New Member

ASA NAT setup question

I am converting from a Symantec Enterprise Firewall to a Cisco ASA 5510. Currently I have it set up so that any traffic designated for my external firewall port using port 80 gets directed to a web server and anything using port 25 gets directed to my SMTP mail server. How do I set this up in the ASA? Do I have to use two external IPs, each NATted to the proper IP, or can I share one like I am currently doing?

I have a few extra public IPs. I added one of them as a host and tried to configure it to NAT to my internal web server, and created a rule allowing port 80 traffic from any external entity to this web server. Every time I test it I get a TCP SYN timeout.

I am a beginner with the Cisco, so I assume it's something I am doing wrong. Does anyone have any advice?

2 REPLIES
New Member

Re: ASA NAT setup question

I am not sure how it can be done in the ASA, but it should be similar to how it is done in FWSM/PIX. What you need is static PAT, where you map the same global IP to different ports on individual app servers internally.

The following example would give you a better idea:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/nat.htm#wp1159124

Hope this helps

New Member

Re: ASA NAT setup question

Thanks for the link. I think I have added the PAT lines I need, but now I am getting ACL errors. I created a rule allowing all TCP port 80 traffic from the outside to my internal web server at 192.168.1.10. But I keep getting a "TCP access denied by ACL" from 192.168.1.49/1787 (my IP) to inside 69.220.58.91/80 (the IP of my external port on the firewall). Here are my access rules:

access-list outside_access_in extended permit tcp any host 69.220.58.91 eq www

access-list outside_access_out extended permit tcp host 69.220.58.91 any eq www

Again, this is how it is set up on my Symantec firewall, so I don't understand why it doesn't work on the Cisco.
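For reference, here is the static PAT configuration the thread is working toward, as an added example that is not from any poster. It uses the pre-8.3 ASA syntax that matches the FWSM document linked above, maps ports 80 and 25 on the outside interface address to the web server at 192.168.1.10 and to an assumed mail server at 192.168.1.20, and adds the inbound ACL plus the checks to verify it. Note that the denial logged above is for a test from an inside host (192.168.1.49) arriving on the inside interface, which a rule applied inbound on the outside interface never evaluates; verify from an outside host instead.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, as in the linked FWSM guide.
! Assumptions: 69.220.58.91 is the outside interface address ("external port"),
! 192.168.1.10 is the web server (from the thread), 192.168.1.20 is a placeholder mail server.

! Static PAT: one public address, two internal servers, selected by destination port.
! "interface" means the outside interface's own IP, so no spare public address is consumed.
static (inside,outside) tcp interface www  192.168.1.10 www  netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255

! In this syntax version the inbound ACL references the public (mapped) address.
! Only the two published ports are opened; everything else remains implicitly denied.
access-list outside_access_in extended permit tcp any host 69.220.58.91 eq www
access-list outside_access_in extended permit tcp any host 69.220.58.91 eq smtp
access-group outside_access_in in interface outside

! No separate "outside_access_out" permit is needed for the servers' replies:
! the ASA is stateful and allows return traffic of established connections.

! Checks from the ASA CLI (203.0.113.5 is a documentation-range source address):
packet-tracer input outside tcp 203.0.113.5 1024 69.220.58.91 80
show xlate
show access-list outside_access_in
```

The packet-tracer output should show the xlate to 192.168.1.10 and an ALLOW result for the ACL phase; a DROP there points at the access-list or access-group line rather than the PAT.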
