10-02-2020 07:41 AM
Hello everybody,
today I need your advice regarding a port redirection on an ASA5506 running 9.12(4)2.
The customer wants to give outside users access to an internal server 192.168.100.33 on the inside interface
on ports 443 and 3478 by accessing a second public IP address x.y.z.91
using the same port numbers.
Relevant configuration lines:
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.100.3 255.255.255.0
!
interface GigabitEthernet1/8
 nameif connectip
 security-level 0
 ip address x.y.z.90 255.255.255.248
!
...
object network connectip-x.y.z.91
 host x.y.z.91
...
object network obj-host-nat-192.168.100.33-443
 host 192.168.100.33
...
object network obj-host-nat-192.168.100.33-3478
 host 192.168.100.33
...
object network obj-host-nat-192.168.100.33-443
 nat (inside,connectip) static connectip-x.y.z.91 service tcp https https
...
object network obj-host-nat-192.168.100.33-3478
 nat (inside,connectip) static connectip-x.y.z.91 service tcp 3478 3478
...
access-list connectip_access_in extended permit ip any any
...
access-group connectip_access_in in interface connectip
The second public IP address is in the range given by the ISP x.y.z.90 255.255.255.248.
My questions:
1. Is this possible at all?
2. Is it not necessary to have a separate public IP address for each port he wants to redirect?
3. Can you see a configuration mistake?
I have attached the whole configuration in the hope you can give advice.
Thanks a lot for every hint!!!
Bye
T.
10-02-2020 07:49 AM
Hi @swscco001
The configuration you provided looks ok and should work. Are you experiencing an issue? If you are, run packet-tracer from the CLI and provide the output for review.
You do not need a separate public IP address for each port to be redirected.
HTH
10-07-2020 05:23 AM
Hi Rob,
thanks for the hints!
When I trace on the outside interface "connectip" I see that when the remote public IP a.b.c.138 sends a TCP SYN,
the second public IP address x.y.z.91 of the ASA answers with TCP RST,ACK immediately! (see attached screen dump)
If the access is coming from the public IP address outside to the second public IP address x.y.z.91, is the nat
command not wrong in this case?
Should it not be:
object network connectip-x.y.z.91
nat (connectip,inside) static obj-host-nat-192.168.100.33-443 service tcp https https
...
object network connectip-x.y.z.91
nat (connectip,inside) static obj-host-nat-192.168.100.33-3478 service tcp 3478 3478
I'd like to hear your opinion!
Thanks a lot!
Bye
T.
10-07-2020 11:51 AM
I would be very worried if I had this rule in my firewall.
interface GigabitEthernet1/8
 nameif connectip
 security-level 0
 ip address x.y.z.90 255.255.255.248
!
access-list connectip_access_in extended permit ip any any
access-list connectip_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list connectip_access_in extended deny tcp any any object-group Netbios-TCP
access-list connectip_access_in extended deny udp any any object-group Netbios-UDP
!
access-group connectip_access_in in interface connectip
Have you tested this with packet tracer?
packet-tracer input connectip tcp 8.8.8.8 12345 a.b.c.138 443 transmit
Looking into your capture, you are receiving RST. It could be the server at your end resetting the connection.
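Added example, not posted by anyone in this thread: the same port-forward from the original post kept as it is (object NAT is bidirectional, so the rule belongs on the inside host object, not on the x.y.z.91 object as proposed in the follow-up), with the inbound ACL narrowed to the two forwarded ports and a packet-tracer check from the remote peer toward the mapped address. The ACL references the inside object because ASA 8.3+ ACLs match the real, pre-NAT address; the source port 12345 is an assumed value, and the contents of DM_INLINE_SERVICE_2 are not shown in the thread.

```cisco
! --- NAT unchanged from the original post: real (inside) object carries the
! --- rule and maps to the public object; static object NAT works both ways.
object network connectip-x.y.z.91
 host x.y.z.91
!
object network obj-host-nat-192.168.100.33-443
 host 192.168.100.33
 nat (inside,connectip) static connectip-x.y.z.91 service tcp https https
!
object network obj-host-nat-192.168.100.33-3478
 host 192.168.100.33
 nat (inside,connectip) static connectip-x.y.z.91 service tcp 3478 3478
!
! --- Weak inbound ACL as posted: the first ACE matches everything, so the
! --- NetBIOS deny ACEs below it are never reached (ACLs evaluate top down).
!   access-list connectip_access_in extended permit ip any any
!   access-list connectip_access_in extended deny tcp any any object-group Netbios-TCP
!   access-list connectip_access_in extended deny udp any any object-group Netbios-UDP
!
! --- Hardened inbound ACL: remove the any/any ACE and permit only the two
! --- forwarded ports to the real (untranslated) inside host; everything else
! --- arriving on connectip falls to the implicit deny at the end of the ACL.
! --- DM_INLINE_SERVICE_2 (contents not shown in the thread) deserves the
! --- same review.
no access-list connectip_access_in extended permit ip any any
access-list connectip_access_in extended permit tcp any object obj-host-nat-192.168.100.33-443 eq https
access-list connectip_access_in extended permit tcp any object obj-host-nat-192.168.100.33-3478 eq 3478
access-group connectip_access_in in interface connectip
!
! --- Check: simulate the remote peer a.b.c.138 (assumed source port 12345)
! --- hitting the mapped address x.y.z.91. The UN-NAT phase should show the
! --- destination rewritten to 192.168.100.33 and the final result ALLOW;
! --- a DROP in the ACCESS-LIST phase means the ACL, not the NAT, is wrong.
packet-tracer input connectip tcp a.b.c.138 12345 x.y.z.91 443 detailed
packet-tracer input connectip tcp a.b.c.138 12345 x.y.z.91 3478 detailed
```

If packet-tracer reports ALLOW but the capture still shows the ASA's RST,ACK, the reset is coming from the server side of the translation rather than from the firewall's policy.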