12-16-2008 07:54 AM - edited 03-11-2019 07:26 AM
Hi,
I have a Cisco ASA 5520 and wonder if this is possible.
We have a server (172.24.10.13) on a VLAN off our 5520 that needs to connect to a SQL server (192.168.200.5) on the inside. No problem there, but they want the VLAN server to use port 9999 instead of 1433 for SQL, and want the inside SQL server to "see" the 9999 port traffic as 1433. Possible?
I thought there might be a way to translate traffic sent as TCP 9999 to TCP 1433 before it hits 192.168.200.5.
12-16-2008 10:34 AM
Sure, it's called a port translation. Below is an example. Here we translate port 8080 on a public IP to port 80 on the inside web server.
static (inside,outside) tcp 69.222.73.5 8080 192.168.1.20 80 netmask 255.255.255.255
Hope that helps.
12-16-2008 11:51 AM
Thanks, I guess I will just need to add an access list for this as well? Like an allow any to 69.222.73.5 on 8080?
12-16-2008 11:53 AM
Yep, you got it.
12-16-2008 12:59 PM
Hmm, still having no luck.
I added:
static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255
then added an access list to allow 172.24.10.13 to 192.168.200.5 on port 9877.
I then tried to telnet to "192.168.200.5 9877" and it failed.
12-16-2008 01:06 PM
In your NAT statement your DMZ client is looking to 172.24.10.13 on port 9877 for SQL access. Is that correct? If so, can you check your log when it fails?
12-16-2008 01:21 PM
My DMZ client is 172.24.10.13 and needs to use TCP 9877 to the inside server 192.168.200.5, and PAT to TCP 1433.
12-16-2008 01:39 PM
Do you NAT between your DMZ or route?
12-16-2008 01:43 PM
I NAT
12-16-2008 01:50 PM
You'll need a new NAT address that translates to the inside. Something like this:
static (DMZ_Web_Servers,inside) tcp [new NAT IP] 9877 192.168.200.5 1433 netmask 255.255.255.255
12-16-2008 01:54 PM
I see, so I can't use the IP of the DMZ server, I need to use this PAT, and only that server can use it?
12-16-2008 01:56 PM
Yes, but anyone can use it, you'll restrict that with the ACL.
12-16-2008 02:00 PM
So I can use a random IP address from the DMZ subnet that is not in use?
12-16-2008 02:02 PM
Most people set up a special subnet just for NAT, but if you didn't then grabbing a local IP should work. Depends on how your current NATs are set up.
12-16-2008 02:19 PM
Hi, just got curious, but shouldn't you have your static and ACL statements like this?
static (inside, DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255
then add an ACL to (DMZ-int in): permit tcp host 172.24.10.13 host 192.168.200.5 eq 9877
This is just what I understood from the 1st post...
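Added example, not from any post in this thread: a small Python model of the pre-8.3 `static` port-translation syntax the replies use (real interface named first, mapped interface second), run against the two statements posted above to show which one actually translates the DMZ client's 9877 connection to 1433. It deliberately ignores everything else the ASA evaluates (ACLs, routing, other NAT rules); those are assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Pre-8.3 ASA syntax, as used in this thread:
#   static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
# The interface named FIRST is where the real server lives; the one named SECOND
# is where clients see the mapped (translated) address and port.
STATIC_RE = re.compile(
    r"static\s*\((?P<real_if>[\w-]+),\s*(?P<mapped_if>[\w-]+)\)\s+tcp\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>[\d.]+)\s+(?P<real_port>\d+)\s+netmask\s+255\.255\.255\.255"
)


@dataclass(frozen=True)
class StaticPat:
    real_if: str
    mapped_if: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line: str) -> StaticPat:
    """Parse one 'static ... tcp ...' line into its real and mapped halves."""
    m = STATIC_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a TCP static port translation: {line!r}")
    d = m.groupdict()
    return StaticPat(d["real_if"], d["mapped_if"], d["mapped_ip"], int(d["mapped_port"]),
                     d["real_ip"], int(d["real_port"]))


def translate(pat: StaticPat, ingress_if: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination the real server sees for a new TCP connection arriving on
    ingress_if, or None when this static does not apply to that flow."""
    if ingress_if == pat.mapped_if and (dst_ip, dst_port) == (pat.mapped_ip, pat.mapped_port):
        return (pat.real_ip, pat.real_port)
    return None


# Constructed check using the two statements from the thread: the DMZ client
# 172.24.10.13 connects to 192.168.200.5:9877 and the SQL server should see 1433.
FLOW = ("DMZ_Web_Servers", "192.168.200.5", 9877)
FAILING = "static (DMZ_Web_Servers,inside) tcp 192.168.200.5 1433 172.24.10.13 9877 netmask 255.255.255.255"
WORKING = "static (inside,DMZ_Web_Servers) tcp 192.168.200.5 9877 192.168.200.5 1433 netmask 255.255.255.255"

if __name__ == "__main__":
    for label, line in (("failing", FAILING), ("working", WORKING)):
        print(label, translate(parse_static(line), *FLOW))
```

The first statement returns None because it declares the DMZ host as the real server and the inside as the mapped side, the reverse of the flow; on pre-8.3 code the inbound ACL on the DMZ interface must then permit the mapped destination (192.168.200.5 eq 9877), not the real port.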