09-19-2012 05:39 AM - edited 03-11-2019 04:56 PM
Hello Clever Guys,
I've been dealing with this scenario. I've tried a bunch of things but it didn't work, and I'm about to give up! :-/
I have the following scenario:
ASA5510 - v8.3(2)
Interfaces
ETH0/0 = outside = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15
ETH0/2 = DMZ = shutdown -> not in use
Management0/0 = management = 192.168.xx.xx
Public IP = 189.xx.xx.129
Internal IP range = 10.xx.xx.1
internal Sip server = 10.xx.xx.6
internal www on 8080= 10.xx.xx.61
What should I do to get SIP and port 8080 working on my public IP, so that I can access http://189.xxx.xxx.129:8080 from my browser and get through directly to my internal server 10.xx.xx.61?
Thanks in advance.
Aleandro.
09-20-2012 06:25 AM
Here is the configuration:
object network obj-sipserver
host 10.x.x.6
nat (inside,outside) static interface service udp 5060 5060
object network obj-www
host 10.x.x.61
nat (inside,outside) static interface service tcp 8080 8080
I am assuming that SIP uses UDP/5060, but if you are using different ports and/or protocols, just change it accordingly.
Then ACL on the outside interface to allow those services.
11-15-2012 05:04 AM
How would this look if I had more than one IP that I want to use on the outside interface?
Something like this?
Let's say the IP of the outside interface is 192.168.10.10 and I want to use 192.168.10.11 for www.
object network obj-www
host 10.x.x.61
nat (inside,outside) static 192.168.10.11 service tcp 8080 8080
Can I create as many of these as I want for servers that I want to open to the outside, as long as the ports do not conflict?
I also have a question on tcp 80 8080. Do I put the service port first and then the mapped port? For example, if I want to just surf to www, would 80 be first?
/H
11-16-2012 04:26 AM
Yes, you are right, Hilmar.
You can create as many servers as you like as long as the ports do not conflict.
If you want to change the port number, then the real port comes first and the mapped port will come second.
11-16-2012 11:50 AM
Hello Jennifer,
I did exactly what you've suggested, but it didn't work. Do I need to create any rule in my access list to permit this traffic?
Also, in my case, is it possible to have a different public IP (in the same subnet) redirecting to an internal server, like Hilmar said?
I have 60 public IPs available, but I do not know how to configure this ASA box to accept incoming traffic and redirect it to my internal servers.
ETH0/0 = outside = 189.xxx.xxx.129 - 189.xxx.xxx.189
Thanks,
/Aleandro
11-17-2012 05:26 AM
Hi Aleandro,
Yes, you would also need to configure access-list on the outside interface to permit the traffic.
Yes, you can also use a different public IP redirecting to an internal server.
You can configure 1:1 static and here is an example:
object network obj-sipserver
host 10.x.x.6
nat (inside,outside) static 189.xxx.xxx.abc
Then access-list on the outside would say as follows:
access-list
access-list
access-group
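Added example, not part of any poster's reply: the thread's two port forwards together with the outside ACL the replies refer to, for ASA 8.3 and later, where the interface ACL is matched against the real (inside) address and port rather than the public one. The ACL name OUTSIDE_IN and the test source address 198.51.100.10 are assumptions; the masked addresses are the thread's own placeholders.

```cisco
! Constructed example for ASA 8.3+ (object NAT). Masked addresses are
! the thread's placeholders; OUTSIDE_IN is a hypothetical ACL name.
!
! Static PAT on the outside interface address: real port first, mapped port second
object network obj-sipserver
 host 10.x.x.6
 nat (inside,outside) static interface service udp 5060 5060
object network obj-www
 host 10.x.x.61
 nat (inside,outside) static interface service tcp 8080 8080
!
! The destination in each rule is the REAL server address and REAL port,
! because 8.3+ un-translates the packet before the ACL is checked.
! Permitting 189.xxx.xxx.129 here would not match the forwarded traffic.
access-list OUTSIDE_IN extended permit udp any host 10.x.x.6 eq 5060
access-list OUTSIDE_IN extended permit tcp any host 10.x.x.61 eq 8080
!
! Bind the ACL to inbound traffic on the outside interface.
! An interface holds one inbound ACL, so add the lines above to the
! existing ACL if one is already applied there.
access-group OUTSIDE_IN in interface outside
!
! Verification from privileged EXEC. packet-tracer takes the PUBLIC
! destination; the output should show UN-NAT to the real address
! followed by an ACCESS-LIST phase with result ALLOW.
show nat detail
show access-list OUTSIDE_IN
packet-tracer input outside tcp 198.51.100.10 40000 189.xxx.xxx.129 8080
packet-tracer input outside udp 198.51.100.10 5060 189.xxx.xxx.129 5060
```

Where the SIP peer or the web clients come from known addresses, replacing `any` with those source addresses keeps the published services from being reachable by the whole Internet.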