Help on a NAT question

mtehonica
Level 5

I thought this would be simple at first but I seem to be getting a little stuck on it.  I need to forward ports 80,443,51111 to internal hosts.  80 and 443 need to go to my web server (192.168.5.15) while 51111 needs to go to another server (192.168.5.91).  All requests are coming in on public static IP 96.249.x.x.  I have 80 and 443 working fine to my web server but can't wrap my head around how to forward 51111 to a different host accessed by the same public IP.  Any help would be greatly appreciated.

Here are the important parts of my config:

interface Vlan2
 description Connection to Primary ISP (FiOS)
 nameif primaryisp
 security-level 0
 ip address 96.249.x.x 255.255.255.248
!
interface Vlan5
 description Connection to internal internet access subnet (192.168.5.0/24)
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
object network asp-wss-3-vz
 host 192.168.5.15
access-list outside_access_in_1 remark Access list to allow outside traffic in
access-list outside_access_in_1 remark **********
access-list outside_access_in_1 remark Allow traffic into Web Server on 80 and 443
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-vz eq https
access-list outside_access_in_1 remark **********
object network asp-wss-3-vz
 nat (inside,primaryisp) static 96.249.x.x

Thanks in advance!

2 Replies

Hi,

You might try:

object network OTHER
 host 192.168.5.91
 nat (inside,primaryisp) static interface service tcp 51111 51111
object network WEB-HTTP
 host 192.168.5.15
 nat (inside,primaryisp) static interface service tcp www www
object network WEB-HTTPS
 host 192.168.5.15
 nat (inside,primaryisp) static interface service tcp https https

Dan

Thanks.  I ended up getting it to work using that method.  Anyone know of a better way though?  I have 3 servers that run http and https, 1 server that needs 51111 and 2 ISPs (primary/backup using ip sla).  That means I have like 14 objects and nat rules and access list rules.  See below...

object network asp-wss-3-http-tw
 host 192.168.5.15
object network asp-wss-3-http-vz
 host 192.168.5.15
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
object network my-mgmt
 subnet 172.16.20.0 255.255.255.0
object network inside172
 subnet 172.16.2.0 255.255.255.0
object network asp-sc-1-http-tw
 host 192.168.5.21
object network asp-sc-1-http-vz
 host 192.168.5.21
object network asp-sc-2-http-tw
 host 192.168.5.24
object network asp-sc-2-http-vz
 host 192.168.5.24
object network asp-wss-3-https-tw
 host 192.168.5.15
object network asp-wss-3-https-vz
 host 192.168.5.15
object network asp-sc-1-https-tw
 host 192.168.5.21
object network asp-sc-1-https-vz
 host 192.168.5.21
object network asp-sc-2-https-tw
 host 192.168.5.24
object network asp-sc-2-https-vz
 host 192.168.5.24
object network asp-routerpc-tw
 host 192.168.5.91
object network asp-routerpc-vz
 host 192.168.5.91
access-list outside_access_in_1 remark Access list to allow outside traffic in
access-list outside_access_in_1 remark **********
access-list outside_access_in_1 remark Allow traffic into Web Server on 80 and 443
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-http-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-https-tw eq https
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-http-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-https-vz eq https
access-list outside_access_in_1 remark **********
access-list outside_access_in_1 remark Allow access into sc-1 on 80 and 443
access-list outside_access_in_1 extended permit tcp any object asp-sc-1-http-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-sc-1-https-tw eq https
access-list outside_access_in_1 extended permit tcp any object asp-sc-1-http-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-sc-1-https-vz eq https
access-list outside_access_in_1 remark **********
access-list outside_access_in_1 remark Allow access into sc-2 on 80 and 443
access-list outside_access_in_1 extended permit tcp any object asp-sc-2-http-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-sc-2-https-tw eq https
access-list outside_access_in_1 extended permit tcp any object asp-sc-2-http-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-sc-2-https-vz eq https
access-list outside_access_in_1 remark **********
access-list outside_access_in_1 remark Allow traffic to Lukes Router program on port 51111
access-list outside_access_in_1 extended permit tcp any object asp-routerpc-tw eq 51111
access-list outside_access_in_1 extended permit tcp any object asp-routerpc-vz eq 51111
access-list outside_access_in_1 remark **********
object network asp-wss-3-http-tw
 nat (inside,backupisp) static 208.125.x.x service tcp www www
object network asp-wss-3-http-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp www www
object network asp-sc-1-http-tw
 nat (inside,backupisp) static 208.125.x.x service tcp www www
object network asp-sc-1-http-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp www www
object network asp-sc-2-http-tw
 nat (inside,backupisp) static 208.125.x.x service tcp www www
object network asp-sc-2-http-vz
 nat (inside,primaryisp) static 96.248.x.x service tcp www www
object network asp-wss-3-https-tw
 nat (inside,backupisp) static 208.125.x.x service tcp https https
object network asp-wss-3-https-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp https https
object network asp-sc-1-https-tw
 nat (inside,backupisp) static 208.125.x.x service tcp https https
object network asp-sc-1-https-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp https https
object network asp-sc-2-https-tw
 nat (inside,backupisp) static 208.125.x.x service tcp https https
object network asp-sc-2-https-vz
 nat (inside,primaryisp) static 96.248.x.x service tcp https https
object network asp-lukerouterpc-tw
 nat (inside,backupisp) static 208.125.x.x service tcp 51111 51111
object network asp-lukerouterpc-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp 51111 51111
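
With this many per-service objects, a quick consistency check helps confirm that each inbound permit has a static port-forward behind it and that nothing is published without a permit. The script below is an added example, not part of the thread or any Cisco tool; `audit`, `port` and the condensed `SAMPLE` are hypothetical names and constructed input that reuse object names from the post above.

```python
import re

PORTS = {"www": 80, "https": 443}  # ASA service keywords used in this thread

# Constructed sample: condensed from the configuration posted above.
SAMPLE = """\
object network asp-wss-3-http-vz
 host 192.168.5.15
object network asp-routerpc-vz
 host 192.168.5.91
access-list outside_access_in_1 extended permit tcp any object asp-wss-3-http-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-routerpc-vz eq 51111
object network asp-wss-3-http-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp www www
object network asp-lukerouterpc-vz
 nat (inside,primaryisp) static 96.249.x.x service tcp 51111 51111
"""

NAT_RE = re.compile(r"nat \(\S+\) static \S+ service tcp (\S+)\s+(\S+)$")  # real, mapped
ACL_RE = re.compile(r"access-list \S+ extended permit tcp any object (\S+) eq (\S+)$")

def port(tok):
    return PORTS.get(tok) or int(tok)

def audit(config):
    hosts, nats, acls, current = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"host (\S+)$", line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            nats.append((current, port(m.group(1))))
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), port(m.group(2))))
    findings = []
    # A nat line under an object that has no host line anywhere in the config.
    for obj, p in nats:
        if obj not in hosts:
            findings.append(f"nat on undefined object {obj} (tcp/{p})")
    # With 8.3+ object NAT the ACL matches the real address: compare (host, port).
    published = {(hosts[o], p) for o, p in nats if o in hosts}
    permitted = {(hosts[o], p) for o, p in acls if o in hosts}
    for h, p in sorted(permitted - published):
        findings.append(f"permit to {h} tcp/{p} has no static NAT")
    for h, p in sorted(published - permitted):
        findings.append(f"static NAT to {h} tcp/{p} has no permit")
    return findings
```

Run `audit()` over the text of `show running-config`; an empty list means every permit and every port-forward pair up on the same real host and port.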
