Cannot get set up properly with port forwarding one public IP to multiple servers on the inside.

Thomas_s
Level 1

ASA5505, ASDM 7.5(2)153, ASA 9.1(7)

 

I have tried multiple times, but I simply can't figure out how I can get it to work properly.

Situation is as follows: One Public IP on the Outside and multiple clients and servers on the inside on a single subnet.

 

We need to forward (App-srv, IP 192.168.0.5) ports tcp/5222-5223 and ports tcp-udp/1194

and

(Web-srv, IP 192.168.0.6) ports tcp/80 and tcp/443

 

I've mainly used ASDM since I'm completely fresh on using Cisco.

 

At the moment I've got it partly working (but I know I won't be able to get full function until I redo everything). I've made a network object host for the App-srv and then I've used "Add automatic address translation rules", "Static, translated addr: outside" and also the advanced setting "Translate DNS replies for rule" so we could get access to the server using its name.

 

I would prefer ASDM, but I assume I need to use the CLI instead?

 

Please help me get this sorted out.

2 Replies

Dennis Mink
VIP Alumni

You can do an object NAT, for example:

 

and then only allow the ports you want to open up through an access list on your outside interface.

 

I would start with ASDM as it's a bit more intuitive than the CLI, but not everyone would agree with me on that one.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

 

if y

 

object network inside-subnet
 description LAN: outbound dynamic PAT to the outside interface address
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network dmz-subnet
 description DMZ: outbound dynamic PAT to the outside interface address
 subnet 192.168.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface

 

Please remember to rate useful posts, by clicking on the stars below.
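An added example, not part of the original post or of Cisco's documentation, that fills in the port-forwarding part of the reply above for the two servers named in the question (ASA 9.1 CLI; the same rules can be built in ASDM as a network object NAT rule with the Advanced > PAT fields set). Object names, the ACL name and the description text are illustrative choices. Two points drive the shape of the config: with a single public IP (the outside interface address) each server needs port-level static PAT rather than a one-to-one static NAT to `interface`, because a one-to-one static claims every port of that address for one host and leaves nothing for a second server; and object NAT accepts one port per `service` clause, so the 5222-5223 range becomes two objects. The `dns` option ("Translate DNS replies for rule") cannot be combined with `service`, so it has to come off these rules; internal clients that need the public name should get the private address from an internal DNS zone instead.

```cisco
! Assumed interface names: inside (192.168.0.0/24 on e0/1) and outside
! (single public IP on e0/0). Object and ACL names are illustrative.

! --- App-srv 192.168.0.5: tcp/5222, tcp/5223, tcp/1194, udp/1194 ---
! One network object per forwarded port; object NAT allows one port per rule.
object network app-srv-tcp5222
 description App-srv: static PAT for tcp/5222 on the outside interface IP
 host 192.168.0.5
 nat (inside,outside) static interface service tcp 5222 5222
!
object network app-srv-tcp5223
 host 192.168.0.5
 nat (inside,outside) static interface service tcp 5223 5223
!
object network app-srv-tcp1194
 host 192.168.0.5
 nat (inside,outside) static interface service tcp 1194 1194
!
object network app-srv-udp1194
 host 192.168.0.5
 nat (inside,outside) static interface service udp 1194 1194
!
! --- Web-srv 192.168.0.6: tcp/80, tcp/443 ---
object network web-srv-tcp80
 host 192.168.0.6
 nat (inside,outside) static interface service tcp 80 80
!
object network web-srv-tcp443
 host 192.168.0.6
 nat (inside,outside) static interface service tcp 443 443
!
! Outbound PAT for everything else on the LAN. Static object NAT rules are
! ordered ahead of dynamic ones automatically, so this does not shadow them.
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Outside ACL: permit only the forwarded ports, nothing else ---
! On ASA 8.3 and later the ACL matches the REAL (inside) addresses,
! not the public IP, because NAT is evaluated before the ACL.
object-group service app-srv-ports
 service-object tcp destination eq 5222
 service-object tcp destination eq 5223
 service-object tcp-udp destination eq 1194
!
object-group service web-srv-ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443
!
access-list outside_access_in extended permit object-group app-srv-ports any host 192.168.0.5
access-list outside_access_in extended permit object-group web-srv-ports any host 192.168.0.6
! The implicit deny at the end of the ACL drops every other inbound connection.
access-group outside_access_in in interface outside
```

To check the result before trusting it from the Internet, `show nat detail` should list the six static rules above the dynamic one, and `packet-tracer input outside tcp 203.0.113.10 12345 <your public IP> 443` (203.0.113.10 is a documentation address standing in for an external client) should end with the packet translated to 192.168.0.6 and an ALLOW result; the same trace against a port you did not forward should be dropped by the ACL's implicit deny.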

Is it possible without configuring a port for a DMZ, or is it just the easier way? Currently we only use 2 ports on the ASA: outside e0/0 and inside e0/1. The e0/1 is then connected to a switch, which is then cabled with only 1 cable to a larger switch inside the server cabinet. I would assume a DMZ is probably best practice, but as it is now I can easily get AD group policies on the web server to only allow access to where I want it to have access.