https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395559#M270630 <P>Hello Experts, </P><P></P><P>I have a bit of a challenge that I would need your input on. First off I was just helping out a friend with this configuration and then he put more that I can chew write in my mouth. So I would need help to see how best i can get this resolved with Cisco ASA. </P><P></P><P></P><P></P><P>Attached is a drawing of two different scenarios. </P><P></P><P>The first scenario works perfectly as I have static nat going for both servers using two different IP address. Both servers on the dmz could be reach over the internet using different external IP address and ports allowed on the servers. Sections are built with twice see below the config.</P><P></P><P></P><P>object network DMZ_MAILEDGE_SERVER1</P><P>host 172.16.1.2</P><P>!</P><P>object network DMZ_MAILEDGE_SERVER2</P><P>host 172.16.1.3</P><P>!</P><P>object network DMZ_EGDE1</P><P>host <SPAN style="font-size: 10pt;">12.12.13.2 </SPAN></P><P>!</P><P>object network DMZ_EGDE2</P><P>host <SPAN style="font-size: 10pt;">12.12.13.3 </SPAN></P><P>!</P><P>nat (dmz,outside) source static DMZ_MAILEDGE_SERVER1&nbsp; DMZ_EGDE1 description *** STATIC NAT FOR MAIL SERVER 1 ***</P><P>!</P><P>nat (dmz,outside) source static DMZ_MAILEDGE_SERVER2&nbsp; DMZ_EGDE2 description *** STATIC NAT FOR MAIL SERVER 2 ***</P><P></P><P>Below is the access-list </P><P></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 6 extended permit udp any object DMZ_MAILEDGE_SERVER1 eq domain (hitcnt=0) 0x8537fcbb</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 6 extended permit udp any host 172.16.1.2 eq domain (hitcnt=21) 0x8537fcbb</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 7 extended permit tcp any object DMZ_MAILEDGE_SERVER1 eq smtp (hitcnt=0) 0xef52a116</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 7 extended permit tcp any host 172.16.1.2 eq smtp (hitcnt=6) 0xef52a116</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 8 extended deny ip any object DMZ_MAILEDGE_SERVER1 (hitcnt=0) 0x0032faa5</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 8 extended deny ip any host 172.16.1.2 (hitcnt=1983) 0x0032faa5</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 9 extended permit tcp any object DMZ_MAILEDGE_SERVER2 eq https (hitcnt=0) 0x67a318d7</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 9 extended permit tcp any host 172.16.1.3 eq https (hitcnt=494) 0x67a318d7</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 10 extended deny ip any object DMZ_MAILEDGE_SERVER2 (hitcnt=0) 0x7c202607</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 10 extended deny ip any host 172.16.1.3 (hitcnt=1748) 0x7c202607.</SPAN></P><P></P><P>As you can see this works like a champ no issues at all! </P><P></P><P></P><P>But now I am been asked to implement scenario 2 where by the nat would be on one public ip only and ports opened for both inside servers.</P><P></P><P>Now I am not sure Cisco ASA has such dexterity of allowing me to static nat on a public IP for two servers and opening ports for them. Like I said, I am not sure but willing to get corrected of my thoughts. </P><P></P><P><SPAN style="font-size: 10pt;">I would appreciate any suggestions from anyone that could give me a clue of how to get this resolved.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks</SPAN></P><P><SPAN style="font-size: 10pt;">Tedd </SPAN></P> Tue, 12 Mar 2019 03:38:05 GMT Azubuike Obiora 2019-03-12T03:38:05Z https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395559#M270630 <P>Hello Experts, </P><P></P><P>I have a bit of a challenge that I would need your input on. First off I was just helping out a friend with this configuration and then he put more that I can chew write in my mouth. So I would need help to see how best i can get this resolved with Cisco ASA. </P><P></P><P></P><P></P><P>Attached is a drawing of two different scenarios. </P><P></P><P>The first scenario works perfectly as I have static nat going for both servers using two different IP address. Both servers on the dmz could be reach over the internet using different external IP address and ports allowed on the servers. Sections are built with twice see below the config.</P><P></P><P></P><P>object network DMZ_MAILEDGE_SERVER1</P><P>host 172.16.1.2</P><P>!</P><P>object network DMZ_MAILEDGE_SERVER2</P><P>host 172.16.1.3</P><P>!</P><P>object network DMZ_EGDE1</P><P>host <SPAN style="font-size: 10pt;">12.12.13.2 </SPAN></P><P>!</P><P>object network DMZ_EGDE2</P><P>host <SPAN style="font-size: 10pt;">12.12.13.3 </SPAN></P><P>!</P><P>nat (dmz,outside) source static DMZ_MAILEDGE_SERVER1&nbsp; DMZ_EGDE1 description *** STATIC NAT FOR MAIL SERVER 1 ***</P><P>!</P><P>nat (dmz,outside) source static DMZ_MAILEDGE_SERVER2&nbsp; DMZ_EGDE2 description *** STATIC NAT FOR MAIL SERVER 2 ***</P><P></P><P>Below is the access-list </P><P></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 6 extended permit udp any object DMZ_MAILEDGE_SERVER1 eq domain (hitcnt=0) 0x8537fcbb</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 6 extended permit udp any host 172.16.1.2 eq domain (hitcnt=21) 0x8537fcbb</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 7 extended permit tcp any object DMZ_MAILEDGE_SERVER1 eq smtp (hitcnt=0) 0xef52a116</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 7 extended permit tcp any host 172.16.1.2 eq smtp (hitcnt=6) 0xef52a116</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 8 extended deny ip any object DMZ_MAILEDGE_SERVER1 (hitcnt=0) 0x0032faa5</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 8 extended deny ip any host 172.16.1.2 (hitcnt=1983) 0x0032faa5</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 9 extended permit tcp any object DMZ_MAILEDGE_SERVER2 eq https (hitcnt=0) 0x67a318d7</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 9 extended permit tcp any host 172.16.1.3 eq https (hitcnt=494) 0x67a318d7</SPAN></P><P><SPAN style="font-size: 8pt; color: #000000;">access-list outside_access_in line 10 extended deny ip any object DMZ_MAILEDGE_SERVER2 (hitcnt=0) 0x7c202607</SPAN></P><P><SPAN style="font-size: 8pt; color: #ff6600;">access-list outside_access_in line 10 extended deny ip any host 172.16.1.3 (hitcnt=1748) 0x7c202607.</SPAN></P><P></P><P>As you can see this works like a champ no issues at all! </P><P></P><P></P><P>But now I am been asked to implement scenario 2 where by the nat would be on one public ip only and ports opened for both inside servers.</P><P></P><P>Now I am not sure Cisco ASA has such dexterity of allowing me to static nat on a public IP for two servers and opening ports for them. Like I said, I am not sure but willing to get corrected of my thoughts. </P><P></P><P><SPAN style="font-size: 10pt;">I would appreciate any suggestions from anyone that could give me a clue of how to get this resolved.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks</SPAN></P><P><SPAN style="font-size: 10pt;">Tedd </SPAN></P> Tue, 12 Mar 2019 03:38:05 GMT https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395559#M270630 Azubuike Obiora 2019-03-12T03:38:05Z https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395560#M270632 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Please go through the following link ;</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-31116">https://supportforums.cisco.com/docs/DOC-31116</A></P><P></P><P>hope this helps you</P><P></P><P>Thanks</P></BODY></HTML> Thu, 30 Jan 2014 04:28:24 GMT https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395560#M270632 vishaw jasrotia 2014-01-30T04:28:24Z https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395561#M270638 <HTML><HEAD></HEAD><BODY><P>Hello Teddy,</P><P></P><P>Hopefully I understood it correctly but it would be</P><P></P><P>object network Inside-Server-1</P><P>host 172.16.1.2</P><P>object network Inside-Server-2</P><P>host 172.16.1.3</P><P></P><P>object network Outside1</P><P>host 12.12.13.2</P><P></P><P>object service SMTP</P><P>service tcp source eq 25</P><P></P><P>object service HTTPS</P><P>service tcp source eq 443</P><P></P><P>nat (inside,outside) 1 source static&nbsp; <SPAN style="font-size: 10pt;">Inside-Server-1 Outside1 service SMTP SMTP</SPAN></P><P>nat (inside,outside) 1 source static&nbsp; Inside-Server-2 Outside1 service HTTPS HTTPS</P><P></P><P></P><P>access-list <SPAN style="font-size: 10pt;">outside_access_in </SPAN><SPAN style="font-size: 10pt;">tcp any host 172.16.1.3 eq 443</SPAN></P><P>access-list outside_access_in permit tcp any host 172.16.1.2 eq 25</P><P></P><P></P><P>Looking for some Networking Assistance?&nbsp; <BR /><SPAN>Contact me directly at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />I will fix your problem ASAP. <BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura <BR /><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Thu, 30 Jan 2014 06:21:00 GMT https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395561#M270638 Julio Carvajal 2014-01-30T06:21:00Z https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395562#M270642 <HTML><HEAD></HEAD><BODY><P>Hi Guy!</P><P></P><P>@ Julio Thanks a lot! You are absolutely correct about it! It works like a champ!!! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN><SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>@ Vishaw thanks for sharing the document! Much appreciated! <SPAN __jive_emoticon_name="plus" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN><SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 30 Jan 2014 10:05:41 GMT https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395562#M270642 Azubuike Obiora 2014-01-30T10:05:41Z https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395563#M270648 <HTML><HEAD></HEAD><BODY><P>Always welcome... <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN><SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 31 Jan 2014 03:50:35 GMT https://community.cisco.com/t5/network-security/static-pat-port-forwding/m-p/2395563#M270648 vishaw jasrotia 2014-01-31T03:50:35Z