10-16-2013 07:45 AM - edited 03-11-2019 07:52 PM
Dear all. I am using ASA 8.6. I would like to redirect the public IP 1.1.1.1 to the internal server 192.168.1.1 for ports 80 and 443 only. Is the configuration below correct for what I need to put on the ASA? Please advise.
object-group service internet-port tcp
port-object eq www
port-object eq https
object network test-server
host 192.168.1.1
object network test-server
nat (inside,outside) static 1.1.1.1 object-group internet-port
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 100 extended permit object-group TCPUDP any object test-server object-group internet-port
access-group 100 in interface outside
10-16-2013 08:40 AM
Hi,
I don't think you can use the configuration you mentioned.
You would have to create 2 separate Static PAT (Port Forward) configurations:
object network STATIC-PAT-TCP80
host 192.168.1.1
nat (inside,outside) static 1.1.1.1 service tcp 80 80
object network STATIC-PAT-TCP443
host 192.168.1.1
nat (inside,outside) static 1.1.1.1 service tcp 443 443
I would also suggest an ACL name that refers to the actual interface:
access-list OUTSIDE-IN remark Allow HTTP and HTTPS
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP80 eq 80
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP443 eq 443
access-group OUTSIDE-IN in interface outside
It's not quite clear if you have a free public IP address for this server or you would use the current "outside" interface IP address. If you have a free public IP address you could just configure static NAT:
object network STATIC-NAT
host 192.168.1.1
nat (inside,outside) static 1.1.1.1
access-list OUTSIDE-IN remark Allow HTTP and HTTPS
access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 80
access-list OUTSIDE-IN permit tcp any object STATIC-NAT eq 443
access-group OUTSIDE-IN in interface outside
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
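The two shapes Jouni describes (one object-NAT statement per forwarded port, or one static NAT for the whole host with the ACL limiting the ports) can be generated and sanity-checked mechanically. The script below is an added example, not Cisco code or anything from this thread: it renders ASA 8.3+ style configuration for a port forward and then lints a config text for two mistakes that make such forwards silently fail, namely more than one `nat` statement under the same `object network` (an object holds only one NAT rule, so the second port never gets forwarded) and an access-list that permits traffic to the mapped public IP instead of the real inside IP (on 8.3+ the ACL is evaluated against the real address). The `Forward` class, the object naming scheme and the `BAD_CONFIG` sample are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical helper type (not ASA syntax): one inbound publication of an inside host.
@dataclass(frozen=True)
class Forward:
    public_ip: str             # mapped (outside) address, e.g. 1.1.1.1
    real_ip: str               # inside host, e.g. 192.168.1.1
    ports: tuple               # TCP ports to expose
    full_static: bool = False  # True: one-to-one static NAT, ACL restricts the ports


def render(fwd, acl="OUTSIDE-IN", inside="inside", outside="outside"):
    """Return ASA 8.3+ object-NAT configuration lines for one forward.

    Static PAT: a distinct 'object network' per port, each carrying its own
    'nat ... service tcp <port> <port>'.  Static NAT: one object for the host
    and the ACL decides which ports are reachable.  Either way the ACL
    references the real (inside) address through the object, as 8.3+ expects.
    """
    lines, acl_objs = [], []
    tag = fwd.real_ip.replace(".", "-")
    if fwd.full_static:
        obj = f"STATIC-NAT-{tag}"
        lines += [f"object network {obj}",
                  f" host {fwd.real_ip}",
                  f" nat ({inside},{outside}) static {fwd.public_ip}"]
        acl_objs = [(obj, p) for p in fwd.ports]
    else:
        for p in fwd.ports:
            obj = f"STATIC-PAT-TCP{p}-{tag}"
            lines += [f"object network {obj}",
                      f" host {fwd.real_ip}",
                      f" nat ({inside},{outside}) static {fwd.public_ip} service tcp {p} {p}"]
            acl_objs.append((obj, p))
    ports = ",".join(str(p) for p in fwd.ports)
    lines.append(f"access-list {acl} remark Allow TCP {ports} to {fwd.real_ip}")
    for obj, p in acl_objs:
        lines.append(f"access-list {acl} extended permit tcp any object {obj} eq {p}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def lint(config_text):
    """Return a list of findings (empty means clean) for two classic 8.3+ errors:
    several 'nat' statements under one object network, and an access-list
    that names the mapped public IP instead of the real inside IP."""
    nats = {}        # object network name -> number of object-NAT statements
    mapped = set()   # public IPs used as static mapped addresses
    current = None
    lines = [raw.strip() for raw in config_text.splitlines()]
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]          # re-entering an object continues it
        elif line.startswith("nat (") and current and " source " not in line:
            nats[current] = nats.get(current, 0) + 1   # object NAT, not twice NAT
            m = re.search(r"static (" + _IPV4 + ")", line)
            if m:
                mapped.add(m.group(1))
        elif line.startswith("object ") or line.startswith("access-list "):
            current = None                     # left the object network block
    findings = [f"object network {o} has {n} nat statements; an object holds only one NAT rule, use one object per port"
                for o, n in nats.items() if n > 1]
    for line in lines:
        if line.startswith("access-list "):
            for ip in mapped:
                if f"host {ip}" in line:
                    findings.append(f"ACL permits mapped IP {ip}; on 8.3+ permit the real IP instead: {line}")
    return findings


# Constructed sample: both ports hung off the same object, ACL written to the public IP.
BAD_CONFIG = """\
object network WEB-SERVER
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 80 80
object network WEB-SERVER
 nat (inside,outside) static 1.1.1.1 service tcp 443 443
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.1 eq 80
access-group OUTSIDE-IN in interface outside
"""

if __name__ == "__main__":
    print("\n".join(render(Forward("1.1.1.1", "192.168.1.1", (80, 443)))))
    for f in lint(BAD_CONFIG):
        print("FINDING:", f)
```

Running the script prints the static-PAT form for ports 80 and 443 and then two findings for `BAD_CONFIG`; feeding the rendered output back into `lint` yields none, which is the quick check worth doing on a `show run` before concluding the ASA "lost" a NAT line.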
01-15-2014 09:30 AM
Dear Jouni,
As per your suggested configuration,
object network STATIC-PAT-TCP80
host 192.168.1.1
nat (inside,outside) static 1.1.1.1 service tcp 80 80
object network STATIC-PAT-TCP443
host 192.168.1.1
nat (inside,outside) static 1.1.1.1 service tcp 443 443
I did the same, but when I do show run I am able to see only one nat, for 443 and not for port 80. Can you please confirm whether this is right? Also, I saw the following config somewhere, which I applied, but it is not working either. Please suggest.
Public IP - 1.1.1.1
Private IP1 - 192.168.1.10 Port http
Private IP2 - 192.168.1.20 Port SMTP
Configuration -
***********************************************
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.1.20
host 192.168.1.20
object network obj-1.1.1.1
host 1.1.1.1
object service HTTP
service tcp source eq http
object service SMTP
service tcp source eq smtp
***********************************************
nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP
nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP
***********************************************
access-list outside extended permit tcp any host 192.168.1.10 eq http
access-list outside extended permit tcp any host 192.168.1.20 eq smtp
***********************************************
Thank You,
Abhisar.