Static translation with Port redirection

kev_jacob (Level 1)

Hi,

I have a scenario in which two public IPs (one for HTTP requests and the other for SMTP/SSL requests for OWA) need to be translated onto a single inside ISA server IP in the DMZ. Please suggest which is the best practice. I know that we cannot do a one-to-one NAT because two IPs cannot translate into one. Is using static translation with port redirection the best practice to access the ISA server for OWA? Is it the best security that can be applied at this moment? I will redirect only requests for ports 80, 8080, 25, 443 and 110. I will also create an access-list to permit only these ports.

I need to recommend this to a customer. Please advise.

Thanks

Kevin

Accepted Solution

gfullage (Cisco Employee)

Port redirection is the best way to go here. As you're already aware, you can't enter a static for two outside IPs pointing to one inside (or vice versa), but statically mapping just the ports will be fine. Similarly, just allow those ports in on your inbound ACL and you'll be good to go.

You'll want something like the following:

static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80
static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25
static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110
static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443

access-list inbound permit tcp any host x.x.x.1 eq 80
access-list inbound permit tcp any host x.x.x.1 eq 8080
access-list inbound permit tcp any host x.x.x.2 eq 25
access-list inbound permit tcp any host x.x.x.2 eq 110
access-list inbound permit tcp any host x.x.x.2 eq 443

access-group inbound in interface outside

where x.x.x.[1|2] are your public IPs, and a.a.a.1 is your inside server.
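The answer above pairs every port-redirect static with an inbound ACL permit. The following Python checker (an added example, not code from the thread or from Cisco) parses those two PIX 6.x line shapes plus the access-group line and reports the mismatches worth catching before a clear xlate: a static with no permit, a permit with no static, conflicting statics for one global IP/port, and an ACL that is never applied. The sample config is the accepted answer's, embedded inline.

```python
import re

# Line shapes from the accepted answer (PIX 6.x syntax); a trailing 'netmask ...' is ignored.
STATIC_RE = re.compile(r"^static\s+\([^)]*\)\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\d+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+")

# Constructed sample: the statics and ACL from the accepted answer.
SAMPLE = """\
static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80
static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25
static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110
static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443
access-list inbound permit tcp any host x.x.x.1 eq 80
access-list inbound permit tcp any host x.x.x.1 eq 8080
access-list inbound permit tcp any host x.x.x.2 eq 25
access-list inbound permit tcp any host x.x.x.2 eq 110
access-list inbound permit tcp any host x.x.x.2 eq 443
access-group inbound in interface outside
"""

def audit(config):
    """Return a sorted list of findings; an empty list means statics and ACL agree."""
    statics = {}     # (proto, global_ip, global_port) -> (local_ip, local_port)
    permits = {}     # (proto, global_ip, port) -> ACL name that permits it
    applied = set()  # ACL names bound to an interface with access-group
    findings = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            if statics.get((proto, gip, gport), (lip, lport)) != (lip, lport):
                findings.add(f"conflicting statics for {gip} {proto}/{gport}")
            statics[(proto, gip, gport)] = (lip, lport)
        elif m := ACL_RE.match(line):
            name, proto, gip, port = m.groups()
            permits[(proto, gip, port)] = name
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
    for proto, gip, port in statics:           # translation exists, but the outside ACL drops it
        if (proto, gip, port) not in permits:
            findings.add(f"no inbound permit for static {gip} {proto}/{port}")
    for (proto, gip, port), name in permits.items():
        if (proto, gip, port) not in statics:  # ACL opens a port that nothing translates
            findings.add(f"permit for {gip} {proto}/{port} has no matching static")
        if name not in applied:
            findings.add(f"access-list {name} is never applied with access-group")
    return sorted(findings)
```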


4 Replies


Thanks a lot. This was exactly what I had in mind. You have confirmed it. Thank you very much.

Regards

Kevin

Actually, when I really tried this out today it didn't work!

For example, this is the current config:

static (intf3,intf2) tcp x.x.x.1 a.a.a.1 (To ISA)
static (inside, intf2) tcp x.x.x.2 b.b.b.1 (To Exchange)

The requirement is to pass x.x.x.2 also through the ISA (i.e. a.a.a.1).

I did the following:

static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (intf3,intf2) tcp x.x.x.2 25 a.a.a.1 25
static (intf3,intf2) tcp x.x.x.2 110 a.a.a.1 110
static (intf3,intf2) tcp x.x.x.2 443 a.a.a.1 443

access-list acl_intf2 permit tcp any host x.x.x.1 eq 80
access-list acl_intf2 permit tcp any host x.x.x.1 eq 8080
access-list acl_intf2 permit tcp any host x.x.x.2 eq 25
access-list acl_intf2 permit tcp any host x.x.x.2 eq 110
access-list acl_intf2 permit tcp any host x.x.x.2 eq 443

access-group acl_intf2 in interface intf2

Finally I did a clear xlate.

My Internet and mail stopped working. When I reverted it back, it was okay.

I continued the test by doing only the following:

static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (inside, intf2) tcp x.x.x.2 b.b.b.1 (To Exchange)

Now mail was working but Internet was still not working.

I tried it vice versa, like the following:

static (intf3,intf2) tcp x.x.x.1 a.a.a.1 (To ISA)
static (intf3,intf2) tcp x.x.x.2 25 b.b.b.1 25
static (intf3,intf2) tcp x.x.x.2 110 b.b.b.1 110
static (intf3,intf2) tcp x.x.x.2 443 b.b.b.1 443

Now Internet was fine but mail was not working.

Any solution?

a.a.a.1 = ISA server
b.b.b.1 = front-end Exchange
x.x.x.1 = ISA virtual IP
x.x.x.2 = Exchange virtual IP

All requests to x.x.x.1 and x.x.x.2 are from an MPLS cloud. An ISA server and Exchange server at the MPLS server location forward all HTTP and SMTP traffic to x.x.x.1 and x.x.x.2.

jackko (Level 7)

No drama as long as the two public IPs are used for different ports.

E.g. 1.1.1.1 for HTTP, 1.1.1.2 for SMTP, and the ISA server has private IP 192.168.1.1:

static (dmz,outside) tcp 1.1.1.1 80 192.168.1.1 80 netmask 255.255.255.255
static (dmz,outside) tcp 1.1.1.2 25 192.168.1.1 25 netmask 255.255.255.255

access-list inbound permit tcp any host 1.1.1.1 eq 80
access-list inbound permit tcp any host 1.1.1.2 eq 25

access-group inbound in interface outside

clear xlate