05-15-2012 04:28 AM - edited 03-11-2019 04:07 PM
Hi there,
Sorry for "spamming" this forum but we're new to the ASA and really want to get the most out of it.
We're running three networks (inside, outside and dmz). Inside is 10.0.1.0/24, dmz is 10.0.2.0/24, outside is a static ip allocated by our ISP. We'd like to configure the following:
All traffic from the outside to [static provider ip] on port 80 should go to 10.0.2.200 port 8080.
What do we have to configure to do so?
05-15-2012 04:44 AM
I'd suggest using the wizards built into the ASA configuration GUI (ASDM). You will generally need 1. a NAT rule to translate your internal address to an external one and 2. an access-list rule to allow externally initiated requests to come through the firewall.
05-15-2012 04:47 AM
Marvin, could you possibly provide the command line commands for doing exactly this?
05-15-2012 05:58 AM
Anybody? This is pretty urgent... we need to make the web server listening on port 8080 on the dmz network available to outside requests coming in on port 80 of the public IP address. Please, everything we tried failed so far.
05-15-2012 06:13 AM
Hi ralf,
Follow this:
object network provider_ip
 host 1.1.1.1
object network private_ip
 host 10.0.2.200
object service tcp_80
 service tcp destination eq 80
object service tcp_8080
 service tcp destination eq 8080
nat (outside,inside) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-15-2012 06:15 AM
Varun,
His server is on DMZ. So NAT rule would need to be:
nat (outside,dmz) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080
Do you agree?
He would also need an access list for the incoming traffic, yes?
05-15-2012 12:04 PM
Hi,
I think the link below can help you better!!!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Raj
05-15-2012 06:21 AM
Thanks a lot, again!
The web server is not on the inside network but on the dmz. Can I just replace every occurrence of inside with dmz in the above?
Sent from Cisco Technical Support iPhone App
05-15-2012 06:22 AM
Also, do we need any form of acl / firewall rule in addition to the above?
Sent from Cisco Technical Support iPhone App
05-15-2012 06:37 AM
Oooopss, sorry, missed that... Thanks Marvin for the sharp eye. Yes Ralf, you would also need the access-list on the outside interface; make sure you include the private IP of the server on that access-list and allow for port 8080.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-15-2012 06:50 AM
Varun, would you mind giving me the exact command for the access list(s)? Really don't want to trial-and-error anymore...
Sent from Cisco Technical Support iPhone App
05-15-2012 06:54 AM
Now I am just assuming the name of the access-list on the outside interface, you can change it accordingly:
access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-15-2012 07:19 AM
show access-list outputs the following. Is it safe to assume that I can just enter the above command exactly as it is?
gcxfw# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
05-15-2012 07:43 AM
Well, if you don't have any access-list applied on the ASA then this is the complete syntax for it:
access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
access-group outside_access_in in interface outside
Thanks,
Varun Rao
Security Team,
Cisco TAC
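The pieces from this thread combined into one ASA 8.3+ configuration for the port-forward asked about, with the interface pair corrected to (outside,dmz) and a verification step. This is an added example, not a post from the thread; 1.1.1.1 stands in for the provider's static IP as in Varun's post, and 203.0.113.10 is a constructed client address for the packet-tracer check.

```cisco
! Added example (not from the thread): full configuration for
! outside:1.1.1.1:80 -> dmz:10.0.2.200:8080 on ASA 8.3 or later.
! Assumption: 1.1.1.1 is a placeholder for the provider's static IP.

object network provider_ip
 host 1.1.1.1
object network private_ip
 host 10.0.2.200
object service tcp_80
 service tcp destination eq 80
object service tcp_8080
 service tcp destination eq 8080

! Twice NAT: a packet arriving on outside for 1.1.1.1:80 is forwarded to
! 10.0.2.200:8080 on the dmz interface. The pair is (outside,dmz), not
! (outside,inside), because the server lives in the dmz. The source is
! left untranslated ("any any"), so the server logs the real client IP.
nat (outside,dmz) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

! Inbound ACL. On 8.3+ the ACL is matched against the real (untranslated)
! address and port, hence 10.0.2.200 and 8080 rather than 1.1.1.1 and 80.
! Only this one host/port is opened; everything else from outside is still
! dropped by the implicit deny at the end of the list.
access-list outside_access_in remark Inbound HTTP to dmz web server (translated to 8080)
access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
access-group outside_access_in in interface outside

! Verification: simulate an inbound connection from a constructed outside
! client (203.0.113.10 is a documentation-range placeholder) and confirm
! that the NAT and ACCESS-LIST phases both report ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.1 80 detailed
! Then confirm the translation and any live connections to the server:
show nat detail
show conn address 10.0.2.200
```

If packet-tracer shows the drop in the ACCESS-LIST phase, the usual cause is an ACL written against the public IP or port 80 instead of the real 10.0.2.200:8080.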
05-15-2012 11:57 AM