Change the port number going into ASA arriving on outside interface

chris (Level 1)

I need to change all traffic coming from the outside interface destined for IP x.x.x.x on port 443, so that it will be sent to the server x.x.x.x on the inside on port 8443 instead. This will also then need to be sent back out of the firewall using port 443 again. I am unsure of the command to use to do this. I know that if I were attempting to do the same from the inside out I could use a static like the following:

static (inside,outside) tcp x.x.x.x 8443 x.x.x.x 443 netmask 255.255.255.255

But doing it from the outside is what I am not understanding as I will not need to NAT the address as the traffic is already allowed to that server on that port.

Thanks in advance,

Chris


varrao (Level 10)

Hi Chris,

You would need this static statement:

static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443 netmask 255.255.255.255

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

As I said, I don't know the public IP as this is allowed from anyone in the world. It is a web service and should be open to anyone. I also do not want to change the IP; the range I spoke of initially, x.x.x.x, is a publicly routable IP address.

So basically I want the following:

-Anyone on the internet from any IP to be able to contact x.x.x.x on port 443

-This request will be accepted

-Port will be changed to 8443 before reaching the server

-The IP address of the requestor will never change, nor will the IP address of the server (x.x.x.x)

Thanks,

Chris

Hi Chris,

Let me know if I am wrong:

1. Public ip of server is x.x.x.x

2. The server lies on the inside interface of the ASA

3. Users are connecting on port 443 and need to be redirected to 8443.

Questions:

1. What is the private ip of the server.

2. Have you assigned a public ip directly on the server?

Varun

Thanks,
Varun Rao

Hi Varun,

1. The public IP of the server is x.x.x.x. This is the only IP the server has; we are not using private addresses.

2. The server is on the inside of the inside interface of the ASA.

3. Yes, users are connecting on port 443 and need to be redirected to 8443.

Answers:

1. There is no private IP on the server as we are not using private addresses anywhere on the network.

2. The public IP has been assigned directly on the NIC of the server.

Hope that has made it clearer.

Thanks,

Chris

Then you need to use this:

static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443

This should do the port redirection for the server.

Thanks,

Varun

Thanks,
Varun Rao

The way I understand that is that it will change anything coming from the inside from port 8443 to the outside on port 8443. Is that not why it references inside first in the statement you sent me?

static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443

I need to change the port for traffic coming from the outside interface instead, without changing the originating IP address.

User on internet (outside) IP y.y.y.y tries to connect to server on inside x.x.x.x on port 443. The firewall changes the port to 8443 before it gets to the server.

Thanks,

Chris

No No No, that's not what it means.

It means this static statement is for the destination: if a request coming from outside is going to the server x.x.x.x on inside at port 443, it would be redirected to IP x.x.x.x (which is the same in our case) and on port 8443.

This nat statement doesn't change your originating ip.

Let me know if you have any questions for me.

Thanks,

Varun

Thanks,
Varun Rao

So does that mean that regardless of which way the traffic is going the port will be changed? i.e.

from outside to inside 443 -> 8443

from inside to outside 8443 -> 443

Also, you never used a netmask after the statement, why not?

Thanks for the help!

Absolutely

Return packets would also be converted back to port 443 when leaving the ASA.

Varun

Thanks,
Varun Rao

Perfect! Thanks

How about the fact that you never used the netmask statement e.g.

static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443 netmask 255.255.255.255

Why is that?

Thanks,

Chris

Hi Chris,

It adds the netmask itself. If you add the statement:

static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443

and then do:

show run static

You would see the firewall would add the netmask itself.

Glad I could help.

Thanks,

Varun

Thanks,
Varun Rao
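To make the two points from this thread concrete (the static rewrites only the destination port on the way in and puts the source port back on the way out, and a host static defaults to a /32 netmask), here is an added Python model of the pre-8.3 ASA `static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port` statement. It is not code from the thread or from Cisco; the IPs 203.0.113.10 and 198.51.100.7 are constructed documentation-range stand-ins for the thread's x.x.x.x and y.y.y.y.

```python
"""Model of an ASA (pre-8.3) static port redirection such as
   static (inside,outside) tcp x.x.x.x 443 x.x.x.x 8443
Added example; addresses and packets below are constructed."""
from dataclasses import dataclass, replace
import re

# Syntax: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port [netmask m]
STATIC_RE = re.compile(
    r"static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
    r"(?: netmask (?P<mask>\S+))?$")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int
    netmask: str

def parse_static(line: str) -> StaticPat:
    """Parse one tcp static line. A host static without an explicit
    netmask gets 255.255.255.255, which is what 'show run static' shows."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp static statement: {line!r}")
    return StaticPat(m["real_ifc"], m["mapped_ifc"], m["mapped_ip"], int(m["mapped_port"]),
                     m["real_ip"], int(m["real_port"]), m["mask"] or "255.255.255.255")

def inbound(pat: StaticPat, pkt: Packet) -> Packet:
    """outside -> inside: only the destination is rewritten (443 -> 8443).
    The requester's source IP and source port are left untouched."""
    if (pkt.dst_ip, pkt.dst_port) != (pat.mapped_ip, pat.mapped_port):
        return pkt  # the static does not match this flow
    return replace(pkt, dst_ip=pat.real_ip, dst_port=pat.real_port)

def outbound(pat: StaticPat, pkt: Packet) -> Packet:
    """inside -> outside reply: the server's source port 8443 is put back to 443."""
    if (pkt.src_ip, pkt.src_port) != (pat.real_ip, pat.real_port):
        return pkt
    return replace(pkt, src_ip=pat.mapped_ip, src_port=pat.mapped_port)
```

Run `inbound` on a request to 203.0.113.10:443 and `outbound` on the server's reply from 203.0.113.10:8443 to see the pair of rewrites the thread describes; any flow that does not hit the mapped address and port passes through unchanged.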

Thanks again, you were a lot of help!

Chris
