10.1.0.5 port b
1.2.3.4 port x --> 10.1.0.20 port p
1.2.3.4 port y --> 10.1.0.21 port p
1.2.3.4 port z --> 10.1.0.22 port p

1.2.3.4 is the single external IP that we use for passing traffic through, and 10.1.0.x are the internal hosts. x, y, and z are arbitrarily-selected ports in a sequence.

I'm trying to do this via the ASDM. The ASA is running software 9.1(2) and I'm using ASDM 7.1(3). I'm primarily trying to accomplish this using Configuration > Firewall > Public Servers.

What I'm doing is this:

  1. In Configuration > Firewall > Objects > Network Objects/Groups, create objects for the external IP and for all of the internal hosts.
  2. In Configuration > Firewall > Objects > Service Objects/Groups, create TCP objects for ports x y z, as well as a TCP object for port p (which isn't in the default set). The protocols on ports a and b are in the default set, so they don't need to be defined.
  3. In Configuration > Firewall > Public Servers, add a series of public server entries with the external host as the public IP address, the external interface as the Public Interface, the internal interface as the Private Interface, the host in question as the Private IP Address, and in the case of the first two entries, the protocol selected as the private service. In the case of the last three entries, I'm also selecting "Specify public address if different from Private Service. This will enable the static PAT." I then select the service associated with port p as the Private Service and the service associated with ports x, y, or z (respectively) as the Public Service.

...or at least, that's what I'm trying to do. I run into the following problems:

  1. If I don't use "Specify public address if different from private service", the first mapping I make works fine and passes traffic properly. If I do, it doesn't work. (I'm testing it by attempting to connect from outside, and I get a connection in the former scenario but not in the latter scenario. I usually pick tcp/aol as my test "public service", and attempt to connect to the external IP on port 5190, which is the port for tcp/aol.)
  2. The moment I try to make a second mapping, the system rejects it saying "the server address configuration overlaps with an existing translation rule".
  3. Even if it worked, when I select "Specify public address if different from private service," it only shows me the list of built-in service objects, not any that I've created. This isn't really the end of the world -- I could just hijack a series of services we're not using -- but it would be nice if I could actually get the ports my users are already using so that I could do a transparent swap rather than giving them all new connection information.

Any thoughts would be greatly appreciated. I'm assuming that I'm missing something fairly obvious, but I'm not that knowledgeable about the Cisco ASA family at this point, so I could probably use some pointers on getting this working.

Thank you!


5 REPLIES
Super Bronze

Passing traffic from single external IP to multiple internal IPs

Hi,

There is something really weird going on with the end of your post. The second section of numbered points has its text completely messed up. The lines of text are on top of each other.

I don't personally use the ASDM at all to configure ACL and NAT configurations.

I could help out with the CLI format configuration though.

Seems you are attempting to configure Static PAT (Port Forwarding) for multiple internal hosts using the single public IP address that will be on the ASA's external interface.

In general you could use this format for all the NAT configurations:

object network <object-name>
 host <internal-ip>
 nat (inside,outside) static interface service tcp <internal-port> <public-port>

Naturally the interface names can be different and it could be "udp" instead of "tcp". Also since you might be configuring a lot of these I would suggest coming up with a clear naming policy for your "object network" so they are easy to read and specify the purpose.

Each "object" created could be used on your external interface ACL to allow traffic. Though if you are going to configure a lot of these Static PAT configurations and there are several ports for same host then it might be easier to make different "object" to be used in the ACL or it might get messy.

A basic ACL rule corresponding to the above "nat" configuration could look like:

access-list <acl-name> permit tcp any object <object-name> eq <internal-port>

Again the above ACL might look different in your use. You might want to limit traffic from certain source addresses, which would mean multiple lines of ACL.

Hope this helps

- Jouni
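To make the template above concrete, here is an added example (my own code, not from this thread and not Cisco's): a small Python script that takes a mapping table like the one in the question and emits the object network / nat / access-list / access-group lines in the form shown above. Before rendering, it checks the table for the one collision that makes two port-forwards on the same interface IP conflict (the same protocol and public port used twice), so the overlap is caught before the ASA rejects the rule. The host addresses, port numbers and object names are constructed sample values, and the ACL name OUTSIDE_IN is an arbitrary choice.

```python
"""Generate Cisco ASA static PAT (port-forward) configuration from a mapping
table, checking first for public-port collisions between entries.

Added example for this thread; not the poster's or Cisco's code. All hosts,
ports and names below are constructed sample values."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class PortForward:
    name: str           # ASA "object network" name
    internal_ip: str    # real (inside) host address
    protocol: str       # "tcp" or "udp"
    internal_port: int  # real port the service listens on
    public_port: int    # port exposed on the outside interface IP


def validate_forwards(forwards):
    """Return a list of problems; an empty list means the table is consistent."""
    errors = []
    public_ports = {}   # (protocol, public_port) -> object name that owns it
    names = set()
    for f in forwards:
        if f.protocol not in ("tcp", "udp"):
            errors.append(f"{f.name}: protocol must be tcp or udp, got {f.protocol!r}")
        try:
            ipaddress.ip_address(f.internal_ip)
        except ValueError:
            errors.append(f"{f.name}: invalid internal address {f.internal_ip!r}")
        for label, port in (("internal", f.internal_port), ("public", f.public_port)):
            if not 1 <= port <= 65535:
                errors.append(f"{f.name}: {label} port {port} is out of range")
        if f.name in names:
            errors.append(f"{f.name}: object name used twice")
        names.add(f.name)
        key = (f.protocol, f.public_port)
        if key in public_ports:
            # Two static PATs on the same interface IP cannot share a
            # protocol/port pair; the ASA reports an overlapping translation.
            errors.append(
                f"{f.name}: public {f.protocol}/{f.public_port} overlaps with "
                f"{public_ports[key]}")
        else:
            public_ports[key] = f.name
    return errors


def render_asa_config(forwards, acl_name="OUTSIDE_IN",
                      inside="inside", outside="outside"):
    """Emit object/nat lines, one ACL entry per forward, and a single
    access-group binding, following the template given in the thread."""
    errors = validate_forwards(forwards)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for f in forwards:
        lines.append(f"object network {f.name}")
        lines.append(f" host {f.internal_ip}")
        lines.append(f" nat ({inside},{outside}) static interface service "
                     f"{f.protocol} {f.internal_port} {f.public_port}")
    for f in forwards:
        # Post-8.3 ASA ACLs match the real (untranslated) address and port.
        lines.append(f"access-list {acl_name} extended permit {f.protocol} "
                     f"any object {f.name} eq {f.internal_port}")
    lines.append(f"access-group {acl_name} in interface {outside}")
    return "\n".join(lines)


# Constructed sample table mirroring the five mappings in the question:
# ports a, b, x, y, z and p are stand-ins chosen here, not real site values.
SAMPLE_FORWARDS = [
    PortForward("web-http", "10.1.0.1", "tcp", 80, 80),
    PortForward("web-https", "10.1.0.5", "tcp", 443, 443),
    PortForward("app1-foo", "10.1.0.20", "tcp", 5280, 2000),
    PortForward("app2-foo", "10.1.0.21", "tcp", 5280, 2001),
    PortForward("app3-foo", "10.1.0.22", "tcp", 5280, 2002),
]

if __name__ == "__main__":
    print(render_asa_config(SAMPLE_FORWARDS))
```

The generated ACL entries reference the object and the real (internal) port, which is what the ASA expects in 8.3 and later, and the access-group line is emitted exactly once because only one inbound ACL can be bound to an interface. The generator also deliberately uses the "extended" keyword so the output matches what the ASA stores in its running configuration.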

isa
New Member

Passing traffic from single external IP to multiple internal IPs

Thank you! I'm not sure what's going on with the second list, as it's displaying correctly in my browser. That said, it's probably not crucial, as it was just the list of issues I was hitting trying to do this with the ASDM.

Your summary sounds accurate. I have to admit that I've never used the CLI past the initial set up you have to do to get the device up and running. I hope it's okay if I ask you a bunch of questions, given that?

So, suppose I have an internal host called, say, Tiger, at 10.1.2.24 with a service called, say, Foo, running on tcp port 5280, and the ASA's external IP is 1.2.3.4, and I want to use tcp port 2000 on that external IP as the point the user connects to from the outside.

For these values, I would use these commands:

object network tiger-foo-passthrough
 host 10.1.2.24
 nat (inside,outside) static interface service tcp 5280 2000

access-list <acl-name> permit tcp any object tiger-foo-passthrough eq 5280

Obviously I wasn't sure what <acl-name> here was -- a new ACL name that I designate just for this mapping, or an existing ACL?

Aside from that last question, is that essentially correct?

Super Bronze

Passing traffic from single external IP to multiple internal IPs

Hi,

Configuration seems to match the description you gave.

The <acl-name> is the name of the ACL you have attached to the external interface of the ASA. You might already have an ACL attached to that interface, in which case you would use that ACL's name. If you don't have any ACL attached to "outside" yet then you could name the ACL what you want. You would add all the rules allowing external connections to your hosts to this same ACL, as you can only have a single ACL on a given ASA interface. (You could attach an ACL to the other direction on the same interface, but there is rarely need for such.)

So if I were to presume that above you were just adding the first Static PAT configuration and creating the ACL for the first time, then you would use this command to attach the ACL to your "outside" interface:

access-group <acl-name> in interface outside

It attaches the ACL with the name you chose to the interface "outside" in the direction "in". In other words, it checks traffic coming from behind the "outside" interface towards/inbound to it.

If you would like to check whether you have any ACLs already attached, you can use the command:

show run access-group

This will list the ACLs you have attached (if you have any at the moment).

Hope this helps

- Jouni

isa
New Member

Passing traffic from single external IP to multiple internal IPs

Thank you! That's very helpful. At present, I do not have any access lists attached to the outside interface, so this looks like it should be relatively straightforward. I'll see if I can make a go of it.

isa
New Member

Passing traffic from single external IP to multiple internal IPs

Thank you! I *finally* got a chance to try this today, and it worked like a charm!

2478 Views · 0 Helpful · 5 Replies