12-13-2010 06:13 AM - edited 03-11-2019 12:21 PM
Hi there,
I have an ASA5520 firewall and have the following already in place:
name 123.123.123.123 EXTERNAL-NAT
access-list OUTSIDE_OUT extended permit tcp host EXTERNAL-NAT host xxx eq 5061
access-list OUTSIDE_OUT extended permit udp host EXTERNAL-NAT host xxx eq 3478
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT object-group PORTS
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT eq 3478
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT range 50000 59999
access-list OUTSIDE_IN extended permit udp host xxxx host EXTERNAL-NAT eq 3478
static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255
Is it possible to forward ports 443 + 8080 on the above NAT ip to a different server; whilst leaving the remaining forwarding to INTERNAL in place?
I believe that I will need some kind of PAT rule but syntax is escaping me at present.
Thanks in advance.
12-13-2010 06:18 AM
Hello,
Unfortunately, what you are doing on this NAT:
static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255
It's called 1-to-1 mapping, which matches all the ports to the internal IP. If you would like to redirect port 80 and 8080, you will have to change that statement from being a one-to-one mapping to a port forward statement, meaning, from that public IP you are going to forward only some ports to certain IPs in order to avoid having to map everything.
Here is a quick example:
no static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 80 Webserver 80 netmask 255.255.255.255
and so on, if you have questions, just let me know.
Cheers
Mike
12-13-2010 06:26 AM
Thanks very much Mike, that's worked a treat!
Cheers
12-14-2010 02:25 AM
Hi there,
Further to this, could anyone advise if it is possible to use port ranges within PAT statements?
Cheers
12-14-2010 04:41 AM
With the version of code you are running, you can't configure port ranges for the PAT statement.
With version 8.3 and above, you can. However, the NAT feature has completely changed from this version.
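Pulling the two answers together, here is the complete pre-8.3 rule set the thread implies, as an added example that is not from any of the posts above. Once the 1-to-1 static is gone, only ports with their own static remain reachable from outside, so every port the OUTSIDE_IN ACL permits needs a matching line. The dmz addresses of INTERNAL and Webserver, the Webserver name itself, and the two extra ACL lines are assumptions; the contents of object-group PORTS are not on the page.

```cisco
! Constructed dmz addresses for the two hosts behind EXTERNAL-NAT (assumed values)
name 10.10.10.10 INTERNAL
name 10.10.10.20 Webserver
!
! 1. Remove the 1-to-1 mapping; port statics cannot share the mapped address with it
no static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255
!
! 2. Re-create, port by port, what OUTSIDE_IN already permits towards INTERNAL
static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255
static (dmz,outside) udp EXTERNAL-NAT 3478 INTERNAL 3478 netmask 255.255.255.255
!    add one tcp line per port listed in object-group PORTS (not shown on the page)
!    the udp 50000-59999 range cannot be written as a range on this version,
!    so it would need one statement per port; see the follow-up answer above
!
! 3. The two ports that now go to the other server
static (dmz,outside) tcp EXTERNAL-NAT 443 Webserver 443 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 8080 Webserver 8080 netmask 255.255.255.255
!
! 4. The inbound ACL must permit the new ports (skip if PORTS already contains them)
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 443
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 8080
!
! 5. Translations built under the old 1-to-1 static survive until cleared;
!    clear only the ones for this mapped address rather than the whole table
clear xlate global 123.123.123.123
!
! 6. Verify that each forwarded port appears as its own translation
show xlate
show run static
```

The 8.3+ syntax mentioned in the last answer is a different NAT model and is not shown here.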