11-01-2011 07:20 AM - edited 03-11-2019 02:45 PM
I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ. In the documentation for the Mitel Border Gateway it wants me to set up 2 external IPs on my ASA, one to allow 443 traffic into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MBG in the DMZ. My problem is I don't know how to do this. The MBG only has one IP, and I need to have 2 different URLs mapped to two different external IPs, both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.
Any help would be appreciated. I posted two graphics from the Mitel Border Gateway config guide.
thanks!
11-01-2011 08:10 AM
Looks like this is what you would need to set up the translations.
! web traffic: one-to-one static, public IP3 <-> MBG IP2 (all ports)
static (DMZ,outside) IP3 IP2 netmask 255.255.255.255
! collaboration traffic: static PAT, public IP4 port 443 -> MBG IP2 port 4443
static (DMZ,outside) tcp IP4 443 IP2 4443 netmask 255.255.255.255
11-01-2011 08:21 AM
I tried that and I get an error about a conflict with existing static.
11-01-2011 08:40 AM
Sorry, try Policy Static PAT.
! MBG1: real side is the MBG (IP2) on 443; expose it on public IP3 port 443
access-list MBG1 permit tcp host IP2 eq 443 any
static (DMZ,outside) tcp IP3 443 access-list MBG1
! MBG2: real side is the MBG (IP2) on 4443; expose it on public IP4 port 443
access-list MBG2 permit tcp host IP2 eq 4443 any
static (DMZ,outside) tcp IP4 443 access-list MBG2
! these ACLs only select the real host/port for the static; they are not
! applied to any interface, so pick names not already used by interface ACLs
11-01-2011 10:11 AM
I'm a bit confused by this. I create two access lists, one for each outside-facing address, and allow 443 access to each of them; I think I create two static NAT entries that NAT the outside IPs to the access-lists?
11-01-2011 12:36 PM
See the example here of "Policy Static PAT".
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html#wp1081521
11-01-2011 12:57 PM
Where would the ACLs get applied? Currently I have MBG1 and MBG2 allowing 443 access on the outside interface; would your suggestion then put the ACLs on the DMZ interface?
11-01-2011 01:33 PM
Your existing ACLs on the outside interface would not change. Don't confuse the ACLs that are part of the policy PAT with the ACLs applied to your outside interface; they are totally separate.
The policy static PAT statements (static and ACL together) are saying that any traffic arriving at the outside interface destined for IP3 on port 443 should be forwarded to IP2 on port 443.
The other is saying that any traffic arriving at the outside interface destined for IP4 on port 443 should be forwarded to IP2 on port 4443.
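For the two policy static PAT statements just described, and for the 08:10 AM pair (a one-to-one static plus a static PAT for the same DMZ host) that the ASA rejected, here is an added example that is not from the thread and not Cisco code: a small Python model of how each mapped IP:port is tied to one real IP:port, how an inbound packet's destination and a reply's source are rewritten, and why the earlier pair overlaps. The addresses 192.168.1.10, 203.0.113.3 and 203.0.113.4 are placeholders chosen here for IP2, IP3 and IP4, and the overlap check is a simplified model of the ASA's rule, not its actual implementation.

```python
"""Model of the ASA 8.2 'static' translations discussed in this thread.

Added example, not from the thread and not Cisco code.  It models only what
the replies rely on: a static ties a mapped (outside) IP:port to a real (DMZ)
IP:port, an inbound packet gets its destination rewritten, a reply gets its
source rewritten back, and the ASA refuses a new static whose real side or
mapped side overlaps an existing one.  The ACL destination ('any' in the
thread) is ignored.  Addresses are placeholders for the thread's IP2 (MBG in
the DMZ), IP3 and IP4 (the two public addresses).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBG_DMZ = "192.168.1.10"        # stands in for IP2 (assumed)
PUBLIC_WEB = "203.0.113.3"      # stands in for IP3 (assumed)
PUBLIC_COLLAB = "203.0.113.4"   # stands in for IP4 (assumed)

Port = Optional[int]            # None means every port (a plain static)


@dataclass(frozen=True)
class Static:
    """One static.  With ports set it is a static PAT such as
    'static (DMZ,outside) tcp IP4 443 access-list MBG2' with the ACL
    'permit tcp host IP2 eq 4443 any'; with ports None it is the one-to-one
    'static (DMZ,outside) IP3 IP2 netmask 255.255.255.255'."""
    real_ip: str
    real_port: Port
    mapped_ip: str
    mapped_port: Port


def _overlaps(ip_a: str, port_a: Port, ip_b: str, port_b: Port) -> bool:
    """True if the two address:port claims share at least one address:port."""
    if ip_a != ip_b:
        return False
    return port_a is None or port_b is None or port_a == port_b


class NatTable:
    def __init__(self) -> None:
        self.entries: List[Static] = []

    def add(self, s: Static) -> None:
        """Reject a static that overlaps an existing one on either side."""
        for e in self.entries:
            if _overlaps(e.real_ip, e.real_port, s.real_ip, s.real_port):
                raise ValueError(f"real side {s.real_ip}:{s.real_port} conflicts with {e}")
            if _overlaps(e.mapped_ip, e.mapped_port, s.mapped_ip, s.mapped_port):
                raise ValueError(f"mapped side {s.mapped_ip}:{s.mapped_port} conflicts with {e}")
        self.entries.append(s)

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> DMZ: new destination, or None when no xlate matches."""
        for e in self.entries:
            if _overlaps(e.mapped_ip, e.mapped_port, dst_ip, dst_port):
                real_port = dst_port if e.real_port is None else e.real_port
                return (e.real_ip, real_port)
        return None

    def outbound(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """DMZ -> outside reply: the source is put back to the mapped address."""
        for e in self.entries:
            if _overlaps(e.real_ip, e.real_port, src_ip, src_port):
                mapped_port = src_port if e.mapped_port is None else e.mapped_port
                return (e.mapped_ip, mapped_port)
        return None


def policy_static_pat() -> NatTable:
    """The accepted answer: two public IPs, both on 443, one DMZ host."""
    t = NatTable()
    t.add(Static(MBG_DMZ, 443, PUBLIC_WEB, 443))      # MBG1: IP3:443 -> IP2:443
    t.add(Static(MBG_DMZ, 4443, PUBLIC_COLLAB, 443))  # MBG2: IP4:443 -> IP2:4443
    return t


def first_attempt() -> NatTable:
    """The 08:10 AM suggestion: a one-to-one static plus a static PAT for the
    same DMZ host.  The one-to-one static already claims every port of IP2,
    so the PAT entry overlaps it and add() raises."""
    t = NatTable()
    t.add(Static(MBG_DMZ, None, PUBLIC_WEB, None))
    t.add(Static(MBG_DMZ, 4443, PUBLIC_COLLAB, 443))
    return t


if __name__ == "__main__":
    nat = policy_static_pat()
    print(nat.inbound(PUBLIC_WEB, 443))     # ('192.168.1.10', 443)
    print(nat.inbound(PUBLIC_COLLAB, 443))  # ('192.168.1.10', 4443)
    print(nat.outbound(MBG_DMZ, 4443))      # ('203.0.113.4', 443)
    try:
        first_attempt()
    except ValueError as err:
        print("rejected:", err)
```

Run as-is, the two inbound lookups land on the MBG at 443 and 4443, and the reply leaving the MBG from 4443 goes out as the second public address on 443. The first_attempt() table is refused because the one-to-one static already claims every port of the MBG address, so the 4443 entry overlaps it; that overlap is the kind of thing behind the "conflict with existing static" error reported above, and it is why the policy form, which names a distinct real port in each ACL, is accepted.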
11-01-2011 02:05 PM
Hi-
I briefly looked at the diagram you uploaded, and assuming your main goal here is to use a single IP to PAT to 2 different destination IPs, please use the following. After you modify and drop in the script, run the 'sh xlate' command and this will show the translation slots created. Let me know how it works out, thanks.
!---start
!
!-be sure to modify where appropriate (i.e. interface names, IP addresses, and ACLs)
!
!-below is the ACL bound to the outside 'public' interface @1.1.1.1
access-list outside permit tcp any host 1.1.1.1 eq 443
access-list outside permit tcp any host 1.1.1.1 eq 4443
!-bind it to the outside interface (if another ACL is already applied there,
!-add the two permit lines to that ACL instead of replacing it)
access-group outside in interface outside
!
!-ACLs that will be referenced by the static PAT statements; they name the real
!-(inside) host and port and are not applied to any interface
access-list pat-acl-1a extended permit tcp host 192.168.1.10 eq 443 any
access-list pat-acl-1b extended permit tcp host 192.168.1.20 eq 4443 any
!
!-below are the static PAT statements referencing the above ACLs; 'interface'
!-uses the outside interface address (1.1.1.1) as the mapped address
static (inside,outside) tcp interface 443 access-list pat-acl-1a
static (inside,outside) tcp interface 4443 access-list pat-acl-1b
!
!---end
11-01-2011 02:09 PM
That's close, but I think it's backwards. I want two external IPs with the same port 443 open to the outside, to PAT to one DMZ IP, one for 443 and one for 4443.
11-01-2011 02:33 PM
Hi-
Sorry, I only briefly looked at the diagram. I'm not real clear on your requirements, but see the revised version below. Thanks
!---start
!
!-be sure to modify where appropriate (i.e. interface names, IP addresses, and ACLs)
!
!-below is the ACL bound to the outside 'public' interface; both public IPs
!-are reached on 443 from the outside
access-list outside permit tcp any host %public IP 1% eq 443
access-list outside permit tcp any host %public IP 2% eq 443
!-bind it to the outside interface (if another ACL is already applied there,
!-add the two permit lines to that ACL instead of replacing it)
access-group outside in interface outside
!
!-ACLs that will be referenced by the static PAT statements; they name the real
!-(dmz) host and port of the single MBG and are not applied to any interface
access-list pat-acl-1a extended permit tcp host 192.168.1.10 eq 443 any
access-list pat-acl-1b extended permit tcp host 192.168.1.10 eq 4443 any
!
!-below are the static PAT statements referencing the above ACLs
!-public IP 1 port 443 -> 192.168.1.10 port 443
static (dmz,outside) tcp %public IP 1% 443 access-list pat-acl-1a
!-public IP 2 port 443 -> 192.168.1.10 port 4443 (the mapped port stays 443,
!-matching the outside ACL; pat-acl-1b supplies the dmz-side port 4443)
static (dmz,outside) tcp %public IP 2% 443 access-list pat-acl-1b
!
!---end