Dale Sanderson
Beginner

ASA 5520 NAT/PAT issue

Hi there,

I have an ASA5520 firewall and have the following already in place:

name 123.123.123.123 EXTERNAL-NAT
access-list OUTSIDE_OUT extended permit tcp host EXTERNAL-NAT host xxx eq 5061
access-list OUTSIDE_OUT extended permit udp host EXTERNAL-NAT host xxx eq 3478
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT object-group PORTS
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT eq 3478
access-list OUTSIDE_IN extended permit udp any host EXTERNAL-NAT range 50000 59999
access-list OUTSIDE_IN extended permit udp host xxxx host EXTERNAL-NAT eq 3478
static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

Is it possible to forward ports 443 + 8080 on the above NAT ip to a different server; whilst leaving the remaining forwarding to INTERNAL in place?

I believe that I will need some kind of PAT rule but syntax is escaping me at present.

Thanks in advance.

Accepted Solution
Maykol Rojas
Cisco Employee

Hello,

Unfortunately, what you are doing on this NAT

static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

is called a one-to-one mapping, which maps all the ports to the internal IP. If you would like to redirect port 80 and 8080, you will have to change that statement from being a one-to-one mapping to a port-forward statement, meaning that from that public IP you are going to forward only some ports to certain IPs, in order to avoid having to map everything.

Here is a quick example:

no static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 80 Webserver 80 netmask 255.255.255.255

and so on, if you have questions, just let me know.

Cheers

Mike

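The complete conversion for the ports the original poster actually asked about (443 and 8080 to a second server, everything else staying with INTERNAL), written out as an added example in the same pre-8.3 static syntax the thread uses. This is not configuration from the original post or from Cisco; the name Webserver, its address 10.10.10.20, and the assumption that it sits on the dmz interface are placeholders you must replace with your own values.

```cisco
! Added example (not from the original thread). Addresses and the server name are placeholders.

! 1. Remove the one-to-one mapping so the public address can carry per-port statics.
no static (dmz,outside) EXTERNAL-NAT INTERNAL netmask 255.255.255.255

! 2. Name the second server (placeholder address; assumed to be on the dmz interface).
name 10.10.10.20 Webserver

! 3. Keep the existing services on INTERNAL, one static per protocol/port.
!    Each port permitted by OUTSIDE_IN needs a matching static or the packet has
!    no translation and is dropped before the ACL is even consulted.
static (dmz,outside) tcp EXTERNAL-NAT 5061 INTERNAL 5061 netmask 255.255.255.255
static (dmz,outside) udp EXTERNAL-NAT 3478 INTERNAL 3478 netmask 255.255.255.255

! 4. Redirect only 443 and 8080 on the same public address to the second server.
static (dmz,outside) tcp EXTERNAL-NAT 443 Webserver 443 netmask 255.255.255.255
static (dmz,outside) tcp EXTERNAL-NAT 8080 Webserver 8080 netmask 255.255.255.255

! 5. Permit the redirected ports inbound (the existing OUTSIDE_IN rules only cover
!    object-group PORTS, udp/3478 and the udp 50000-59999 range).
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 443
access-list OUTSIDE_IN extended permit tcp any host EXTERNAL-NAT eq 8080

! 6. Clear stale translations built under the old one-to-one mapping and verify.
clear xlate
show xlate
packet-tracer input outside tcp 203.0.113.5 12345 123.123.123.123 443
```

Two caveats before applying this. First, a per-port static takes a single port per line, so the existing udp 50000-59999 rule in OUTSIDE_IN (and every member of object-group PORTS) has to be covered individually; a 10,000-port range is not practical to express this way, so if INTERNAL genuinely needs that range the cleaner design is to keep the one-to-one mapping and give the web server its own public address. Second, the one-to-one static also translated INTERNAL's outbound traffic to EXTERNAL-NAT; per-port statics only translate outbound flows whose source port matches, so the OUTSIDE_OUT rules keyed on host EXTERNAL-NAT will stop matching sessions that INTERNAL initiates from ephemeral ports unless a separate outbound translation is added. The packet-tracer line at the end uses a constructed source address (203.0.113.5) and checks that a new 443 connection now lands on the web server rather than on INTERNAL.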

Maykol Rojas
Cisco Employee