01-29-2014 02:54 PM - edited 03-11-2019 08:38 PM
Hello Experts,
I have a bit of a challenge that I would need your input on. First off, I was just helping out a friend with this configuration and then he put more than I can chew right in my mouth. So I would need help to see how best I can get this resolved with the Cisco ASA.
Attached is a drawing of two different scenarios.
The first scenario works perfectly as I have static NAT going for both servers using two different IP addresses. Both servers on the DMZ can be reached over the internet using different external IP addresses and the ports allowed on the servers. Sections are built with twice NAT; see the config below.
object network DMZ_MAILEDGE_SERVER1
host 172.16.1.2
!
object network DMZ_MAILEDGE_SERVER2
host 172.16.1.3
!
object network DMZ_EGDE1
host 12.12.13.2
!
object network DMZ_EGDE2
host 12.12.13.3
!
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER1 DMZ_EGDE1 description *** STATIC NAT FOR MAIL SERVER 1 ***
!
nat (dmz,outside) source static DMZ_MAILEDGE_SERVER2 DMZ_EGDE2 description *** STATIC NAT FOR MAIL SERVER 2 ***
Below is the access-list:
access-list outside_access_in line 6 extended permit udp any object DMZ_MAILEDGE_SERVER1 eq domain (hitcnt=0) 0x8537fcbb
access-list outside_access_in line 6 extended permit udp any host 172.16.1.2 eq domain (hitcnt=21) 0x8537fcbb
access-list outside_access_in line 7 extended permit tcp any object DMZ_MAILEDGE_SERVER1 eq smtp (hitcnt=0) 0xef52a116
access-list outside_access_in line 7 extended permit tcp any host 172.16.1.2 eq smtp (hitcnt=6) 0xef52a116
access-list outside_access_in line 8 extended deny ip any object DMZ_MAILEDGE_SERVER1 (hitcnt=0) 0x0032faa5
access-list outside_access_in line 8 extended deny ip any host 172.16.1.2 (hitcnt=1983) 0x0032faa5
access-list outside_access_in line 9 extended permit tcp any object DMZ_MAILEDGE_SERVER2 eq https (hitcnt=0) 0x67a318d7
access-list outside_access_in line 9 extended permit tcp any host 172.16.1.3 eq https (hitcnt=494) 0x67a318d7
access-list outside_access_in line 10 extended deny ip any object DMZ_MAILEDGE_SERVER2 (hitcnt=0) 0x7c202607
access-list outside_access_in line 10 extended deny ip any host 172.16.1.3 (hitcnt=1748) 0x7c202607
As you can see, this works like a champ, no issues at all!
But now I have been asked to implement scenario 2, whereby the NAT would be on one public IP only and ports opened for both inside servers.
Now I am not sure the Cisco ASA has such dexterity as to allow me to static NAT two servers on one public IP and open ports for them. Like I said, I am not sure, but I am willing to be corrected in my thoughts.
I would appreciate any suggestions from anyone who could give me a clue of how to get this resolved.
Thanks
Tedd
01-29-2014 08:28 PM
Hello
Please go through the following link:
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps you.
Thanks
01-29-2014 10:21 PM
Hello Teddy,
Hopefully I understood it correctly, but it would be:
object network Inside-Server-1
host 172.16.1.2
object network Inside-Server-2
host 172.16.1.3
object network Outside1
host 12.12.13.2
object service SMTP
service tcp source eq 25
object service HTTPS
service tcp source eq 443
nat (inside,outside) 1 source static Inside-Server-1 Outside1 service SMTP SMTP
nat (inside,outside) 1 source static Inside-Server-2 Outside1 service HTTPS HTTPS
access-list outside_access_in extended permit tcp any host 172.16.1.3 eq 443
access-list outside_access_in extended permit tcp any host 172.16.1.2 eq 25
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
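The single-public-IP port forward in Julio's answer, modelled as an added Python example (not the thread's or Cisco's code). The script parses the NAT and access-list lines, resolves an inbound packet the way an ASA running 8.3 or later does (untranslate first, then evaluate the interface ACL against the real, private address), and flags two NAT rules that both claim the same public IP and port. Object and interface names are the thread's; the trailing `deny ip any any` ACL line, the "wrong" ACL that names the public IP, the clashing NAT line and the test packets are constructed for the example.

```python
"""Model of ASA twice-NAT port forwarding on one public IP (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "https": 443, "http": 80, "domain": 53}

# Julio's objects and NAT rules from the thread.
NAT_LINES = """
object network Inside-Server-1
 host 172.16.1.2
object network Inside-Server-2
 host 172.16.1.3
object network Outside1
 host 12.12.13.2
object service SMTP
 service tcp source eq 25
object service HTTPS
 service tcp source eq 443
nat (inside,outside) 1 source static Inside-Server-1 Outside1 service SMTP SMTP
nat (inside,outside) 1 source static Inside-Server-2 Outside1 service HTTPS HTTPS
"""
# Correct ACL: it names the REAL (private) hosts, as 8.3+ requires; final deny is constructed.
ACL_GOOD = """
access-list outside_access_in extended permit tcp any host 172.16.1.2 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.1.3 eq https
access-list outside_access_in extended deny ip any any
"""
# Constructed mistake: the ACL names the public IP, which never matches after untranslation.
ACL_BAD = """
access-list outside_access_in extended permit tcp any host 12.12.13.2 eq smtp
access-list outside_access_in extended deny ip any any
"""
# Constructed clash: a second server also claiming tcp/25 on the same public IP.
NAT_CLASH = NAT_LINES + "nat (inside,outside) 1 source static Inside-Server-2 Outside1 service SMTP SMTP\n"


@dataclass
class NatRule:
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int


@dataclass
class AclEntry:
    action: str
    proto: str
    dst: str              # "any" or a host IP
    port: Optional[int]   # None when no "eq" clause


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text: str):
    """Extract network objects, service objects, twice-NAT rules and ACL entries."""
    hosts: Dict[str, str] = {}
    services: Dict[str, Tuple[str, int]] = {}
    nats: List[NatRule] = []
    acl: List[AclEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object (network|service) (\S+)", line):
            current = (m.group(1), m.group(2))
        elif (m := re.match(r"host (\S+)", line)) and current and current[0] == "network":
            hosts[current[1]] = m.group(1)
        elif (m := re.match(r"service (tcp|udp) source eq (\S+)", line)) and current and current[0] == "service":
            services[current[1]] = (m.group(1), port_num(m.group(2)))
        elif m := re.match(r"nat \(\S+\) (?:\d+ )?source static (\S+) (\S+) service (\S+) (\S+)", line):
            real_obj, mapped_obj, rsvc, msvc = m.groups()
            proto, rport = services[rsvc]
            nats.append(NatRule(hosts[real_obj], hosts[mapped_obj], proto, rport, services[msvc][1]))
        elif m := re.match(r"access-list \S+ extended (permit|deny) (\S+) any (any|host \S+)(?: eq (\S+))?", line):
            action, proto, dst, port = m.groups()
            acl.append(AclEntry(action, proto, dst.replace("host ", ""), port_num(port) if port else None))
    return hosts, services, nats, acl


def find_overlaps(nats: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Two rules mapping the same (public IP, proto, port) to different servers: only the first ever matches."""
    seen: Dict[Tuple[str, str, int], NatRule] = {}
    clashes = []
    for r in nats:
        key = (r.mapped_ip, r.proto, r.mapped_port)
        if key in seen and seen[key].real_ip != r.real_ip:
            clashes.append((seen[key], r))
        seen.setdefault(key, r)
    return clashes


def untranslate_inbound(nats: List[NatRule], mapped_ip: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
    """Inbound packet to (public IP, port) -> (real IP, real port); first matching NAT rule wins."""
    for r in nats:
        if (r.mapped_ip, r.proto, r.mapped_port) == (mapped_ip, proto, dport):
            return r.real_ip, r.real_port
    return None


def acl_permits(acl: List[AclEntry], proto: str, real_ip: str, real_port: int) -> bool:
    """8.3+ semantics: the inbound interface ACL is evaluated against the real (untranslated) address."""
    for e in acl:
        if e.proto not in ("ip", proto) or (e.dst != "any" and e.dst != real_ip):
            continue
        if e.port is not None and e.port != real_port:
            continue
        return e.action == "permit"
    return False  # implicit deny at the end of every ASA ACL


def inbound_decision(config_text: str, mapped_ip: str, proto: str, dport: int):
    """Return ("permit"|"deny"|"no-nat", (real_ip, real_port) or None) for one inbound packet."""
    _, _, nats, acl = parse_config(config_text)
    real = untranslate_inbound(nats, mapped_ip, proto, dport)
    if real is None:
        return "no-nat", None
    return ("permit" if acl_permits(acl, proto, real[0], real[1]) else "deny"), real


if __name__ == "__main__":
    for port in (25, 443, 80):
        print(port, inbound_decision(NAT_LINES + ACL_GOOD, "12.12.13.2", "tcp", port))
    print("ACL on public IP:", inbound_decision(NAT_LINES + ACL_BAD, "12.12.13.2", "tcp", 25))
    print("clashes:", find_overlaps(parse_config(NAT_CLASH + ACL_GOOD)[2]))
```

The two checks worth keeping from this are the ones the thread's configs rely on implicitly: the ACL must reference the private addresses (an entry written against 12.12.13.2 silently falls through to the deny), and port-based twice NAT on one public IP only works while every mapped IP/port pair belongs to exactly one real server.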
01-30-2014 07:50 PM
Always welcome...
01-30-2014 02:05 AM
Hi Guys!
@ Julio Thanks a lot! You are absolutely correct about it! It works like a champ!!!
@ Vishaw thanks for sharing the document! Much appreciated!