02-05-2013 04:23 AM - edited 03-11-2019 05:56 PM
Hello All,
I'm having an issue setting up access through our firewall for external usage. I'm not sure if it's even possible.
So....
We have 1 external IP, say 80.80.80.80.
We have 3 internal Servers (10.0.0.1, 10.0.0.2, 10.0.0.3), 2 running web apps on ports 443 and one on 445.
We have 2 external locations (source IPs) London (50.50.50.50), Reading (60.60.60.60).
I want to be able to match the source address, either London or Reading, and direct it to the correct internal server, so 10.0.0.1 is for London and 10.0.0.2 is for Reading, both using the same IP and ports?
Is this possible? Can the NAT rules match on source IP?
Cheers
Craig
02-05-2013 04:38 AM
Hi,
Below are some configurations I tested when a similar question was asked on these forums.
In the below configurations I attempted to test a situation where the source address from the public network would define which NAT would be used and therefore to which LAN host the connection would be forwarded. Also, the situation was limited to using only the single IP address configured on the ASA "outside/WAN" interface.
To my understanding this solution is hardly ideal when considering the firewall operation. I think the firewall actually warns about the overlaps and actually shows overlapping translations on the firewall.
Still, I was able to test this from 2 different external hosts at the same time on my home network and it was working. I haven't tested this in active use, so I can't say for certain what kind of problems you might run into, or if there are perhaps problems with the operation when multiple hosts are connecting and attempting all the different connections the NAT configurations are used for.
So below are the example configurations and later the clarifications on what they are supposed to do. This should be easy to apply to your specific setup.
EDIT: The naming and parameters referring to destination and source might be a bit confusing. Naturally you can use the object names that make the most sense to you.
object network SOURCE1
 host 1.2.3.4
object network SOURCE2
 host 5.6.7.8
object network SERVER1
 host 10.10.10.10
object network SERVER2
 host 10.10.10.20
object service VNC
 service tcp source eq 5900
nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
access-list WAN-IN extended permit tcp object SOURCE1 object SERVER1 eq 5900
access-list WAN-IN extended permit tcp object SOURCE2 object SERVER2 eq 5900
access-group WAN-IN in interface WAN
Where
The above NAT commands basically state that
Hopefully the information has been helpful.
- Jouni
02-05-2013 06:03 AM
Hi Jouni,
This sounds along the right lines, but where are you specifying the external IP of the ASA?
Is this possible to do with more than 1 IP assigned to the ASA, as in the above setup twice? So 4 sources, 2 connecting to 1 external IP and another 2 to a different external IP, then forwarding to 4 different servers?
Cheers
Craig
02-05-2013 06:20 AM
Hi,
The external IP address is specified by the keyword "interface" in the NAT configurations. In other words, it uses the ASA interface IP address. In my above case it would be the public IP address of the "WAN" interface.
I can't see any problem using multiple IP addresses. The configuration format of the NAT changes only a bit, naturally.
I would see the overlapping of the NAT configurations as the "big question" as to whether this will be a stable configuration in a production environment.
So to give you an example of using different IP addresses for the NAT configuration, the configuration could look something like this (if I understood correctly, that is):
object network SOURCE1
 host 1.2.3.4
object network SOURCE2
 host 5.6.7.8
object network SOURCE3
 host 9.10.11.12
object network SOURCE4
 host 13.14.15.16
object network SERVER1
 host 10.10.10.10
object network SERVER2
 host 10.10.10.20
object network SERVER3
 host 10.10.10.30
object network SERVER4
 host 10.10.10.40
object service VNC
 service tcp source eq 5900
object network PUBLIC-IP-2
 host x.x.x.x
nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
nat (LAN,WAN) source static SERVER3 PUBLIC-IP-2 destination static SOURCE3 SOURCE3 service VNC VNC
nat (LAN,WAN) source static SERVER4 PUBLIC-IP-2 destination static SOURCE4 SOURCE4 service VNC VNC
And the corresponding ACL statements to open the traffic.
Where
I have to say that I haven't labbed this exact situation (I might be able to at some point), but I'd expect it to work just like the previous setup I have tested briefly. But again, I have to stress that I'm not sure how this performs in a production environment in constant use.
Hopefully the above information has been helpful. Please rate if helpful and ask more if needed, of course.
If you do get to test this and see that it's working, please mark the question as answered.
- Jouni
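The two configurations above (the single-interface-IP version and the two-public-IP version) both rely on one idea: the inbound connection is matched on the external host's address as well as the public IP and port, and the first matching NAT line decides which LAN server receives it. The Python below is an added illustration of that matching logic, written for this thread; it is not code from the thread, from Cisco, or from any ASA, and it models only the rule order and the "real-address" ACL check, not the ASA's data plane. The WAN interface address (203.0.113.1) and the value behind the "x.x.x.x" placeholder for PUBLIC-IP-2 (203.0.113.2) are assumed, constructed values; the object names, the hosts and the rule lines follow the second configuration in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values mirroring the thread's objects (not a real deployment).
OBJECTS = {
    "SOURCE1": "1.2.3.4", "SOURCE2": "5.6.7.8",
    "SOURCE3": "9.10.11.12", "SOURCE4": "13.14.15.16",
    "SERVER1": "10.10.10.10", "SERVER2": "10.10.10.20",
    "SERVER3": "10.10.10.30", "SERVER4": "10.10.10.40",
    "PUBLIC-IP-2": "203.0.113.2",  # assumed value for the thread's x.x.x.x
}
WAN_INTERFACE_IP = "203.0.113.1"   # assumed address behind the "interface" keyword


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (LAN,WAN) source static REAL MAPPED destination static EXT EXT service S S' line."""
    real_src: str    # LAN server object (real address)
    mapped_src: str  # "interface" or a public-IP object (mapped address)
    ext_host: str    # external host object; identical on real and mapped side
    port: int        # the server's listening port ("service tcp source eq 5900")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


# Same order as in the thread; manual NAT is evaluated top-down, first match wins.
RULES: List[TwiceNat] = [
    TwiceNat("SERVER1", "interface", "SOURCE1", 5900),
    TwiceNat("SERVER2", "interface", "SOURCE2", 5900),
    TwiceNat("SERVER3", "PUBLIC-IP-2", "SOURCE3", 5900),
    TwiceNat("SERVER4", "PUBLIC-IP-2", "SOURCE4", 5900),
]

# The WAN-IN ACL: (source object, destination object, port), written against real addresses.
ACL: List[Tuple[str, str, int]] = [
    ("SOURCE1", "SERVER1", 5900), ("SOURCE2", "SERVER2", 5900),
    ("SOURCE3", "SERVER3", 5900), ("SOURCE4", "SERVER4", 5900),
]


def resolve(name: str) -> str:
    """Map an object name (or the 'interface' keyword) to an address."""
    return WAN_INTERFACE_IP if name == "interface" else OBJECTS[name]


def inbound_translate(pkt: Packet) -> Tuple[Optional[TwiceNat], Optional[Packet]]:
    """Seen from WAN, an inbound packet must come from the rule's external host and be
    addressed to the rule's mapped public IP and port; the destination is then untranslated
    to the real server address. Rules are walked in order and the first hit wins."""
    for rule in RULES:
        if (pkt.src_ip == resolve(rule.ext_host)
                and pkt.dst_ip == resolve(rule.mapped_src)
                and pkt.dst_port == rule.port):
            return rule, Packet(pkt.src_ip, resolve(rule.real_src), pkt.dst_port)
    return None, None


def acl_permits(real_pkt: Packet) -> bool:
    """ACLs on the WAN interface are checked against the untranslated (real) addresses."""
    return any(OBJECTS[s] == real_pkt.src_ip and OBJECTS[d] == real_pkt.dst_ip
               and p == real_pkt.dst_port for s, d, p in ACL)


def forward(pkt: Packet) -> str:
    """Full inbound decision: NAT match first, then the interface ACL on the real packet."""
    rule, real = inbound_translate(pkt)
    if rule is None:
        return "drop: no NAT match"
    if not acl_permits(real):
        return "drop: ACL"
    return f"forward to {real.dst_ip}:{real.dst_port}"


def overlapping_rules() -> List[Tuple[str, str, Tuple[str, int]]]:
    """List rule pairs that publish the same public IP and port. These are the overlaps the
    thread talks about: only the external-host match tells them apart."""
    first_seen = {}
    overlaps = []
    for rule in RULES:
        key = (resolve(rule.mapped_src), rule.port)
        if key in first_seen:
            overlaps.append((first_seen[key].real_src, rule.real_src, key))
        else:
            first_seen[key] = rule
    return overlaps


if __name__ == "__main__":
    for p in (Packet("1.2.3.4", WAN_INTERFACE_IP, 5900),
              Packet("5.6.7.8", WAN_INTERFACE_IP, 5900),
              Packet("9.10.11.12", OBJECTS["PUBLIC-IP-2"], 5900),
              Packet("9.10.11.12", WAN_INTERFACE_IP, 5900)):
        print(p, "->", forward(p))
    print("overlapping public endpoints:", overlapping_rules())
```

Running it shows SOURCE1 and SOURCE2 both reaching the WAN interface address on 5900 but landing on different servers, SOURCE3 reaching SERVER3 only through PUBLIC-IP-2, and the same SOURCE3 host being dropped when it targets the interface address instead, because no rule pairs that external host with that public IP. `overlapping_rules()` reports the two public endpoints that are shared between rule pairs, which is a useful thing to review before putting such a configuration into production.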
02-05-2013 06:33 AM
Cheers Jouni,
What do you think the issues might be with the overlapped NAT? If it matches on source IP, then surely they are different NATs?
Craig
02-05-2013 06:38 AM
Hi,
When I originally used my home "lab" to test this setup out, I only did some limited checking of how the ASA views these translations in the xlate table.
When I briefly tested the setup with VNC connections from 2 different external hosts at the same time, I got the feeling that the connections were a bit laggy and unresponsive at times. That's why I'm kind of hesitant in recommending this, at least until I have tested it more.
I do see your logic on the source IP address making sure that it truly isn't overlapping with something, and that would be how I would personally expect it to work too. But I'm too paranoid to say anything for sure until I have tested it.
- Jouni