Static PAT, port forwarding

Azubuike Obiora
Level 1

Hello Experts,

I have a bit of a challenge that I need your input on. First off, I was just helping out a friend with this configuration, and then he put more than I can chew in my mouth. So I need help to see how best I can get this resolved with the Cisco ASA.

Attached is a drawing of two different scenarios.

The first scenario works perfectly, as I have static NAT going for both servers using two different IP addresses. Both servers on the DMZ can be reached over the internet using different external IP addresses and the ports allowed on the servers. Sections are built with twice NAT; see the config below.

object network DMZ_MAILEDGE_SERVER1
 host 172.16.1.2
!
object network DMZ_MAILEDGE_SERVER2
 host 172.16.1.3
!
object network DMZ_EGDE1
 host 12.12.13.2
!
object network DMZ_EGDE2
 host 12.12.13.3
!
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER1 DMZ_EGDE1 description *** STATIC NAT FOR MAIL SERVER 1 ***
!
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER2 DMZ_EGDE2 description *** STATIC NAT FOR MAIL SERVER 2 ***

Below is the access-list:

access-list outside_access_in line 6 extended permit udp any object DMZ_MAILEDGE_SERVER1 eq domain (hitcnt=0) 0x8537fcbb
access-list outside_access_in line 6 extended permit udp any host 172.16.1.2 eq domain (hitcnt=21) 0x8537fcbb
access-list outside_access_in line 7 extended permit tcp any object DMZ_MAILEDGE_SERVER1 eq smtp (hitcnt=0) 0xef52a116
access-list outside_access_in line 7 extended permit tcp any host 172.16.1.2 eq smtp (hitcnt=6) 0xef52a116
access-list outside_access_in line 8 extended deny ip any object DMZ_MAILEDGE_SERVER1 (hitcnt=0) 0x0032faa5
access-list outside_access_in line 8 extended deny ip any host 172.16.1.2 (hitcnt=1983) 0x0032faa5
access-list outside_access_in line 9 extended permit tcp any object DMZ_MAILEDGE_SERVER2 eq https (hitcnt=0) 0x67a318d7
access-list outside_access_in line 9 extended permit tcp any host 172.16.1.3 eq https (hitcnt=494) 0x67a318d7
access-list outside_access_in line 10 extended deny ip any object DMZ_MAILEDGE_SERVER2 (hitcnt=0) 0x7c202607
access-list outside_access_in line 10 extended deny ip any host 172.16.1.3 (hitcnt=1748) 0x7c202607

As you can see, this works like a champ, no issues at all!

But now I have been asked to implement scenario 2, whereby the NAT would be on one public IP only, with ports opened for both inside servers.

Now I am not sure the Cisco ASA has the dexterity to allow me to static NAT one public IP for two servers and open ports for them. Like I said, I am not sure, but I am willing to be corrected on my thoughts.

I would appreciate any suggestions from anyone that could give me a clue of how to get this resolved.

Thanks

Tedd

3 Accepted Solutions


vishaw jasrotia
Level 1

Hello

Please go through the following link:

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps you.

Thanks


Julio Carvajal
VIP Alumni

Hello Teddy,

Hopefully I understood it correctly, but it would be:

object network Inside-Server-1
 host 172.16.1.2
object network Inside-Server-2
 host 172.16.1.3
object network Outside1
 host 12.12.13.2
object service SMTP
 service tcp source eq 25
object service HTTPS
 service tcp source eq 443
nat (inside,outside) 1 source static Inside-Server-1 Outside1 service SMTP SMTP
nat (inside,outside) 1 source static Inside-Server-2 Outside1 service HTTPS HTTPS
access-list outside_access_in extended permit tcp any host 172.16.1.3 eq 443
access-list outside_access_in extended permit tcp any host 172.16.1.2 eq 25

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

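As an added check for the single-public-IP design in the accepted answer (not part of the thread and not an ASA tool), this Python script parses object and NAT lines in the shape Julio posted and reports any public IP/port pair that two different real hosts claim, which is the overlap a per-port static PAT layout must avoid. The configuration text below is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the accepted answer; not a device dump.
SAMPLE_CONFIG = """\
object network Inside-Server-1
 host 172.16.1.2
object network Inside-Server-2
 host 172.16.1.3
object network Outside1
 host 12.12.13.2
object service SMTP
 service tcp source eq 25
object service HTTPS
 service tcp source eq 443
nat (inside,outside) 1 source static Inside-Server-1 Outside1 service SMTP SMTP
nat (inside,outside) 1 source static Inside-Server-2 Outside1 service HTTPS HTTPS
"""

NAT_RE = re.compile(
    r"nat \(\S+\)\s+(?:\d+\s+)?source static\s+(\S+)\s+(\S+)\s+service\s+(\S+)\s+(\S+)")

def parse_objects(cfg):
    """Map network object names to a host IP and service object names to (proto, port)."""
    hosts, services, cur = {}, {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"object (network|service) (\S+)$", line)
        if m:
            cur = m.groups()
        elif cur and cur[0] == "network" and line.startswith("host "):
            hosts[cur[1]] = line.split()[1]
        elif cur and cur[0] == "service":
            m = re.match(r"service (tcp|udp) source eq (\S+)$", line)
            if m:
                services[cur[1]] = (m.group(1), m.group(2))
    return hosts, services

def public_port_map(cfg):
    """Return {(public_ip, proto, mapped_port): [real_host, ...]} for each static PAT rule."""
    hosts, services = parse_objects(cfg)
    table = defaultdict(list)
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        real, mapped, _real_svc, mapped_svc = m.groups()
        proto, port = services[mapped_svc]  # mapped service = port seen from outside
        table[(hosts[mapped], proto, port)].append(hosts[real])
    return dict(table)

def find_collisions(cfg):
    """Public (ip, proto, port) tuples claimed by more than one real host."""
    return {k: v for k, v in public_port_map(cfg).items() if len(v) > 1}
```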

4 Replies


Hi guys!

@Julio Thanks a lot! You are absolutely correct about it! It works like a champ!!!

@Vishaw Thanks for sharing the document! Much appreciated!

Always welcome...
