we have a 5520 ASA and we need use NAT to a DMZ server. Users from outside should access to http port and DMZ server listen in 8080. For Corporative users (LAN, Remote branch office and VPN Remote-USers) server listen in port 80 (they attack to public address port 80 too).
We think use Static Policy NAT Rule in order to translate <internal_server_Addres>:8080 port to <public_server_Addres>:80 for destination "any" and other rule for <internal_server_Addres>:80 port to <public_server_Addres>:80 to the IP list of corporative users (LAN, Remote users...)
It doesn´t work configuring DMZ51_nat_static_1 with deny rules for corporative users ("ERROR: access-list has deny statements" from CLI) nor create a static nat rule for specific destionation and other different rule for "any" destination (overlapping rule warning).
It is the actual configuracion (all traffic <internal_server_Addres>:8080 port to <public_server_Addres>:80 without exceptions)
access-list DMZ51_nat_static_1 extended permit tcp host <PRIVATE IP ADDRESS> eq 8080 any
static (DMZ51,outside) tcp <PUBLIC IP ADDRESS> www access-list DMZ51_nat_static_1
Any idea how can I that we need?
What you saw is expected.
1. You cannot add deny lines in policy ACL.
2. You cannot add ports and protocols in a nat exemption ACL.
Now, I can understand the outside users accessing the DMZ server using the public address. Do the LAN, VPN users and Remote branch also address the DMZ server with the public address? If so, this traffic will be seen on the outside of the ASA? How come?
Would you draw a little toplogy for us? Where are the Remote Branches?
The LAN users should access the DMZ servers using their inside address. So just this static
static (D,O) tcp p.p.p.p 80 d.d.d.d 8080
where p.p.p.p - is the public address
d.d.d.d - is the dmz real address
Hi, thanks for your answer.
Kusankar, everybody access to the server with the Public IP Address, the differenc is that Users from Internet access to port 80 and it is redirect to private-IP port 8080 and the rest users (remote users, remote branch and LAN) access to public IP address port 80 and we only need IP translatation to real IP in the DMZ server withouth port translation. When we don´t use port translation everything work fine. Remote users access to the DMZ accross outside (Internet).
The topology is as you say:
inside LAN------(in)ASA(out)----Internet (remote users, branch office, internet users)
(inside users) |
I am trying use policy nat rule in order to say that port redirection with NAT is use when the destination of the packet is for "any" IP in outside interface and only NAT(withouth port redirection) is used for known ip (vpn remote users and branch offices) but I don´t know how do it. When I configure it from ASDM, it say that there is an overlapping rule (one policy nat rule is with destination "any" and the other one if for known ip using the same external interface)
If you want specific user groups to access specific ports, you could use policy NAT.
access-list Corp permit tcp
access-list Gen permit tcp
static (DMZ,outside) tcp
static (DMZ,outside) tcp
Hope this helps.
Message was edited by: Nagaraja Thanthry
Hi, thank you but I cannot configure it from CLI. I receive the following error:"ERROR: mapped-address conflict with existing static"
I am using version 8.0(4). Any idea?
The error you are saying is expected because we are using the same public IP and port configuration in both the statics (P.P.P.P:80).
I am still a bit confused with the requirement. The web server that you have assuming the public IP is going to be P.P.P.P, you want remote users, corporate network, etc to access it using regular url "http://P.P.P.P" but for internet users, they should be accessing it using the url "http://P.P.P.P:8080"
Please let me know if the above is your requirement or if i am wrong in my understanding.
all users access to (<80>). For general users (unknow IPs) the NAT should do a PAT and translate:80>
<80> to <8080>8080>80>
for known ip ranges (inside, remote branch..) the ASA only shoul translate the IP keeping the same port
<80> to <80>80>80>
I don´t understand why using policy nat rule i cannot do it. I understood policy nat rules were employed when you need different NAT behaviour based on the destination of the packet and It is that we are doing in this case... For some known IP only Static NAT and for the rest of IP (Any) NAT+PAT with the same public address in both cases and the same interfaces (DMZ-outside)
Thank you for your help and time.
Unfortunately this will not work.
You need unique port numbers.
You cannot do
80 to 80
80 to 8080
You probably need to ask one batch of users to use http://x.x.x.x:8080 when they try to access.
The mains purpose of policy NAT is to translate a set of inside users to different public IPs and/or ports when accessing different locations. Now in our case, the translated IP:port combination is going to be the same while the inside IP:port combination is going to be different. I am afraid the ASA will not accept 2 statics with the same translated IP:port combination.
Ok, I understand it is not possible using policy nat rule with the same public-ip:port. Have somebody any other idea to do that we need: Using one public IP and port, it will be translate to different internal port depending the IP address who do the request?