
Cisco ASA Static PAT / Port forwarding / Port Redirection Problem

Jasonch518_2
Level 1

I currently have a situation where I want to configure a static translation for a single outside IP going to multiple internal IPs, on a different TCP port for each. Normally I would be able to do this, and I have done it in the past, but this situation has one difference: the port that I am forwarding to on the internal IP side is different. I have posted an example below. It is not working the way I would think. When I connect to the HTTPS page of a DRAC card on a Dell server, I get the security warnings and all, and accept, but when it tries to pull up the page, it times out. Is this something to do with my configuration on the ASA, or maybe something with the DRAC card itself? Has anyone experienced this before? If I do not change the port, and use 443 on the outside and inside, it works fine, but I don't want the outside to see 443, but 5001, 5002, etc., going to different internal IPs on 443.

static (DRAC,outside) tcp 216.x.x.x 5001 10.251.0.1 https netmask 255.255.255.255

Thanks for any help you can provide.

Jason

4 Replies

Jasonch518_2
Level 1

static (DRAC,outside) tcp 216.x.x.x 5001 10.251.0.1 https netmask 255.255.255.255

static (DRAC,outside) tcp 216.x.x.x 5002 10.251.0.2 https netmask 255.255.255.255

static (DRAC,outside) tcp 216.x.x.x 5003 10.251.0.3 https netmask 255.255.255.255

The above do not work, but I would like them to.

static (DRAC,outside) tcp 216.x.x.x https 10.251.0.1 https netmask 255.255.255.255

This method works, but it does not meet my security needs. Yes, I do have the option of using a different outside IP for each DRAC card and then doing 443 to 443, but that again does not meet my security needs, and I do not want to use that many different outside IP addresses.

Does anyone have any input on this? I still have not been able to get it working.

hey dude

try this

show ip

(find the asa's interface name)

(use the ASA interface name when creating the port forward nat)

i.e.

your syntax is wrong

static (outside,inside) 5001 443

remember, it's

static (start interface, ending interface)

pre-nat ip, post-nat ip

-Joe

I had the same configuration as you and it works for me:

static (DRAC,outside) tcp interface 5001 192.168.1.1 https netmask 255.255.255.255

static (DRAC,outside) tcp interface 5002 192.168.1.2 https netmask 255.255.255.255

static (DRAC,outside) tcp interface 5003 192.168.1.3 https netmask 255.255.255.255

The only exception is that I have a Red Hat Linux Apache server serving HTTPS, and I can see the page without any issues.

Then again, I am using PIX version 7.0(7), which is a stable version. You may want to give version 7.0(7) a try.
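The following is an added example, not part of any reply in this thread: a small Python audit of pre-8.3 `static` PAT lines like the ones posted above. It lists which outside ports are redirected to which inside hosts and flags any outside port claimed by two rules. The `NAMED_PORTS` table, the function names and the fourth sample line (a constructed collision) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Subset of ASA/PIX port keywords (assumption: only the names this example needs).
NAMED_PORTS = {"https": 443, "www": 80, "ssh": 22, "telnet": 23}

# static (real_ifc,mapped_ifc) tcp|udp mapped_ip|interface mapped_port real_ip real_port [netmask mask]
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),\s*(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)

def port(value):
    """Resolve a numeric or named port; unknown names raise KeyError."""
    return int(value) if value.isdigit() else NAMED_PORTS[value.lower()]

def parse_static_pat(config):
    """Return one dict per static PAT line; all other lines are ignored."""
    rules = []
    for line in config.splitlines():
        m = STATIC_PAT.match(line.strip())
        if m:
            r = m.groupdict()
            r["mapped_port"] = port(r["mapped_port"])
            r["real_port"] = port(r["real_port"])
            rules.append(r)
    return rules

def audit(rules):
    """Return (collisions, redirected): duplicate outside ports and port-changing rules."""
    seen = defaultdict(list)
    for r in rules:
        key = (r["mapped_if"], r["proto"], r["mapped_ip"], r["mapped_port"])
        seen[key].append(r["real_ip"])
    collisions = {k: v for k, v in seen.items() if len(v) > 1}
    redirected = [r for r in rules if r["mapped_port"] != r["real_port"]]
    return collisions, redirected

# First three lines are from the thread; the last is a constructed collision.
SAMPLE = """\
static (DRAC,outside) tcp 216.x.x.x 5001 10.251.0.1 https netmask 255.255.255.255
static (DRAC,outside) tcp 216.x.x.x 5002 10.251.0.2 https netmask 255.255.255.255
static (DRAC,outside) tcp 216.x.x.x 5003 10.251.0.3 https netmask 255.255.255.255
static (DRAC,outside) tcp 216.x.x.x 5001 10.251.0.9 https netmask 255.255.255.255
"""

if __name__ == "__main__":
    collisions, redirected = audit(parse_static_pat(SAMPLE))
    for r in redirected:
        print(f"{r['mapped_ip']}:{r['mapped_port']} -> {r['real_ip']}:{r['real_port']}")
    print("collisions:", collisions)
```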
