05-13-2013 10:27 AM - edited 03-11-2019 06:42 PM
Hey all, any ideas would be great.
Scenario:
ASA has outside interface with a public IP, say 1.1.1.1 (this IP is the global NAT address, so people can access the internet, etc.)
global (outside) 1 1.1.1.1
I need to open up port 443 for a few external servers to hit a server on our DMZ with a private IP 192.168.100.100.
access-list outside_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq https
access-list outside_in extended permit tcp host 2.2.2.3 host 1.1.1.1 eq https
I need all the rest of the traffic to continue to do whatever it is doing.
I am thinking there is some sort of translation I can do to accomplish this. Any ideas?
Clarification....
I have two outside servers, say 2.2.2.2 and 2.2.2.3; they need to access 192.168.100.100 on our DMZ by using the ASA's outside public IP 1.1.1.1.
How can I do this, only diverting traffic from the 2 external servers and not all external servers?
static (DMZ,outside) 1.1.1.1 192.168.100.100 255.255.255.255 won't work as that just translates everything.
Thank you,
David
05-13-2013 11:00 AM
Hi,
You can use the following configuration:
static (DMZ,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255
access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq https
access-list outside_in permit tcp host 2.2.2.3 host 1.1.1.1 eq https
This will essentially forward the port TCP/443 from the ASA "outside" IP address to the "DMZ" IP address of 192.168.100.100. This applies to any source addresses on the public network, BUT to be honest it doesn't matter as it doesn't change anything for the "DMZ" or "inside" users you might have.
And additionally the ACL is already controlling which hosts can access this port TCP/443.
Hope this helps
Please remember to mark the reply as the correct answer if it was. And/or rate helpful answers.
- Jouni
05-13-2013 11:04 AM
If you for some reason still want to apply this NAT only for those mentioned public IP addresses, then I think the configuration might be something like this:
access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.2
access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.3
static (DMZ,outside) tcp interface https access-list DMZ-POLICY-NAT
- Jouni
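To make the difference between the two answers above concrete (plain static PAT with the access list doing all the filtering, versus policy PAT that also limits which outside peers get a translation), here is an added Python model of how an ASA 8.2-style "outside" interface ACL and a static PAT entry are applied to an inbound TCP connection. It is an example written for this thread, not Cisco code or anything from the original posts; it assumes the outside interface address is 1.1.1.1, supports only the `host`/`any` and `eq` keywords used above, and the ACL line permitting `any` is a constructed variant added to show why the policy-NAT form still drops unlisted sources even when the interface ACL is wider than it should be.

```python
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "1.1.1.1"   # assumed address of the ASA "outside" interface ("interface" keyword)
PORT_NAMES = {"https": 443, "http": 80, "www": 80}

# Config fragments modelled on the two answers in the thread (8.2-style syntax).
NAT_STATIC = "static (DMZ,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255"
NAT_POLICY = """access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.2
access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.3
static (DMZ,outside) tcp interface https access-list DMZ-POLICY-NAT"""
ACL_RESTRICTED = """access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq https
access-list outside_in permit tcp host 2.2.2.3 host 1.1.1.1 eq https"""
# Constructed, deliberately too wide: permits every outside source to TCP/443.
ACL_OPEN = "access-list outside_in permit tcp any host 1.1.1.1 eq https"


def port(tok: str) -> Optional[int]:
    """Map a port keyword or number to an integer (None if absent/unknown)."""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)


@dataclass
class Ace:
    src: str                 # host address or "any"
    dst: str
    src_port: Optional[int]  # None means any port
    dst_port: Optional[int]

    def matches(self, src, dst, sport, dport) -> bool:
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.src_port is None or self.src_port == sport)
                and (self.dst_port is None or self.dst_port == dport))


def parse_endpoint(tokens):
    """Consume 'host A [eq P]' or 'any [eq P]' and return (addr, port, remaining tokens)."""
    if tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    elif tokens[0] == "any":
        addr, tokens = "any", tokens[1:]
    else:
        raise ValueError(f"unsupported address spec: {tokens[0]}")
    p = None
    if tokens and tokens[0] == "eq":
        p, tokens = port(tokens[1]), tokens[2:]
    return addr, p, tokens


def parse_config(text: str):
    """Parse access-list and static-PAT lines into ACL tables and translation entries."""
    acls, statics = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            name, rest = tok[1], tok[2:]
            if rest[0] == "extended":
                rest = rest[1:]
            if rest[:2] != ["permit", "tcp"]:
                raise ValueError(f"unsupported ACE: {line}")
            src, sp, rest = parse_endpoint(rest[2:])
            dst, dp, _ = parse_endpoint(rest)
            acls.setdefault(name, []).append(Ace(src, dst, sp, dp))
        elif tok[0] == "static":
            # static (real_if,mapped_if) tcp interface MAPPED_PORT {REAL_IP REAL_PORT | access-list NAME}
            assert tok[2] == "tcp" and tok[3] == "interface", line
            entry = {"mapped_port": port(tok[4])}
            if tok[5] == "access-list":
                entry["policy"] = tok[6]
            else:
                entry["real_ip"], entry["real_port"] = tok[5], port(tok[6])
            statics.append(entry)
    return acls, statics


def evaluate_inbound(config: str, src: str, dport: int):
    """Decide the fate of a TCP SYN from src to OUTSIDE_IP:dport arriving on 'outside'.

    Pre-8.3 ordering: the interface ACL is checked against the mapped (public) address,
    then a translation is looked up. Returns (verdict, (real_ip, real_port) or None).
    """
    acls, statics = parse_config(config)
    if not any(a.matches(src, OUTSIDE_IP, None, dport) for a in acls.get("outside_in", [])):
        return ("denied by outside_in ACL", None)          # implicit deny at end of ACL
    for s in statics:
        if s["mapped_port"] != dport:
            continue
        if "policy" in s:
            # Policy ACL is written from the DMZ host's view: src = real host, dst = outside peer.
            for a in acls.get(s["policy"], []):
                if a.dst == src and a.src_port == dport:
                    return ("translated (policy PAT)", (a.src, a.src_port))
            continue                                       # no policy match: try next entry
        return ("translated (static PAT)", (s["real_ip"], s["real_port"]))
    return ("no translation; dropped", None)


if __name__ == "__main__":
    for label, nat in (("static PAT", NAT_STATIC), ("policy PAT", NAT_POLICY)):
        for acl_label, acl in (("restricted ACL", ACL_RESTRICTED), ("open ACL", ACL_OPEN)):
            for src in ("2.2.2.2", "3.3.3.3"):
                print(f"{label:10} {acl_label:15} {src:8} ->", evaluate_inbound(nat + "\n" + acl, src, 443))
```

Running it shows the point of both answers: with the restricted ACL, 3.3.3.3 is stopped at the interface regardless of NAT form, and with the overly wide ACL only the policy-PAT variant still refuses 3.3.3.3 a translation, so the policy ACL acts as a second control if someone later loosens `outside_in`.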