Cisco ASA - static NAT+PAT multiple outside to single inside

sergiu.panaite
Level 1

Hello folks!

This is probably obvious to some of you, but it wasn't to me. On an ASA 5520 running 8.2(4), I intended to have two different lower-security interface IP address/port sets translated to the same internal IP address/port. The logic behind this is that I want the HTTPS service on a single server ('inside', listening on one IP address) to receive HTTPS traffic arriving at two different IP addresses on the 'outside'.

Example config:

static (inside,outside) tcp 192.168.1.1 https 10.10.1.1 https netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.2 https 10.10.1.1 https netmask 255.255.255.255

This is not accepted by the ASA because the second part of the statement (the 'inside' part) is duplicated.

Now, I understand why it wouldn't make any sense if it was the other way around (same outside address/port to different inside address/port) as that can't work; but I don't quite see why it doesn't work the way I intended it to above. I've tested the above on another couple of firewalls from different manufacturers and it works on those.

Am I trying to do this wrong? Or is it a Cisco limitation - either a v8.2 or overall ASA faux pas?

Thank you for any help!

Serg

7 Replies

This is not possible on an ASA running a version older than 9.3(x). Here you can use traffic zones to allow the ASA to receive traffic on multiple interfaces destined for the same inside host. Earlier versions will drop the traffic due to asymmetric routing.

--

Please remember to select a correct answer and rate helpful posts

Another option might be to set up the ASA in multiple context mode and then configure ASR groups on the two outside interfaces.

Thank you Marius!

The traffic will arrive on the same ('outside') interface, to IPs in the same subnet, therefore I wouldn't be able to create traffic zones nor switch to multiple context mode.

I take it there is no fix for this in a newer version either, right?

Thanks again!

You are still talking about having two outside interfaces correct? If so, would you be able to have specific static routing for traffic arriving on the second outside interface? Remember that the ASA does not support two default routes.

Hi Marius - no, there is a single outside interface.

On that interface, I would like to NAT+PAT these two:

192.168.1.1:443 and 192.168.1.2:443

To the same inside host:

10.10.1.1:443

None of these three IPs are actually on any of the ASA's interfaces, if that makes a difference. Sorry if I wasn't clear!

None of these three IPs are actually on any of the ASA's interfaces, if that makes a difference.

This doesn't make a difference.

This should work fine. So long as the public / outside IPs are different it will work.

sergiu.panaite
Level 1

Replying to myself, just to illustrate what happens:

inet-fw(config)# static (uat_dmz,outside) tcp 192.168.1.1 www 10.10.1.1 www netmask 255.255.255.255
inet-fw(config)# static (uat_dmz,outside) tcp 192.168.1.2 www 10.10.1.1 www netmask 255.255.255.255
ERROR: duplicate of existing static
TCP uat_dmz:10.10.1.1/443 to outside:192.168.1.1/443 netmask 255.255.255.255

It appears that this is a known issue, I found a few more occurrences in the support forums, but no suitable solution yet.

edit: I may be lying; I need to try a static NAT using an ACL to see if that works. Will update soon with my results.
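A pre-flight check for exactly this error, added here as an example and not taken from the thread or from Cisco: it parses 8.2-style port-level `static` lines and flags a second entry before it is pushed, because the ASA keys each static on its real (inside) interface/IP/port tuple, which must be unique, just as the mapped (outside) tuple must be. The service-keyword table is an assumed subset of the ASA's well-known port names.

```python
import re
# Subset of the ASA's well-known service keywords (assumed; the thread uses https and www).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

# ASA 8.2 form: static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask
STATIC_RE = re.compile(r"^\s*static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<proto>tcp|udp)\s+"
                       r"(?P<mapped_ip>[\d.]+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>[\d.]+)\s+(?P<real_port>\S+)"
                       r"\s+netmask\s+(?P<mask>[\d.]+)\s*$")

def port_number(token):
    """Resolve a numeric port or an ASA service keyword to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_static(line):
    """Split one port-level static into its real (inside) and mapped (outside) 4-tuples."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError("not a port-level static: " + line)
    g = m.groupdict()
    return {
        "real": (g["proto"], g["real_if"], g["real_ip"], port_number(g["real_port"])),
        "mapped": (g["proto"], g["mapped_if"], g["mapped_ip"], port_number(g["mapped_port"])),
    }

def find_conflicts(lines):
    """Return (offending_line, existing_line, side) for each static whose real-side or
    mapped-side 4-tuple an earlier static already claims. Real-side clash: the ASA's
    'duplicate of existing static'. Mapped-side clash: one outside socket, two inside hosts."""
    seen = {"real": {}, "mapped": {}}
    conflicts = []
    for line in lines:
        ends = parse_static(line)
        for side in ("real", "mapped"):
            key = ends[side]
            if key in seen[side]:
                conflicts.append((line.strip(), seen[side][key], side))
            else:
                seen[side][key] = line.strip()
    return conflicts

# Constructed sample: the two statics from the thread plus one on a different inside port.
SAMPLE = [
    "static (inside,outside) tcp 192.168.1.1 https 10.10.1.1 https netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.1.2 https 10.10.1.1 https netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.1.2 8443 10.10.1.1 8443 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for bad, existing, side in find_conflicts(SAMPLE):
        print(f"{side}-side duplicate:\n  {bad}\nalready claimed by\n  {existing}")
```

Only the second sample line is reported, on the real side; the third maps a different inside port and is accepted, which is the usual workaround when the server can listen on a second port.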
