topic Diverting some traffic from the ASA's public IP, to the DMZ in Network Security

Diverting some traffic from the ASA's public IP, to the DMZ

David Tamburin — Tue, 12 Mar 2019 01:42:45 GMT

Hey all, any ideas would be great.

Scenario:

ASA has outside interface with a public IP, say 1.1.1.1 (This IP is global natted so people can access the internet, etc)

global (outside) 1 1.1.1.1

I need to open up port 443 for a few external servers to hit a server on our DMZ with a private IP 192.168.100.100.

access-list outside_in extended permit tcp 2.2.2.2 host 1.1.1.1 eq https

access-list outside_in extended permit tcp 2.2.2.3 host 1.1.1.1 eq https

I need all the rest of the traffic to continue to do whatever it is doing.

I am thinking there is some sort of translation I can to do to accomplish this, any ideas?

Clarification....

I have two outside servers, say 2.2.2.2 and 2.2.2.3 they need to access 192.168.100.100 on our DMZ buy using the ASA's outside public ip 1.1.1.1

How can I do this, only diverting traffic from the 2 external servers and not all external servers.

static (DMZ, outside) 1.1.1.1 192.168.100.100 255.255.255.255 wont work as that just translates everything.

Thank you,

David

Diverting some traffic from the ASA's public IP, to the DMZ

Jouni Forss — Mon, 13 May 2013 18:00:52 GMT

Hi,

You can use the following configuration

static (DMZ,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq https

access-list outside_in permit tcp host 2.2.2.3 host 1.1.1.1 eq https

This will essentially forward the port TCP/443 from the ASA "outside" IP address to the "DMZ" IP address of 192.168.100.100. This applies to any source addresses on the public network BUT to be honest it doesnt matter as it doesnt change anything for the "DMZ" or "inside" users you might have.

And additionally the ACL is already controlling which hosts can access this port TCP/443

Hope this helps

Please remember to mark the reply as the correct answer if it was. And/or rate helpfull answers

- Jouni

Diverting some traffic from the ASA's public IP, to the DMZ

Jouni Forss — Mon, 13 May 2013 18:04:32 GMT

If you for some reason still want to apply this NAT only for those mention public IP addresses then I think the configuration might be something like this

access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.2

access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.3

static (DMZ,outside) tcp interface https access-list DMZ-POLICY-NAT

- Jouni