ASA5515 Port mapping

arthur_andales
Level 1

ASA5515 

ASA version 9.2(2)4

 

I am a newbie and this is my first post.

We have currently run out of public IPs and we need to publish another service.

Here are the current access list and NAT.

 

access-list out-in extended permit tcp any host Internal_Host_A
access-list out-in extended permit tcp any host Internal_Host_B
access-list out-in extended permit tcp any host Internal_Host_C
access-list out-in extended permit tcp any host Internal_Host_D

access-list out-in extended permit tcp any host Internal_Host_E (newly added host)

 

 
nat (inside,Outside) source static OBJ-Internal_Host_A OBJ-External_IP_A
nat (inside,Outside) source static OBJ-Internal_Host_B OBJ-External_IP_B
nat (inside,Outside) source static OBJ-Internal_Host_C OBJ-External_IP_C
nat (inside,Outside) source static obj-Internal_Host_D obj-External_IP_D
nat (inside,Outside) source dynamic obj-Internal_Host_E OBJ-External_IP_C 1433   (I added this, but it is not working, obviously)

 

 

We need to publish both Internal_Host_C and Internal_Host_E on External_IP_C with different ports.

Internal_Host_C needs to be mapped on the following ports: 80, 443, 8443, 2202 and 3306.

Internal_Host_E only needs to be mapped on port 1433.

How do I accomplish this, step by step?

I prefer to do it via the CLI if possible.

By the way, Hosts A through D are all published and working currently.

Thank you

 

Arthur

 

 


Francesco Molino
VIP Alumni

Hi

Here is a sample config:

no nat (inside,Outside) source static OBJ-Internal_Host_C OBJ-External_IP_C

--> remove that NAT to be able to use this public IP for different devices with different private IPs.

!
object network Internal_Host_C-TCP80
 host <Internal_Host_C address>
 nat (inside,Outside) static OBJ-External_IP_C service tcp 80 80
!
object network Internal_Host_C-TCP443
 host <Internal_Host_C address>
 nat (inside,Outside) static OBJ-External_IP_C service tcp 443 443
!
....

You'll need to create one object per port (each object holding the real address of the host) and do the NAT on the object as in the example.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

Thank you for the sample config, it was very helpful. It is working as it should be now.

Is it possible to lockdown the access to my host at port 1433 to only a known client's IP?

 

Thanks again.

Arthur

Yes, you would have to configure an ACE (one line) in your outside ACL to limit traffic to your internal service on port 1433 to only one public IP.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

From our previous config, which is working now:

object network obj-Internal_Host_E-TCP1433
 nat (inside,Outside) static OBJ-External_IP_C service tcp 1433 1433

The access list pointing to Internal_Host_E:

access-list out-in extended permit tcp any host Internal_Host_E eq 1433

access-group out-in in interface Outside

What should I change on this one?

 

Regards.

Arthur

If you want to filter which public IP can access your internal host, then in the outside ACL you pasted, replace 'any' with that IP.
Is this clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
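As an added worked example (not config from the thread or from Cisco documentation), here is the full procedure from both of Francesco's answers in one place: the per-port object NAT for Internal_Host_C and Internal_Host_E on External_IP_C, and the outside ACL with the 1433 ACE limited to one known client. It goes one step beyond the thread by restricting 3306 to the same client and by tightening the broad 'permit tcp any host' ACEs to just the published ports. Every address here (10.0.0.5, 10.0.0.6, 198.51.100.25, 203.0.113.10, 192.0.2.77) and the names SVC-HOST-C-PUBLIC and OBJ-SQL-CLIENT are placeholders I made up; interface names follow the OP's 'inside' and 'Outside'.

```cisco
! Added example, not from the thread. Placeholder addresses (RFC 1918 / RFC 5737):
!   Internal_Host_C = 10.0.0.5, Internal_Host_E = 10.0.0.6,
!   External_IP_C   = 198.51.100.25, trusted SQL client = 203.0.113.10
! nameif values are case-sensitive; the OP's are 'inside' and 'Outside'.
!
! 1. Remove the one-to-one manual NAT for Host C. Manual NAT (section 1) is
!    evaluated before object NAT (section 2), so while it exists it claims
!    every port of External_IP_C and the per-port rules below never match.
no nat (inside,Outside) source static OBJ-Internal_Host_C OBJ-External_IP_C
!
! 2. Mapped public address (already present in the OP's config; shown for completeness)
object network OBJ-External_IP_C
 host 198.51.100.25
!
! 3. One object per real-host/port pair. Object NAT takes a single 'service'
!    per object, so each published port needs its own object.
object network OBJ-Internal_Host_C-TCP80
 host 10.0.0.5
 nat (inside,Outside) static OBJ-External_IP_C service tcp 80 80
object network OBJ-Internal_Host_C-TCP443
 host 10.0.0.5
 nat (inside,Outside) static OBJ-External_IP_C service tcp 443 443
object network OBJ-Internal_Host_C-TCP8443
 host 10.0.0.5
 nat (inside,Outside) static OBJ-External_IP_C service tcp 8443 8443
object network OBJ-Internal_Host_C-TCP2202
 host 10.0.0.5
 nat (inside,Outside) static OBJ-External_IP_C service tcp 2202 2202
object network OBJ-Internal_Host_C-TCP3306
 host 10.0.0.5
 nat (inside,Outside) static OBJ-External_IP_C service tcp 3306 3306
object network OBJ-Internal_Host_E-TCP1433
 host 10.0.0.6
 nat (inside,Outside) static OBJ-External_IP_C service tcp 1433 1433
!
! 4. Inbound ACL. On ASA 8.3+ the interface ACL is matched against the REAL
!    (un-NATed) address, so it names the internal hosts, as the OP's does.
object-group service SVC-HOST-C-PUBLIC tcp
 port-object eq 80
 port-object eq 443
 port-object eq 8443
 port-object eq 2202
object network OBJ-SQL-CLIENT
 host 203.0.113.10
!
! ACEs are matched top-down: drop the old 'any' ACEs (if present) or the
! client-specific lines below are never reached.
no access-list out-in extended permit tcp any host 10.0.0.5
no access-list out-in extended permit tcp any host 10.0.0.6
access-list out-in extended permit tcp any host 10.0.0.5 object-group SVC-HOST-C-PUBLIC
access-list out-in extended permit tcp object OBJ-SQL-CLIENT host 10.0.0.5 eq 3306
access-list out-in extended permit tcp object OBJ-SQL-CLIENT host 10.0.0.6 eq 1433
access-group out-in in interface Outside
!
! 5. Verify from the CLI before testing from the Internet.
show nat detail
show xlate
! trusted client -> 1433: expect 'Action: allow', with the UN-NAT phase showing 10.0.0.6
packet-tracer input Outside tcp 203.0.113.10 40000 198.51.100.25 1433
! any other source -> 1433: expect 'Action: drop' in the ACCESS-LIST phase
packet-tracer input Outside tcp 192.0.2.77 40000 198.51.100.25 1433
```

The two removals are the part people miss: the section 1 'source static' rule for Host C shadows every object NAT on External_IP_C, and a leftover 'permit tcp any host' ACE above the client-specific line makes the source restriction a no-op. packet-tracer shows both the NAT phase and the ACL phase for a given source, so it confirms the lockdown without needing a host outside.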

Hi Francesco,

 

I appreciate your help. Yes it is clear to me now.

Regards.

You're welcome!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question