Cisco Support Community
New Member

Can you do DMZ and NAT/PAT with a single public IP address on ASA5520?

Hi,

Can you do DMZ and NAT/PAT with a single public IP address on ASA5520? I have an uplink in PPPoE and have only one public IP address. I would like to put an anti-spam server (e.g. A.B.C.44) in the DMZ, and there are a number of servers (e.g. X.Y.Z.1, X.Y.Z.2 and X.Y.Z.3) that I want to NAT/PAT. Could someone please suggest how it should be implemented?

Two site-to-site IPSec tunnels have also been configured on this ASA.

Thanks to everyone in advance for your knowledge sharing.

Regards,

Lay

5 REPLIES

Re: Can you do DMZ and NAT/PAT with a single public IP address o

Lay,

You can do it. You need to configure what are called static NAT port translations.

For example, let's say your public IP is 69.222.73.50

static (dmz,outside) tcp 69.222.73.50 25 A.B.C.44 25 netmask 255.255.255.255

! This static NAT port translation allows SMTP from the outside to your anti-spam server in the DMZ.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 443 X.Y.Z.2 443 netmask 255.255.255.255

! Here we create a couple of static NAT port translations to allow HTTP to one server and HTTPS to another.

There is always a gotcha. You cannot reuse ports that are already in use. For example, it is forbidden to have these two statements together.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.2 80 netmask 255.255.255.255

! We are using port 80 on the outside and translating to two internal servers. This is not allowed. You can use one of them but not both.

There is a "workaround". You can translate one port to another.

static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp 69.222.73.50 8080 X.Y.Z.2 80 netmask 255.255.255.255

! In your web browser you would have to use http://69.222.73.50:8080

Hope it helps
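An added example, not Collin's configuration or Cisco's documentation: the same single-public-IP port translations written in the object NAT syntax that ASA 8.3 and later use. This matters here because the `static` command shown above is pre-8.3 syntax and is not accepted on 8.3(1), the version Lay reports later in this thread. It assumes the thread's interface names (inside, dmz, outside) and placeholder addresses (A.B.C.44, X.Y.Z.1, X.Y.Z.2); the object names and the ACL name OUTSIDE_IN are made up for the example. Because the outside address comes from PPPoE, the `interface` keyword is used instead of a hard-coded public IP.

```cisco
! Added example (not from this thread): ASA 8.3+ object NAT form of the
! single-public-IP port translations discussed above. Object names and the
! ACL name are constructed; addresses are the thread's placeholders.

! SMTP from the outside to the anti-spam server in the DMZ
object network dmz-antispam-smtp
 host A.B.C.44
 nat (dmz,outside) static interface service tcp 25 25

! HTTP to the first inside server
object network inside-web1-http
 host X.Y.Z.1
 nat (inside,outside) static interface service tcp 80 80

! HTTPS to the second inside server (outside port 443, so no clash with 80)
object network inside-web2-https
 host X.Y.Z.2
 nat (inside,outside) static interface service tcp 443 443

! The "workaround" from the reply: the second server's HTTP is reached on
! outside port 8080, because outside port 80 is already taken by X.Y.Z.1.
! Syntax is "service tcp <real_port> <mapped_port>".
object network inside-web2-http-8080
 host X.Y.Z.2
 nat (inside,outside) static interface service tcp 80 8080

! From 8.3 onward the inbound ACL matches the real (untranslated) addresses,
! not the public one. Permit only the translated ports, nothing else.
access-list OUTSIDE_IN extended permit tcp any host A.B.C.44 eq 25
access-list OUTSIDE_IN extended permit tcp any host X.Y.Z.1 eq 80
access-list OUTSIDE_IN extended permit tcp any host X.Y.Z.2 eq 443
access-list OUTSIDE_IN extended permit tcp any host X.Y.Z.2 eq 80
access-group OUTSIDE_IN in interface outside
```

The port-clash rule from the reply still applies in this form: two objects that both map to `interface` on outside TCP port 80 conflict and the second one is rejected, which is why the second HTTP server gets 8080. Keeping the ACL limited to the four translated ports means the public address exposes nothing beyond what was deliberately published.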

New Member

Re: Can you do DMZ and NAT/PAT with a single public IP address o

Really appreciate your help, Collin. Would I be able to continue my ASDM management (https) from the "inside" interface? Last time, I was no longer able to do that until I undid the NAT statement for the DMZ. My statement might not have been correct somehow. Will do and let you know.

Regards.

Lay

Re: Can you do DMZ and NAT/PAT with a single public IP address o

You should not lose your ASDM access, especially on the DMZ nat.

New Member

Re: Can you do DMZ and NAT/PAT with a single public IP address o

Hi Collin,

Thanks again for your time. I have managed to put the anti-spam server in the DMZ and the web server / mail server in the inside network. They work correctly with NAT and PAT, and so does the VPN. But I am getting access denied for SSH connections. I can't SSH into the box from inside or DMZ although I have the following:

ASA Version 8.3(1)

ASA(config)#crypto key generate rsa modulus 1024
ASA(config)#wr

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5

I was prompted to enter a username and password but keep getting access denied. Could you please advise me on this SSH issue?

Regards,

Lay

New Member

Re: Can you do DMZ and NAT/PAT with a single public IP address o

Hi Collin

Please be informed that I have got SSH access after issuing the following:

ASA(config)#aaa authentication ssh console LOCAL

Before issuing the above command, SSH could only be accessed with user "asa", which I cannot find anywhere in the configuration.

Anyway, thanks a lot for your sharing.

Regards,

Lay
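An added example, not Lay's configuration: the management-access lines that the `aaa authentication ssh console LOCAL` fix implies, with the SSH sources narrowed from 0.0.0.0 0.0.0.0 to specific admin subnets. The subnets 10.0.0.0/24 (inside) and 192.168.1.0/24 (management), the user name "netadmin" and the password placeholder are constructed values. The dmz entry from the thread is left out deliberately: a DMZ host has no reason to open management sessions to the firewall, and if one is compromised that entry becomes the path to the device.

```cisco
! Added example (not from this thread): SSH and ASDM management access on an
! ASA 8.3 box, authenticated against a local account and limited to admin
! subnets. User name, password placeholder and subnets are constructed.

! A local account for the management session. Replace the placeholder with
! a strong, unique password; privilege 15 grants enable-level access.
username netadmin password CHANGE-ME-STRONG-PASSWORD privilege 15

! Send SSH logins to the local user database. Without this line SSH does not
! consult local accounts at all, which is the "access denied" seen in the
! thread.
aaa authentication ssh console LOCAL

! Host key: 2048-bit RSA rather than the 1024-bit key generated in the thread.
crypto key generate rsa modulus 2048

! Allow SSH only from the admin subnets, not from everywhere on every interface.
ssh 10.0.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2

! Keep ASDM (HTTPS) management on the same restricted subnets. This is
! independent of the NAT configuration, so adding port translations for the
! DMZ does not remove it.
http server enable
http 10.0.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
```

Check the result with `show run ssh` and `show run aaa`, and confirm from a host outside the listed subnets that the SSH port on the firewall is not reachable; the ACL on the data interfaces does not govern management sessions to the ASA itself, so the `ssh` and `http` source lines are the control that matters here.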

1105 Views | 0 Helpful | 5 Replies