02-21-2020 01:54 PM
Hi,
I have VLANs on my network that are NATed to the outside to go on the internet. Now I want to publish a server on the internet.
I have a public IP for the internet on a Cisco ASA firewall interface. I want to add another public IP on the same interface, so that I can port forward to the server I want to publish through this new public IP.
Is this possible? What are your suggestions, please?
Thanks in advance!
02-25-2020 02:55 PM
Thank you so much, I will try it later on, and then reply here and accept the solution if it worked. Thanks again!
02-25-2020 11:30 PM
This won't affect the IP 1.1.1.1 on interface 1? Because we are using the same interface, which is fwoutinternet.
02-26-2020 09:55 AM
It won't affect it, as RJ already mentioned to you. Make the change and test it. In order to test, once you apply your configuration:
packet-tracer input fwoutinternet tcp 8.8.8.8 12345 1.1.1.2 eq https
02-26-2020 10:04 AM
ASA# packet-tracer input FwoutTerra tcp 8.8.8.8 1234 1.1.1.2 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OWApublish
 nat (FwInside,FwoutTerra) static 1.1.1.2
Additional Information:
NAT divert to egress interface FwInside
Untranslate 1.1.1.2/443 to 172.16.12.7/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface FwoutTerra
access-list OUTSIDE_IN extended permit tcp any host 172.16.12.7 eq https
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map class
 match any
policy-map map
 class class
  sfr fail-open
service-policy map global
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network OWApublish
 nat (FwInside,FwoutTerra) static 1.1.1.2
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46591092, packet dispatched to next module

Result:
output-interface: FwInside
output-status: up
output-line-status: up
Action: allow

This is the output; everything seems fine.
02-26-2020 10:08 AM - edited 02-26-2020 10:09 AM
Yes, it looks good. You should be good now. Your NAT rules are working accordingly.
02-26-2020 10:24 AM
But I still can't access https://1.1.1.2 from outside (on the internet).
02-26-2020 10:33 AM - edited 02-26-2020 10:36 AM
Can you ping this server, 172.16.12.7, from the firewall? Your NAT rules are good and they are allowing the traffic. Does your server 172.16.12.7 allow HTTPS traffic?
@AhmadZ the NAT rule you defined is called static one-to-one NAT. This means it's a bi-directional rule, meaning traffic from inside to outside can go out, and traffic from outside to inside can come in.
How are you accessing 172.16.12.7? Is it connected directly to the ASA, or is there a layer 3 device in between?
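As an added example (not configuration posted by anyone in this thread), here is what the static NAT described above looks like in full on an ASA running 8.3 or later, with the port-restricted variant beside it. It assumes the same names the thread uses (interfaces FwInside and FwoutTerra, object OWApublish, server 172.16.12.7, published IP 1.1.1.2, interface IP 1.1.1.1); the ACL name OUTSIDE_IN is also taken from the packet-tracer output. The ASA does not take a secondary address on the interface: the extra public IP exists only in the NAT rule, and the ASA proxy-ARPs for it on the outside segment, which is why the interface address 1.1.1.1 is unaffected.

```cisco
! Added example, not from the thread. Assumed names: FwInside, FwoutTerra,
! OWApublish, OUTSIDE_IN, 172.16.12.7, 1.1.1.2. Interface keeps 1.1.1.1.

! Option A: static one-to-one NAT (what the thread configured).
! All ports of 172.16.12.7 are translated to 1.1.1.2 in both directions,
! so the ACL is the only thing limiting what the internet can reach.
object network OWApublish
 host 172.16.12.7
 description Inside server published on 1.1.1.2
 nat (FwInside,FwoutTerra) static 1.1.1.2

! Option B: static NAT for a single service only (tighter than A).
! Only TCP/443 is translated; other ports on the server are not exposed,
! and the server's outbound traffic does not pick up 1.1.1.2 as its source.
! Use B instead of A for a "port forward"; do not configure both.
object network OWApublish_https
 host 172.16.12.7
 nat (FwInside,FwoutTerra) static 1.1.1.2 service tcp https https

! On ASA 8.3+ the inbound ACL matches the real (inside) address, as the
! packet-tracer output above shows. Permit only the published service.
access-list OUTSIDE_IN extended permit tcp any host 172.16.12.7 eq https
access-group OUTSIDE_IN in interface FwoutTerra

! Checks from the ASA after applying the configuration:
! packet-tracer input FwoutTerra tcp 8.8.8.8 12345 1.1.1.2 443
! show nat detail
! show xlate
! show conn address 172.16.12.7
```

When packet-tracer shows Action: allow but a real client from the internet still cannot connect, the ASA is usually not the problem: check that the server actually listens on TCP/443 and its host firewall permits it, that the server's default gateway (or the layer 3 switch in between) routes return traffic back through the ASA's FwInside interface rather than another path, and that the upstream provider routes 1.1.1.2 to the ASA's outside segment. A connection attempt from outside that reaches the ASA shows up in show conn; if nothing appears there, the packet is not arriving at the firewall.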
02-26-2020 10:35 AM
Yes, there is ping from the firewall to 172.16.12.7. I think yes, but where can I check?
02-26-2020 10:47 AM
Not sure about this, but I think the ASA is connected to a switch, and then this switch to a server which hosts the VM where the server I want to publish is.