
ASA 5510 - How PAT with ONE public IP to TWO internal servers (SIP and 8080)

aleandrobr
Level 1

Hello Clever Guys,

I've been dealing with this scenario. I've tried a bunch of things but it didn't work, and I'm about to give up! :-/

I have the following scenario:

ASA5510 - v8.3(2)

Interfaces

ETH0/0 = outside  = 189.xxx.xxx.129

ETH0/1 = inside = 10.xx.1.15

ETH0/2 = DMZ = shutdown -> not in use

Management0/0 = management = 192.168.xx.xx

Public IP = 189.xx.xx.129

Internal IP range = 10.xx.xx.1

internal Sip server     = 10.xx.xx.6

internal www on 8080= 10.xx.xx.61

What should I do to get SIP and port 8080 working on my public IP, so that I can browse to http://189.xxx.xxx.129:8080 and get straight through to my internal server 10.xx.xx.61?

Thanks in advance.

Aleandro.

5 Replies

Jennifer Halim
Cisco Employee

Here is the configuration:

object network obj-sipserver

   host 10.x.x.6

   nat (inside,outside) static interface service udp 5060 5060

object network obj-www

   host 10.x.x.61

   nat (inside,outside) static interface service tcp 8080 8080

I am assuming that SIP uses UDP/5060, but if you are using different ports and/or protocols, just change it accordingly.

Then ACL on the outside interface to allow those services.

How would this look if I had more than one IP that I want to use on the outside interface?

Something like this?

Let's say the IP of the outside interface is 192.168.10.10 and I want to use 192.168.10.11 for www.

object network obj-www

host 10.x.x.61

nat (inside,outside) static 192.168.10.11 service tcp 8080 8080

Can I create as many of these for servers that I want to open to the outside as long as the ports do not conflict?

I also have a question on tcp 80 8080. Do I put the service port first and then the mapped port? For example, if I want to just surf to www, would 80 be first?

/H

Yes, you are right, Hilmar.

You can create as many servers as you like as long as the port does not conflict.

If you want to change the port number, then the real port comes first and the mapped port will come second.

Hello Jennifer,

I did exactly what you suggested, but it didn't work. Do I need to create a rule on my access list to permit this traffic?

Also, in my case, is it possible to have a port on a different public IP (in the same subnet) redirecting to an internal server, like Hilmar said?

I have 60 public IPs available, but I do not know how to configure them on this ASA box to accept incoming traffic and redirect it to my internal servers.

ETH0/0 = outside  = 189.xxx.xxx.129 - 189.xxx.xxx.189

Thanks,

/Aleandro

Hi Aleandro,

Yes, you would also need to configure an access-list on the outside interface to permit the traffic.

Yes, you can also use a different public IP redirecting to an internal server.

You can configure 1:1 static and here is an example:

object network obj-sipserver

   host 10.x.x.6

   nat (inside,outside) static 189.xxx.xxx.abc

Then access-list on the outside would say as follows:

access-list <acl-name> permit udp any object obj-sipserver eq 5060

access-list <acl-name> permit tcp any object obj-sipserver eq 5060

access-group <acl-name> in interface outside
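
An added example, not written by any poster in this thread: a Python check for a planned ASA 8.3+ object-NAT configuration that flags static PAT rules claiming the same mapped address, protocol and port, and published objects that have no permit on their real port. The sample config, its addresses and the ACL name OUTSIDE_IN are constructed, and the parser handles only the `static ... service` and `permit ... any object ... eq` forms used in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in ASA 8.3+ object-NAT syntax (hypothetical names and addresses).
SAMPLE = """\
object network obj-sipserver
 host 10.0.0.6
 nat (inside,outside) static interface service udp 5060 5060
object network obj-www
 host 10.0.0.61
 nat (inside,outside) static interface service tcp 80 8080
object network obj-www2
 host 10.0.0.62
 nat (inside,outside) static 198.51.100.11 service tcp 8080 8080
object network obj-dup
 host 10.0.0.63
 nat (inside,outside) static interface service tcp 8080 8080
access-list OUTSIDE_IN permit udp any object obj-sipserver eq 5060
access-list OUTSIDE_IN permit tcp any object obj-www eq 8080
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\d+) (\d+)")
ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit (tcp|udp) any object (\S+) eq (\d+)")

def parse(config):
    """Return (rules, permits): static PAT rules per object and (proto, object, port) permits."""
    rules, permits, obj = [], set(), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            obj = line.split()[2]
        elif (m := NAT_RE.match(line)) and obj:
            _, mapped_if, mapped_ip, proto, real, mapped = m.groups()  # real port first, mapped second
            rules.append(dict(obj=obj, key=(mapped_if, mapped_ip, proto, int(mapped)), proto=proto, real=int(real)))
        elif m := ACL_RE.match(line):
            permits.add((m[1], m[2], int(m[3])))
    return rules, permits

def audit(config):
    """List mapped-port conflicts and published objects with no ACL permit on the real port."""
    rules, permits = parse(config)
    by_key = defaultdict(list)
    for r in rules:
        by_key[r["key"]].append(r["obj"])
    conflicts = {k: v for k, v in by_key.items() if len(v) > 1}
    # From 8.3 on, interface ACLs match the real (untranslated) address and port.
    unpermitted = [r["obj"] for r in rules if (r["proto"], r["obj"], r["real"]) not in permits]
    return conflicts, unpermitted
```

In the sample, obj-www is reported as unpermitted because its permit names the mapped port 8080 while the real port is 80.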
