11-05-2018 01:54 PM - edited 02-21-2020 08:26 AM
This is a dumbed down version of what I'm trying to do, but if I can get this much figured out I'm golden.
The setup:
- ASA 5505 running 9.2.4(28)
- ISP has assigned block of external IPs 10.0.0.1-10.0.0.14
- ASA's outside interface can "see" traffic on all external IPs
- ASA's outside interface configured for 10.0.0.1
- ASA's inside configured for 192.168.1.1 (255.255.255.0 to keep it simple)
What I need:
- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1.20.
Is this possible? And if so how do I do it (details pretty pretty please with sugar on top).
11-06-2018 12:45 AM
That's interesting! I've always configured it like this:
object network websvr-ext
 host 10.0.0.2
object network websvr-int-80
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 80 80
object network websvr-int-443
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 443 443
! permit inbound traffic to the real (inside) host on each published port
access-list OUTSIDE-IN extended permit tcp any object websvr-int-80 eq 80
access-list OUTSIDE-IN extended permit tcp any object websvr-int-443 eq 443
Will have to test your config sometime.
regards, mk
11-05-2018 02:01 PM
Hi,
Try this:-
object network SRV1
 host 192.168.1.20
 nat (inside,outside) static 10.0.0.2
access-list OUTSIDE->IN permit tcp any host 192.168.1.20 eq 443
access-list OUTSIDE->IN permit tcp any host 192.168.1.20 eq 80
You will probably have to change the ACL name and possibly also the interface names (inside,outside).
HTH
11-05-2018 02:06 PM
Good example guide for your reference :
11-05-2018 04:12 PM
@GrootLives wrote:
This is a dumbed down version of what I'm trying to do, but if I can get this much figured out I'm golden.
The setup:
- ASA 5505 running 9.2.4(28)
- ISP has assigned block of external IPs 10.0.0.1-10.0.0.14
- ASA's outside interface can "see" traffic on all external IPs
- ASA's outside interface configured for 10.0.0.1
- ASA's inside configured for 192.168.1.1 (255.255.255.0 to keep it simple)
What I need:
- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1.20.
Is this possible? And if so how do I do it (details pretty pretty please with sugar on top).
Looks promising. I'll give it a go tomorrow. Done for the day.
@balaji.bandi wrote:
Good example guide for your reference :
Easy to read guide. Only uses a single IP though. Have to see if it scales up to multiple IPs. Again I'll check it out tomorrow.
11-06-2018 02:40 AM
But as per your original message
What I need:
- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1.20.
So we have suggested a configuration for a single IP. If your requirement is multiple IPs, please explain more. Multiple IPs are also possible, but we would like to know the use case so we can suggest something better rather than make assumptions.
11-06-2018 03:39 AM - edited 11-06-2018 04:15 AM
@mkazam001 wrote:
That's interesting! I've always configured it like this:
object network websvr-ext
 host 10.0.0.2
object network websvr-int-80
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 80 80
object network websvr-int-443
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 443 443
! permit inbound traffic to the real (inside) host on each published port
access-list OUTSIDE-IN extended permit tcp any object websvr-int-80 eq 80
access-list OUTSIDE-IN extended permit tcp any object websvr-int-443 eq 443
Will have to test your config sometime.
regards, mk
That seemed to do the trick. Thanks everyone.
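An offline sanity check for a port-forward config of this shape, added here as an example and not part of any post in the thread: it confirms that every object named in an ACL entry is defined and that each statically published port has a matching permit to the real (inside) address. The `audit` function, the `PORT_NAMES` map and the sample text are assumptions made for illustration, and the parser assumes ACL entries with source `any` and a single `eq` port.

```python
# Constructed sample in the style of this thread's configs. The second ACL
# line deliberately names an object that is never defined.
SAMPLE = """\
object network websvr-ext
 host 10.0.0.2
object network websvr-int-80
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 80 80
object network websvr-int-443
 host 192.168.1.20
 nat (inside,outside) static websvr-ext service tcp 443 443
access-list OUTSIDE-IN extended permit tcp any object websvr-int-80 eq 80
access-list OUTSIDE-IN extended permit tcp any object websvr-int eq 443
"""

# "show run" prints some ports by name; normalise the two used here.
PORT_NAMES = {"www": "80", "https": "443"}

def audit(config):
    """Return findings for dangling ACL objects and unpermitted published ports."""
    hosts, published, permitted, findings = {}, [], set(), []
    current = None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["object", "network"] and len(w) == 3:
            current = w[2]
        elif w[:1] == ["host"] and current and len(w) == 2:
            hosts[current] = w[1]                      # real (inside) address
        elif w[:1] == ["nat"] and current and "service" in w:
            real_port = w[w.index("service") + 2]      # service tcp <real> <mapped>
            published.append((current, PORT_NAMES.get(real_port, real_port)))
        elif w[:1] == ["access-list"] and "permit" in w and "eq" in w:
            eq = w.index("eq")                         # assumes source is "any"
            kind, dest = w[eq - 2], w[eq - 1]
            port = PORT_NAMES.get(w[eq + 1], w[eq + 1])
            if kind == "object" and dest not in hosts:
                findings.append(f"ACL references undefined object: {dest}")
            elif kind in ("object", "host"):
                permitted.add((hosts.get(dest, dest), port))
    for name, port in published:
        if (hosts.get(name), port) not in permitted:
            findings.append(f"no permit for published {hosts.get(name)}:{port}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check does not verify that the ACL is bound to the outside interface, so confirm that separately on the device.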