cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1444
Views
0
Helpful
22
Replies

Help with PAT on Cisco ASA 5520

whiteford
Level 1
Level 1

Hi,

I have a Cisco ASA 5520 and wonder if this is possible.

We have a server (172.24.10.13) on a VLAN off our 5520 that needs to connect to a SQL server (192.168.200.5) on the inside. No problem there, but I they want the VLAN server to user port 9999 instead of 1433 for SQL but want the inside SQL server to "see" the 9999 port traffic as 1433, possible?

I thought there might be a way to translate traffic sent as TCP 9999 to TCP 1433 before it his 192.168.200.5.

22 Replies 22

Hi.

Well the server on 172.24.10.13 in the DMZ needs to access the SQL server on 192.168.200.5 on the inside on TCP Port 9877, however 192.168.200.5 is only receiving traffic on TCP port 1433 from 172.24.10.13 so we need to PAT 9877 somehow.

I thought that's what you wanted? The DMZ server thinks SQL is running on port 9877, but it's really running on 1433 on the inside host. The NAT statement translates port 9877 to 1433. Please correct my thinking.

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

Most places (at least that I see) do not NAT between the DMZ and the inside network, they just route. NAT will work but it just makes it more confusing and harder to troubleshoot! The NAT can really be in any subnet, the firewall just needs to know that it is responsible for the IP or subnet. If you're unsure if you're NATing between DMZ and inside, post your NAT, Global, and statics statements.

Thanks, should this NAT be turned off on the ASA, if so how? I would much prefer this to be easier :)

Look for a nat 0 statement or you could be translating the internal subnet or just IP's.

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

or

static (inside,dmz) 192.168.200.5 192.168.200.5 netmask 255.255.255.255

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

You are right, I have 2 answers which are different.

I will test with yours today, the only bit that confused me (only be I bet as usual) was the part about using a new IP for the NAT that is not inuse. Does it have to be an IP in the same subnet as the DMZ VLAN - 172.24.10x?

Review Cisco Networking for a $25 gift card