Many to One/Many "PAT" Translation with ASA and Load Balancer?

BrianChernish
Level 1

I am not sure if I am using the right terminology to describe this, but here is what I am trying to do. I have a single load balancer and I would like to be able to redirect traffic to 3 separate silos of Terminal Servers (Silo A, Silo B and Silo C), based on the public IP that an external user specifies in their TS Client.

For example:

I have 3 public IPs (69.xxx.xxx.001, 69.xxx.xxx.002 and 69.xxx.xxx.003) which users can enter into a TS Client. Traffic from the TS Clients will arrive at my ASA destined for TCP Port 3389 in all 3 cases.

I have a Load Balancer which has a single Private IP Address (10.1.1.207). I have the Load Balancer configured so that traffic which is destined for 69.xxx.xxx.001 on TCP Port 3389 goes to "Silo A", traffic which is destined for 69.xxx.xxx.002 on TCP Port 3390 goes to "Silo B", and traffic which arrives for 69.xxx.xxx.003 on TCP Port 3391 goes to "Silo C".

So what I would like to configure the ASA to do is to “Translate” traffic from the Public side of my ASA as follows:

69.xxx.xxx.001 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3389 (Silo A)
69.xxx.xxx.002 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3390 (Silo B)
69.xxx.xxx.003 on TCP Port 3389 to be directed to 10.1.1.207 – TCP Port 3391 (Silo C)

My typical “One to One” NAT looks something like this:

static (inside,outside) 69.xxx.xxx.xxx 10.1.1.xxx netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 69.xxx.xxx.xxx eq 3389

I cannot seem to find a way to include Port Translation in the “static” command and I obviously cannot simply point 3 different Public IPs at a single Private IP and then do the “translation” within the access-list.

Any assistance is appreciated!

Brian

4 Replies

Julio Carvajal
VIP Alumni

Hello,

The port forwarding has to be like this:

static (inside,outside) tcp 69.xxx.xxx.xxx 3389 10.1.1.xxx 3389

static (inside,outside) tcp 69.xxx.xxx.xxx 3389 10.1.1.xxx 3390

static (inside,outside) tcp 69.xxx.xxx.xxx 3389 10.1.1.xxx 3391

That is all you need. By the way, you are using 3 different publics, right?

Please rate helpful post.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply Julio, that part seems to be acceptable to the ASA (no errors!).

Will I have to do something special with the access list based on the translation?  Will this work, or will I need to somehow reference the 3 different TCP Ports in the 3 access lists?:

access-list outside_access_in extended permit tcp any host 69.xxx.xxx.xxx eq 3389

I would have the above access list for each of the "public IPs".

Brian

Sorry, I missed your question, but yes, I have 3 different Public IPs.

Brian

Hello,

Yes, that is all you need; point the access-list at the 3 different public IP addresses on their respective ports.

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
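A complete version of the configuration worked out in this thread, added here as an example; it is not taken from either poster. It uses the pre-8.3 `static` syntax Julio gives, with 203.0.113.1, .2 and .3 standing in for the redacted public addresses (an assumption, the page only shows 69.xxx.xxx.00N) and 10.1.1.207 for the load balancer as stated in the question. Because ASA 8.3 changed both the NAT syntax and what an interface ACL matches, the equivalent object NAT configuration is included as well.

```cisco
! ---- ASA 8.2 and earlier: static PAT ----
! Syntax: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
! All three public IPs listen on 3389; the ASA rewrites the destination port so the
! load balancer (10.1.1.207) sees 3389, 3390 or 3391 and picks the silo from it.
static (inside,outside) tcp 203.0.113.1 3389 10.1.1.207 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.2 3389 10.1.1.207 3390 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.3 3389 10.1.1.207 3391 netmask 255.255.255.255

! Pre-8.3 the inbound ACL matches the MAPPED (public) address and port, so each
! entry permits 3389 to its public IP. "any" exposes RDP to the whole Internet;
! replace it with the client networks that actually need access where possible.
access-list outside_access_in extended permit tcp any host 203.0.113.1 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.3 eq 3389
access-group outside_access_in in interface outside

! ---- ASA 8.3 and later: the same result with object NAT ----
! Syntax: nat (real_ifc,mapped_ifc) static mapped_ip service tcp real_port mapped_port
! Three objects may share the same host address; each carries one port mapping.
object network LB-SILO-A
 host 10.1.1.207
 nat (inside,outside) static 203.0.113.1 service tcp 3389 3389
object network LB-SILO-B
 host 10.1.1.207
 nat (inside,outside) static 203.0.113.2 service tcp 3390 3389
object network LB-SILO-C
 host 10.1.1.207
 nat (inside,outside) static 203.0.113.3 service tcp 3391 3389

! From 8.3 the inbound ACL is evaluated AFTER untranslation, so it must name the
! REAL address and REAL port, not the public one.
access-list outside_access_in extended permit tcp any host 10.1.1.207 eq 3389
access-list outside_access_in extended permit tcp any host 10.1.1.207 eq 3390
access-list outside_access_in extended permit tcp any host 10.1.1.207 eq 3391
access-group outside_access_in in interface outside

! ---- Verification (either version) ----
! Simulate an Internet client (198.51.100.10, constructed) hitting the Silo B address;
! the output should show the NAT phase rewriting 203.0.113.2:3389 to 10.1.1.207:3390
! and the ACCESS-LIST phase permitting it.
packet-tracer input outside tcp 198.51.100.10 50000 203.0.113.2 3389
show xlate
```

Whichever version applies, run `packet-tracer` for each of the three public addresses before handing the change to users: a translation that is accepted syntactically but blocked by an ACL written against the wrong (mapped vs. real) address is the most common failure in this setup, and the tracer shows exactly which phase drops the packet.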