Diverting some traffic from the ASA's public IP, to the DMZ

David Tamburin
Level 1

Hey all, any ideas would be great.

Scenario:

ASA has outside interface with a public IP, say 1.1.1.1  (This IP is global natted so people can access the internet, etc)

global (outside) 1 1.1.1.1

I need to open up port 443 for a few external servers to hit a server on our DMZ with a private IP 192.168.100.100.

access-list outside_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq https

access-list outside_in extended permit tcp host 2.2.2.3 host 1.1.1.1 eq https

I need all the rest of the traffic to continue to do whatever it is doing.

I am thinking there is some sort of translation I can do to accomplish this, any ideas?

Clarification....

I have two outside servers, say 2.2.2.2 and 2.2.2.3; they need to access 192.168.100.100 on our DMZ by using the ASA's outside public IP 1.1.1.1.

How can I do this, only diverting traffic from the 2 external servers and not all external servers.

static (DMZ,outside) 1.1.1.1 192.168.100.100 netmask 255.255.255.255 won't work, as that just translates everything.

Thank you,

David

2 Replies

Jouni Forss
VIP Alumni

Hi,

You can use the following configuration

static (DMZ,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq https

access-list outside_in permit tcp host 2.2.2.3 host 1.1.1.1 eq https

This will essentially forward port TCP/443 from the ASA "outside" IP address to the "DMZ" IP address 192.168.100.100. This applies to any source address on the public network, BUT to be honest it doesn't matter, as it doesn't change anything for the "DMZ" or "inside" users you might have.

And additionally, the ACL is already controlling which hosts can access this port TCP/443.

Hope this helps

Please remember to mark the reply as the correct answer if it was. And/or rate helpful answers.

- Jouni
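A complete, applied version of the configuration in the reply above, as an added example that is not from the original thread. It uses the pre-8.3 ASA NAT syntax the thread uses (static/global/nat; on ASA 8.3 and later the NAT commands and the ACL semantics are different, since those ACLs match the real address instead of the mapped one) and the thread's addresses. Assumed, not stated on the page: the interface names "outside" and "DMZ", that outbound users live behind an interface called "inside", and that outside_in is applied inbound on the outside interface. The packet-tracer and show xlate lines at the end are how to confirm the translation and ACL hit before trusting the port is exposed only to the two peers.

```text
! Existing dynamic PAT for outbound users stays as it is
! (the nat line is assumed; the thread only shows the global)
global (outside) 1 1.1.1.1
nat (inside) 1 0.0.0.0 0.0.0.0

! Static PAT: TCP/443 on the outside interface IP -> DMZ server, port unchanged.
! The "interface" keyword is used because 1.1.1.1 is the outside interface's own address.
static (DMZ,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255

! Inbound ACL: a pre-8.3 interface ACL matches the MAPPED (public) destination,
! so the destination here is 1.1.1.1, not 192.168.100.100.
access-list outside_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq https
access-list outside_in extended permit tcp host 2.2.2.3 host 1.1.1.1 eq https
! Everything else arriving on outside falls to the implicit deny at the end.
access-group outside_in in interface outside

! Verification (privileged exec):
! a listed source should end with "Action: allow" and show the static in the NAT phase
packet-tracer input outside tcp 2.2.2.2 40000 1.1.1.1 443
! an unlisted source still matches the static PAT but must end with "Action: drop" on the ACL
packet-tracer input outside tcp 2.2.2.4 40000 1.1.1.1 443
! active translations involving the DMZ server
show xlate | include 192.168.100.100
```

The second packet-tracer is the check that matters for the original question: with a plain static PAT the translation exists for every source, so the ACL is the only thing keeping 2.2.2.4 out, and its result must be a drop.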

If you for some reason still want to apply this NAT only for those mentioned public IP addresses, then I think the configuration might be something like this:

access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.2

access-list DMZ-POLICY-NAT permit tcp host 192.168.100.100 eq 443 host 2.2.2.3

static (DMZ,outside) tcp interface https access-list DMZ-POLICY-NAT

- Jouni
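The policy-NAT variant from the reply above, as an added example that is not from the original thread, with the direction of the policy ACL spelled out and a check that a source not in the list gets no translation at all. Same assumptions as before: pre-8.3 ASA syntax, interface names "outside" and "DMZ", and the thread's addresses; the clear xlate line at the end is assumed to be wanted only if you are replacing a previously configured plain static.

```text
! The policy NAT ACL is written from the REAL (DMZ) side:
! source = real server and real port, destination = the outside peer the translation is for.
access-list DMZ-POLICY-NAT extended permit tcp host 192.168.100.100 eq https host 2.2.2.2
access-list DMZ-POLICY-NAT extended permit tcp host 192.168.100.100 eq https host 2.2.2.3

! Static policy PAT: only flows matching DMZ-POLICY-NAT get interface:443 -> 192.168.100.100:443
static (DMZ,outside) tcp interface https access-list DMZ-POLICY-NAT

! The interface ACL is still required; NAT is not access control and the
! ACL still matches the mapped destination 1.1.1.1 on this software version.
access-list outside_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq https
access-list outside_in extended permit tcp host 2.2.2.3 host 1.1.1.1 eq https
access-group outside_in in interface outside

! Verification: a listed peer is translated and allowed ...
packet-tracer input outside tcp 2.2.2.2 40000 1.1.1.1 443
! ... while for an unlisted peer there is no matching static, so it is dropped
! whether or not outside_in would have permitted it.
packet-tracer input outside tcp 2.2.2.4 40000 1.1.1.1 443

! If a plain static for 192.168.100.100 was in place before, drop its existing
! translations so the new policy static is used for fresh connections.
clear xlate local 192.168.100.100
```

The practical difference from the first answer is only visible in the second packet-tracer: with policy NAT the unlisted source fails in the NAT phase rather than at the ACL, so the two mechanisms back each other up instead of the ACL being the single control.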
