07-12-2016 07:10 PM - edited 03-12-2019 01:01 AM
I need to configure an ASA so that traffic for an internal server, say 192.168.1.250 port 8801, can be accessed using the public IP. I want only specifically the ports needed to be routed to this internal server address. If I add a static NAT route in the ASDM that doesn't specify any PAT then it works, but it routes all ports when using the external IP internally. As soon as I enable the PAT setting and specify the TCP port it no longer works.
07-12-2016 10:02 PM
Hi
Can you share the config snippet?
You just need to have a static PAT statement:
static (inside,outside)
This statement would only use the port 8081 and in addition to this you need to open an
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-13-2016 08:26 PM
Hi,
The interface would need to be inside, inside would it not?
We're trying to access a server on the internal network but use the public IP address. So, hairpinning: the ASA needs to take the traffic, say from a device on the LAN network which is accessing a server on that LAN, but via the public IP address.
So 192.168.1.100 (client) is accessing 192.168.1.200:8801 on the public IP of, say, 64.25.24.12:8801. Both the client and the server are on the same LAN, but must be accessed via the public IP, and split DNS isn't an option.
The NAT route works as long as I don't specify PAT forwarding. When I create the rule in ASDM Configuration > Firewall > NAT Rules > Add:
Original: Interface inside
Source: 192.168.5.250 (Server IP)
Translate: Interface inside
Use IP Address: 75.75.75.75 (Example Public IP)
Then select OK; it forwards all traffic that you send to the public IP internally to the server, no problem. But I don't want it to forward all local traffic, only traffic on the specific port 8801. If there's no other rule set up for another port then it shouldn't hairpin it.
However, if on that same rule I tell it to do PAT, give it the TCP ports and apply it, it no longer works.
07-13-2016 10:16 PM
Hi
Please use the following config:
static (inside,inside) tcp <public> <port> <web server private IP> <port>
and also same-security-traffic permit intra-interface
Regards,
Aditya
Please rate helpful posts and mark correct answers.
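A worked configuration for the hairpin described in the answer above, added here as an example and not taken from the thread. It assumes the values used in the question (server 192.168.1.250, public IP 64.25.24.12, tcp/8801, interfaces named inside and outside), shows the pre-8.3 static form given in the answer, and additionally (an assumption about the ASA version, since ASDM rules of that shape are generated on 8.3 and later) the equivalent object NAT form.

```cisco
! Added example; constructed values, not the poster's real config.
! Server 192.168.1.250, public IP 64.25.24.12, only tcp/8801 is published.

! Needed in every variant: let a flow enter and leave the same interface.
same-security-traffic permit intra-interface

! --- Pre-8.3 syntax (the form in the answer above) ---
! Hairpin: an inside client connecting to 64.25.24.12:8801 is translated
! to 192.168.1.250:8801. Other ports to 64.25.24.12 match nothing here.
static (inside,inside) tcp 64.25.24.12 8801 192.168.1.250 8801 netmask 255.255.255.255
! Normal publishing of the same port toward the Internet.
static (inside,outside) tcp 64.25.24.12 8801 192.168.1.250 8801 netmask 255.255.255.255

! --- 8.3 and later syntax (assumed equivalent of the ASDM rule) ---
object network SRV-8801
 host 192.168.1.250
 nat (inside,inside) static 64.25.24.12 service tcp 8801 8801
! A second object (or a twice-NAT line) is needed for the (inside,outside)
! publish, because one network object holds only one nat statement.

! --- Optional source translation (assumption, not in the thread) ---
! When client and server share a subnet, the server's reply would go
! straight back to the client's real address and bypass the ASA, so the
! client sees a reply from 192.168.1.250 instead of 64.25.24.12 and drops
! it. PAT-ing the source to the inside interface keeps both directions
! on the ASA.
object service TCP-8801
 service tcp destination eq 8801
object network PUB-8801
 host 64.25.24.12
nat (inside,inside) source dynamic any interface destination static PUB-8801 SRV-8801 service TCP-8801 TCP-8801
```

Check the result with `show nat` (the hairpin line should show translate_hits climbing when an inside client connects to 64.25.24.12:8801) and `show conn` for the connection itself; if the connection is built but never completes, the missing source translation in the last stanza is the usual cause.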
07-13-2016 10:40 PM
I believe this would do the same as what I mentioned in ASDM? It seems that if you don't specify a port when doing the setting in ASDM it works, but as soon as you do it by specifying a port it doesn't work. Would there be an ACL or something preventing it from working when you specify a port vs. just having it forward all traffic?