01-16-2012 01:40 PM - edited 03-11-2019 03:15 PM
Hi All,
I'm in a sort of "half way house" situation with an ASA running 8.3(1), a range of public IP addresses and a requirement to access many different internal hosts using a series of port forwarding options. I have read (and understand fully) the configs for port forwarding when the outside interface has a single public IP address, and I realise that I can only forward a particular port (say www) to one host internally, and conversely can forward many different ports to many different hosts via the same public IP address.
My confusion comes when I have multiple public IP addresses and want to forward (say) www to a particular internal host based on the target public IP address.
For example, my public addresses are 10.1.1.1 and 10.1.1.2, and my inside hosts are 192.168.0.1 and 192.168.0.2 and 192.168.0.3
If www traffic hits 10.1.1.1 I want it to NAT and go to 10.1.1.1 and likewise 10.1.1.2 should NAT to 192.168.0.2
If ftp traffic hits 10.1.1.2 I want it to go to 192.168.0.3
If smtp traffic hits 10.1.1.2 I want it to go to 192.168.0.3
So, the relevant bits of the config I am trying are like this:-
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252 (*Note: is this correct to start with?)
object network pub1
host 10.1.1.1
object network pub2
host 10.1.1.2
object network serv1
host 192.168.0.1
object network serv2
host 192.168.0.2
object network serv3-ftp
host 192.168.0.3
object network serv3-smtp
host 192.168.0.3
object network serv1
nat (inside,outside) static pub1 service tcp www www
object network serv2
nat (inside,outside) static pub2 service tcp www www
object network serv3-ftp
nat (inside,outside) static pub2 service tcp ftp ftp
object network serv3-smtp
nat (inside,outside) static pub2 service tcp smtp smtp
access-list outside_access_in extended permit tcp any object serv1 eq www
access-list outside_access_in extended permit tcp any object serv2 eq www
access-group outside_access_in in interface outside
This should work, right? Or am I missing something fundamental?
I am perfectly happy with one-to-one static NAT, but I've never tried PAT like this.
The other thing is, it seems that I can get it to work sometimes if I add an ACL to the inside interface, but I don't think I should need one?
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
Anybody else done this successfully, got any examples?
Unfortunately it's a bit difficult to test as the unit is remote to me and I have to get one of the users to do some reconfiguration on the network out of hours every time I need to try new things.
Any pointers greatly accepted.
Rgds
Simon
01-16-2012 09:42 PM
Hi,
object network serv1
nat (inside,outside) static pub1 service tcp www www
object network serv2
nat (inside,outside) static pub2 service tcp www www
object network serv3-ftp
nat (inside,outside) static pub2 service tcp ftp ftp
object network serv3-smtp
nat (inside,outside) static pub2 service tcp smtp smtp
access-list outside_access_in extended permit tcp any object serv1 eq www
access-list outside_access_in extended permit tcp any object serv2 eq www
access-group outside_access_in in interface outside
This configuration will do; you just need to add more statements as per the PAT configured.
However, a /30 on the outside interface will give you one IP address only. Either you should have a bigger range to get more IPs, or a static route pointing to the outside interface for the new range.
Once traffic is allowed from the lower security level to the higher, return traffic will be automatically allowed; no need to worry about the inside ACL.
Thanks
Ajay
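An added check for the point made in the reply above (my own example, not from either poster): on ASA 8.3 and later the interface ACL is matched against the real inside object and real port, so every static PAT line needs its own permit, and no two rules may claim the same public object, protocol and mapped port. It assumes the object NAT lines sit under their `object network` heading as in the question, and uses a constructed copy of the question's NAT and ACL lines as input.

```python
import re

# Constructed sample input: the object NAT and outside ACL lines from the question.
SAMPLE_CONFIG = """
object network serv1
 nat (inside,outside) static pub1 service tcp www www
object network serv2
 nat (inside,outside) static pub2 service tcp www www
object network serv3-ftp
 nat (inside,outside) static pub2 service tcp ftp ftp
object network serv3-smtp
 nat (inside,outside) static pub2 service tcp smtp smtp
access-list outside_access_in extended permit tcp any object serv1 eq www
access-list outside_access_in extended permit tcp any object serv2 eq www
"""

# Assumed patterns covering only the static-PAT and object-based permit forms used here.
NAT_RE = re.compile(r"^\s*nat \(\S+,\S+\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"^\s*access-list \S+ extended permit (tcp|udp) any object (\S+) eq (\S+)")


def parse_static_pat(config):
    """Return (real_obj, proto, real_port, mapped_obj, mapped_port) per PAT line."""
    rules, current = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]          # nat lines belong to this object
        elif (m := NAT_RE.match(line)) and current:
            mapped_obj, proto, real_port, mapped_port = m.groups()
            rules.append((current, proto, real_port, mapped_obj, mapped_port))
    return rules


def missing_acl_entries(config):
    """PAT rules with no inbound permit on the REAL object and real port (8.3+ semantics)."""
    allowed = {m.groups() for m in map(ACL_RE.match, config.splitlines()) if m}
    return [(proto, obj, rport) for obj, proto, rport, _, _ in parse_static_pat(config)
            if (proto, obj, rport) not in allowed]


def mapped_port_collisions(config):
    """Report rules that reuse a (public object, proto, mapped port) already taken."""
    owner, dupes = {}, []
    for obj, proto, _, mobj, mport in parse_static_pat(config):
        key = (mobj, proto, mport)
        if key in owner:
            dupes.append((key, owner[key], obj))   # second claimant of the same slot
        else:
            owner[key] = obj
    return dupes
```

On the sample it reports that serv3-ftp/ftp and serv3-smtp/smtp have no permit in outside_access_in, and finds no mapped-port collisions.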