I am Failing to NAT/PAT 2 webservers on port 443 in DMZ, They each have a public IP???

yamikani2g2
Level 1

Good day experts.


I have two webservers in my DMZ. I want them accessible to the world on port 443. They both may require SSH; I know I can change this one.

The ISP has given me a /30 for the outside interface and 2 public IP addresses as /32s. The routing works fine.

I have an issue, as only one server is working. When I add the second one it overrides the other. I can't seem to wrap my head around what is happening.


End solution: I need both web servers accessible from the outside world on port 443 on their respective public IP addresses. I have pasted my configs here. IP addresses have been changed, but the services are the real ones.


The IP addresses and Network
********************************
object network HTTPS-SMS01
host 192.168.10.50
object network WWW-SMS01
host 192.168.10.50
object network SSH-SMS01
host 192.168.10.50
object network VAS01-EXT
host 4.4.4.2
object network HTTPS-VAS01-IN
host 192.168.11.50
object network SSH-VAS01-IN
host 192.168.11.50
object network WWW-VAS01-IN
host 192.168.11.50
object network 16088-VAS01-IN
host 192.168.11.50
object network 16089-VAS01-IN
host 192.168.11.50
object network 16090-VAS01-IN
host 192.168.11.50
object network 8080-VAS01-IN
host 192.168.11.50

object network 01-EXT
host 4.4.4.1

The NATing of the IP addresses above
**************************************************************

object network HTTPS-01
nat (DMZ,OUTSIDE) static 01-EXT service tcp https https
object network WWW-01
nat (DMZ,OUTSIDE) static 01-EXT service tcp www www
object network SSH-01
nat (DMZ,OUTSIDE) static 01-EXT service tcp ssh ssh
object network HTTPS-01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp https https
object network SSH-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp ssh ssh
object network WWW-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp www www
object network 6088-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp 16088 16088
object network 6089-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp 16089 16089
object network 6090-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp 16090 16090
object network 8080-VAS01-IN
nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp 8080 8080
object network VAS01-INET
nat (DMZ2,OUTSIDE) dynamic interface


ACL permitting traffic
************************************************************


access-list world_in extended permit tcp any object HTTPS-01 eq https
access-list world_in extended permit tcp any object WWW-01 eq www
access-list world_in extended permit tcp any object SSH-01 eq ssh
access-list world_in extended permit tcp any object HTTPS-VAS01-IN eq https
access-list world_in extended permit tcp any object WWW-VAS01-IN eq www
access-list world_in extended permit tcp any object SSH-VAS01-IN eq ssh
access-list world_in extended permit tcp any object 6088-VAS01-IN eq 16088
access-list world_in extended permit tcp any object 6089-VAS01-IN eq 16089
access-list world_in extended permit tcp any object 6090-VAS01-IN eq 16090
access-list world_in extended permit tcp any object 8080-VAS01-IN eq 8080

access-group world_in in interface OUTSIDE

1 Reply

caroldso
Cisco Employee

Hi,


I see a lot of mismatches in the object network names under "The IP addresses and Network" and "The NATing of the IP addresses above".


However, please provide the output of the packet-tracer command for the server that is not working. It would give more insight. Please find the syntax below:


packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed]


which in your case would be:


packet-tracer input OUTSIDE tcp <any public IP say 8.8.8.8> <random port say 1234> <public IP of the server not working> 443 detailed
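As an added example (not part of this thread and not a Cisco tool), a small Python checker that reads the kind of object/NAT/ACL text posted above and flags the inconsistencies the reply points at: nat statements under object names that never received a host, ACEs that reference objects which do not resolve to an address, and, as a general sanity check beyond this thread, two static NATs claiming the same mapped IP and port. The embedded config is a constructed excerpt that reuses the poster's object names; the finding labels are this example's own.

```python
import re
from collections import defaultdict
# Constructed excerpt of the ASA config posted above; the object names are the poster's.
ASA_CONFIG = """
object network HTTPS-VAS01-IN
 host 192.168.11.50
object network VAS01-EXT
 host 4.4.4.2
object network 01-EXT
 host 4.4.4.1
object network HTTPS-01
 nat (DMZ,OUTSIDE) static 01-EXT service tcp https https
object network HTTPS-01-IN
 nat (DMZ2,OUTSIDE) static VAS01-EXT service tcp https https
access-list world_in extended permit tcp any object HTTPS-01 eq https
access-list world_in extended permit tcp any object HTTPS-VAS01-IN eq https
"""
# mapped object/IP, protocol, mapped port of an object NAT line; object named in an ACE
NAT_RE = re.compile(r"nat \(\S+,\S+\) static (\S+) service (\S+) \S+ (\S+)")
ACL_RE = re.compile(r"access-list \S+ extended permit \S+ \S+ object (\S+)")
def audit_asa_objects(config):
    """Return (kind, detail) findings for object/NAT/ACL name inconsistencies."""
    hosts, nats, acl_refs, current = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
            hosts.setdefault(current, None)  # object defined, no address seen yet
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            nats[current] = m.groups()
        elif m := ACL_RE.match(line):
            acl_refs.append(m.group(1))
    findings = []
    for name, (mapped, _, _) in nats.items():
        if hosts.get(name) is None:  # nat under an object that never got a host/subnet
            findings.append(("nat_without_address", name))
        if mapped not in hosts and not re.fullmatch(r"\d+(\.\d+){3}", mapped):
            findings.append(("nat_mapped_object_undefined", f"{name} -> {mapped}"))
    for name in acl_refs:
        if hosts.get(name) is None:  # ACE names an object that is undefined or empty
            findings.append(("acl_object_unresolved", name))
    by_mapped = defaultdict(list)  # two static NATs on one mapped IP/port collide
    for name, (mapped, proto, port) in nats.items():
        by_mapped[(hosts.get(mapped) or mapped, proto, port)].append(name)
    for (ip, proto, port), names in by_mapped.items():
        if len(names) > 1:
            findings.append(("mapped_collision", f"{ip} {proto}/{port}: {', '.join(names)}"))
    return findings
```

Run against the excerpt it reports the two NAT objects with no host and the ACE that points at one of them; the resolved object HTTPS-VAS01-IN produces no finding.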
