
ASA NAT setup question

dstjames123
Level 1

I am converting from a Symantec enterprise firewall to a Cisco ASA 5510. Currently I have it set up so that any traffic destined for my external firewall port using port 80 gets directed to a web server and anything using port 25 gets directed to my SMTP mail server. How do I set this up in the ASA? Do I have to use 2 external IPs, each NATted to the proper IP, or can I share one like I am currently doing?

I have a few extra public IPs. I added one of them as a host and tried to configure it to NAT to my internal web server and created a rule allowing port 80 traffic from any external entity to this web server. Every time I test it I get a TCP SYN timeout.

I am a beginner with the Cisco so I assume it's something I am doing wrong. Anyone have any advice?

2 Replies

varakantam
Level 1

I am not sure how it can be done in ASA, but it should be similar to how it is done in FWSM/PIX. What you need is Static PAT, where you map the same global IP to different ports on individual app servers internally.

The following example would give you a better idea about things:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/nat.htm#wp1159124

Hope this helps

Thanks for the link. I think I have added the PAT lines I need but now I am getting ACL errors. I created a rule allowing all TCP port 80 traffic from the outside to my internal web server at 192.168.1.10. But I keep getting a "TCP access denied by ACL" from 192.168.1.49/1787 (my IP) to inside 69.220.58.91/80 (the IP of my external port on the firewall). Here are my access rules:

access-list outside_access_in extended permit tcp any host 69.220.58.91 eq www

access-list outside_access_out extended permit tcp host 69.220.58.91 any eq www

Again, this is how it is set up on my Symantec firewall so I don't understand why it doesn't work on the Cisco.
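
An added example, not part of the original thread: one way the static PAT suggested above could look on an ASA, sharing the outside interface address between the web and mail servers. It assumes ASA software earlier than 8.3, interfaces named inside and outside, and a constructed mail server address of 192.168.1.20; 192.168.1.10 and 69.220.58.91 are the addresses given in the thread.

```cisco
! Assumes ASA software earlier than 8.3 (static command syntax) and
! interfaces named "inside" and "outside".
! 192.168.1.10 is the web server from the thread; 192.168.1.20 is a
! constructed placeholder for the SMTP server.

! Static PAT: one public address (the outside interface IP), split by port.
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255

! Inbound ACL: before 8.3 the ACL matches the translated (public) address.
! Permit only the two published ports; everything else hits the implicit deny.
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside

! Checks after applying the configuration:
! show xlate                            (lists the two port translations)
! show access-list outside_access_in    (hit counts per permit line)
! Simulate an inbound connection from a constructed outside source address:
! packet-tracer input outside tcp 198.51.100.10 1025 69.220.58.91 80
```

These translations apply to connections arriving on the outside interface, so test from a host outside the firewall. Publishing only ports 80 and 25 keeps the rest of each server unreachable from the internet.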
