11-02-2011 11:44 AM - edited 03-11-2019 02:45 PM
I have a site with a web server (192.168.1.10) that needs 80 and 443. Then I have a phone system (192.168.1.11) that needs TFTP and RTP traffic (ports 10000-20000). Finally I have a terminal server needing RDP 3389. Now I only have one external IP address, which is fed via DHCP from the provider (I use DynDNS). What is the best solution to open and direct all of the ports to the appropriate server? I am really not looking forward to adding 10k NAT rules for all the RTP traffic.
11-02-2011 04:01 PM
Hello,
I assume that the IP is the one that is on the outside interface, right? I see a problem here: you will need to change the SSL port in order to access ASDM from the outside. But besides that, port forwarding can help you to overcome this issue:
8.4 code:
object service TFTP
 service udp source eq 69
object service RTP-PORTS
 service udp source range 10000 20000
object service HTTP
 service tcp source eq 80
object service HTTPS
 service tcp source eq 443
object service RDP
 service tcp source eq 3389
object network RDP-server
 host x.x.x.x
object network Web-server
 host 192.168.1.10
object network Voice-server
 host 192.168.1.11
nat (inside,outside) 1 source static Voice-server interface service RTP-PORTS RTP-PORTS
nat (inside,outside) 1 source static Voice-server interface service TFTP TFTP
nat (inside,outside) 1 source static Web-server interface service HTTPS HTTPS
nat (inside,outside) 1 source static Web-server interface service HTTP HTTP
nat (inside,outside) 1 source static RDP-server interface service RDP RDP
Where 1 is the position in the NAT list at which the line is reviewed by the ASA code to create the translations (also assuming the names of the interfaces are inside (LAN) and outside (WAN)).
In 8.2 code the NAT with a range of ports is not supported, which means you would need to add 10000 lines, not a very good idea, but the other ones will work like this:
static (inside,outside) tcp interface 3389 x.x.x.x 3389
static (inside,outside) udp interface 69 192.168.1.11 69
static (inside,outside) tcp interface 80 192.168.1.10 80
static (inside,outside) tcp interface 443 192.168.1.10 443
For versions 8.2 and below, in the access list you will need to allow traffic to the interface IP address itself; for versions 8.3 and newer, you will need to add an access-list pointing to the private IP.
Example for 8.2:
access-list inbound permit tcp any interface outside eq 80
Example for 8.3:
access-list inbound permit tcp any host 192.168.1.10 eq 80
Access-groups are applied the same way:
access-group inbound in interface outside
Here are some documents that will help you out.
Configuring NAT on the Security Appliance using version 8.4
https://supportforums.cisco.com/videos/1078
8.2 Vs 8.4 NAT statements:
https://supportforums.cisco.com/docs/DOC-12690
If you have any doubts, let me know.
Mike
05-06-2012 02:38 AM
Hi,
I just needed the same setup on my ASA, but this did not work on my ASA 8.4.
To make my NAT function right I needed to put:
This is for the server to listen to incoming on port 25.
Why does the setup
nat (inside,outside) 1 source static Web-server interface service HTTPS
not work?
I tried like the example:
nat (Byggmakker,Outside) source static *myprivateip* *my official ip* service FTP_nat FTP_nat
but it does not work. Why?
Br,
Tuva
05-06-2012 06:50 PM
Tuva,
That is because I have an error in the configuration I posted back in November. The correct statement uses the source keyword inside the object rather than destination. I am editing as I am typing.
object service HTTPS
 service tcp destination eq 443
Correct one:
object service HTTPS
 service tcp source eq 443
That is why it works for you if you put it as (outside,Byggmakker) and you specify the destination in the statement. Change the service object to source and it will work.
Mike
05-07-2012 01:14 AM
Thanks for the reply – does it really matter if I let it stay the way it is? ☺
Kind regards,
Tuva