ASA 5520 NAT/PAT issue

Dale Sanderson
Level 1

Hi there,

I have an ASA5520 firewall and have the following already in place :

name 123.123.123.123 EXTERNAL-NAT
access-list OUTSIDE_OUT extended permit tcp host EXTERNAL-NAT host xxx eq 5061
access-list OUTSIDE_OUT extended permit udp host EXTERNAL-NAT host xxx eq 3478
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT object-group PORTS
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT eq 3478
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT range 50000 59999
access-list OUTSIDE_IN extended permit udp host xxxx host EXTERNAL-NAT eq 3478
static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

Is it possible to forward ports 443 + 8080 on the above NAT IP to a different server, whilst leaving the remaining forwarding to INTERNAL in place?

I believe that I will need some kind of PAT rule, but the syntax is escaping me at present.

Thanks in advance.

Accepted Solution

Maykol Rojas
Cisco Employee

Hello,

Unfortunately, what you are doing on this NAT

static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

It's called 1-to-1 mapping, which matches all the ports to the internal IP. If you would like to redirect ports 80 and 8080, you will have to change that statement from being a one-to-one mapping to a port-forward statement, meaning that from that public IP you are going to forward only some ports to certain IPs, in order to avoid having to map everything.

Here is a quick example:

no static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255

static (dmz,outside) EXTERNAL-NAT 80 Webserver 80 netmask 255.255.255.255

And so on. If you have questions, just let me know.

Cheers

Mike


4 Replies


Thanks very much Mike, that's worked a treat!

Cheers

Hi there,

Further to this, could anyone advise if it is possible to use port ranges within PAT statements?

Cheers

With the version of code you are running, you can't configure port ranges for the PAT statement.

With version 8.3 and above, you can. However, the NAT feature has completely changed from this version.
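As an added example that is not from the thread, a small Python check of the point Mike makes above together with the port-range caveat: once the 1:1 static is replaced by per-port statics, any port the inbound ACL still permits to the public address but no static translates has no translation on the ASA and is dropped, and on pre-8.3 code a range such as udp 50000-59999 would need one static per port. The config text is constructed from the thread's rules; Webserver is an assumed name for the second DMZ host, and object-group ACL entries are ignored.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's rules after the accepted answer is applied.
# "Webserver" is a hypothetical second DMZ host; the 1:1 static has been removed.
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 5061
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 443
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 8080
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT eq 3478
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT range 50000 59999
static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255
static (dmz,outside) udp EXTERNAL-NAT 3478 INTERNAL 3478 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 443 Webserver 443 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 8080 Webserver 8080 netmask 255.255.255.255
"""
# Inbound ACL entry with a single port (eq) or a port range; object-group lines are skipped.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) (?:any|host \S+) "
                    r"host (\S+) (?:eq (\d+)|range (\d+) (\d+))$")
# Pre-8.3 static: either per-port PAT "tcp|udp PUBLIC PORT REAL PORT" or 1:1 "PUBLIC REAL".
STATIC_RE = re.compile(r"^static \(\S+\) (?:(tcp|udp) (\S+) (\d+) \S+ \d+|(\S+) \S+) netmask")

def collapse(ports):
    """Collapse port numbers into sorted inclusive (low, high) ranges."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

def untranslated_ports(config, acl_name, public_name):
    """Ports the inbound ACL permits to public_name that no static translates."""
    permitted, translated = defaultdict(set), defaultdict(set)
    for line in config.strip().splitlines():
        acl = ACL_RE.match(line)
        if acl and acl.group(1) == acl_name and acl.group(3) == public_name:
            proto, eq, lo, hi = acl.group(2), acl.group(4), acl.group(5), acl.group(6)
            permitted[proto].update([int(eq)] if eq else range(int(lo), int(hi) + 1))
            continue
        st = STATIC_RE.match(line)
        if st and st.group(4) == public_name:      # 1:1 static covers every port
            for proto in ("tcp", "udp"):
                translated[proto].update(range(1, 65536))
        elif st and st.group(2) == public_name:    # per-port static PAT
            translated[st.group(1)].add(int(st.group(3)))
    return {proto: collapse(permitted[proto] - translated[proto])
            for proto in permitted if permitted[proto] - translated[proto]}
```

Run against the sample it reports the udp 50000-59999 range as permitted but untranslated; adding the original 1:1 static back makes the report empty.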
