ASA 5520, fw8.3 -->> NAT + Port Forward <<--

sorin.dab
Level 4

I am facing a problem with the new ASA fw 8.3. I am trying to create a port forward that would allow me to forward a specific port from the outside to the inside, but also NAT from the inside, all UDP + TCP established for internet access, but this new fw will not let me ...

I have the following setup

Internet -> ASA -> Server

Internet : http://www.mysite.com
ASA : Translate 190.0.0.1 to 10.0.0.1 from port 80 to port 8080 internal
Server : I have port 8080 open and I also need full UDP internet access through IP 190.0.0.1; also all established TCP sessions must go through the ASA .. :doh:

I managed just to port forward 8080 to 80 ... but when I try to add the DNS service and all UDP, everything comes crashing ... if I add the second object group it only accepts that one and drops my previous 8080 to 80 redirect ... do I have to buy a router to do the job? :squint:


object network mysite.com-80
   host 10.0.0.1

object network mysite.com-dns
   host 10.0.0.1

object network mysite.com-80
   nat (inside,outside) static 190.0.0.1 service tcp 8080 www

object network mysite.com-dns
   nat (inside,outside) static 190.0.0.1 service dns

help ?!

Accepted Solution

OK, keep the PAT rule and have your host belong to the dynamic NAT config you have for the internal hosts going out.

object network mysite.com-80
   nat (inside,outside) static 190.0.0.1 service tcp 8080 www

object network
   nat (inside,outside) dynamic interface

Then the host will be PATted when going out and PATted for the 8080 ports.

I hope it solves it now.

Panos
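The accepted approach written out end to end, as an added example (not the poster's or Panos's config): static PAT for the single published port, interface PAT for everything else the host sends out, and the inbound ACL the thread mentions. The object name inside-net, the subnet mask and the ACL name outside_in are assumptions; host, mapped address and ports are the ones from the thread.

```text
! Static PAT: outside 190.0.0.1:80 -> inside 10.0.0.1:8080 (and the reverse
! for replies). In ASA 8.3 object NAT this rule is evaluated before any
! dynamic rule in the same section, so it is not "dropped" by the rule below.
object network mysite.com-80
 host 10.0.0.1
 description Web server, real port 8080, published as 190.0.0.1:80
 nat (inside,outside) static 190.0.0.1 service tcp 8080 www

! Assumed object for the inside subnet; 10.0.0.1 is a member, so all of its
! other outbound TCP/UDP/ICMP (DNS included) is PATted behind the outside
! interface address. The host does NOT appear as 190.0.0.1 on the way out;
! for that, a static 1-1 rule is needed instead (see the later reply).
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 8.3 and later: the inbound ACL matches the REAL address and REAL port
! (10.0.0.1:8080), not the mapped 190.0.0.1:80.
access-list outside_in extended permit tcp any object mysite.com-80 eq 8080
access-group outside_in in interface outside

! Verify which rule each flow hits and in what order the ASA evaluates them.
show nat detail
! Outside client (198.51.100.10, a constructed test address) to the published port:
packet-tracer input outside tcp 198.51.100.10 40000 190.0.0.1 80
! Outbound DNS from the server, expected to take the interface PAT rule:
packet-tracer input inside udp 10.0.0.1 50000 8.8.8.8 53
```

The two packet-tracer runs should show the NAT phase selecting the static PAT rule for the inbound web flow and the dynamic interface rule for the outbound DNS flow; if the inbound flow is dropped at the ACL phase, the ACL is still written against the mapped port or address.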


6 Replies

Kureli Sankar
Cisco Employee

It should be

object network mysite.com-dns
   nat (inside,outside) static 190.0.0.1 service udp dns dns

refer: https://supportforums.cisco.com/docs/DOC-9129

-KS

That did not work. After adding that line I still don't have ICMP/DNS .. and other services from the server to the outside ... basically only the port forward works, NAT from inside -> outside fails.

If you don't just want to PAT and you want to NAT (all ports for this host) inbound and outbound, you will need

object network mysite.com-dns
   nat (inside,outside) static 190.0.0.

Also, make sure your outside ACL permits traffic to the local IP of mysite.com-dns.

Let us know if it helps.

PK

That does not fix my problem.

So, to quickly review:

I have a web server running on port 8080 that I want port forwarded to the external port 80 so the website works, and at the same time have NAT working so that the server has internet access via NAT. If I add that line nat (inside,outside) static 190.0.0. it only takes that one and ignores the port forward ...

I have the ACL permitting the local IP ...


Are you asking how to make the inside host look like 190.0.0.1 when it goes out, as well as do the PAT 8080 to 80? If so you need to have both as "manual nat". Make sure to add the PAT line before the static 1-1.

object network mysite.com-80
   nat (inside,outside) static 190.0.0.1 service tcp 8080 www

object network mysite.com
   nat (inside,outside) static 190.0.0.1

Make sure to create an object mysite.com and have the same host inside it as the mysite.com-80 object.

-KS
