multiple inbound static nat on ASA

suthomas1
Level 6
Level 6

Hi,

We have a requirement to do the following NAT on an Internet-facing ASA, for inbound traffic from the Internet towards local LAN servers.

Our ASA is running version 8.2(2).

210.18.171.24 --> 201.203.22.50 ( private ip 10.96.10.95 & 10.96.10.90 , both on tcp/21 port )

202.88.84.121 --> 201.203.22.50 ( private ip 10.96.10.95 & 10.96.10.90 , both on tcp/21 port)

81.100.79.94   --> 201.203.22.50 ( private ip 10.96.10.95 & 10.96.10.90 , both on tcp/9100 port)

IP 201.203.22.50 is the interface ip on ASA outside interface.

These will need to be redirected to the 10.96.x.x network private IPs given above.

I know that static NAT allows only one mapping for each similar IP address. Hence please help me on how to achieve the above.

Thanks in advance!

1 Accepted Solution

Accepted Solutions

Hi,

You are not configuring the NAT statements as Blau suggested.

You are using the same ports as the ones visible to the public network. Blau has suggested using ports 2000x for the mapped ports.

You CAN'T use the same port twice on a single public IP address because the firewall has no way of knowing which NAT rule should be used.

So you should use what Blau suggested. To me it seems impossible to configure with a single public IP address otherwise.

These were the configurations Blau suggested. As you can see you are trying to enter totally different configurations.

static (inside,outside) tcp interface 20000 10.96.10.95 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20001 10.96.10.90 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20002 10.96.10.95 9100 netmask 255.255.255.255

static (inside,outside) tcp interface 20003 10.96.10.90 9100 netmask 255.255.255.255

You just have to allow the traffic on the ACL destined for the 2000x ports. You also have to make sure you are connecting to those ports.

- Jouni


12 Replies 12

blau grana
Level 7
Level 7

Hello Thomas,

Configure a static port forward:

201.203.22.50:20000 -> 10.96.10.95:21

201.203.22.50:20001 -> 10.96.10.90:21

201.203.22.50:20002 -> 10.96.10.95:9100

201.203.22.50:20003 -> 10.96.10.90:9100

With ACL on outside interface, inbound direction, filter which IP addresses:ports will be allowed.

Best Regards

Please rate all helpful posts and close solved questions


Thanks, will the static NAT with port forwarding look like below?

static (inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255

static (inside,outside) tcp interface 9100 10.96.10.95 9100 netmask 255.255.255.255

Please suggest.

Hello,

I think this is the correct configuration.

static (inside,outside) tcp interface 20000 10.96.10.95 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20001 10.96.10.90 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20002 10.96.10.95 9100 netmask 255.255.255.255

static (inside,outside) tcp interface 20003 10.96.10.90 9100 netmask 255.255.255.255

Also do not forget to allow the particular ports in the outside-in ACL.

Best Regards

Please rate all helpful posts and close solved questions


I tried this but it doesn't work. I saw that simply using static (inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255 doesn't work, as when we use the same statement for the second private IP 10.96.10.90, it gives an error saying it is in use or so.

Probably because the interface IP has been in use by another private IP address.

Then I tried putting an access list for this, but after invoking the access list name in the static statement, it gives errors.

access-list traffic line 1 extended permit tcp any eq ftp host 10.96.10.90 eq ftp

static (inside,outside) tcp interface ssh access-list traffic netmask 255.255.255.255

This gives an error which says: invalid option netmask, but I do see the netmask option for the static command.

Appreciate help on how to do this.

Message was edited by: sunny thomas

Saw that simply using static (inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255 doesn't work as when we use the same statement for the second private IP 10.96.10.90, it gives an error saying in use or so.

Surely it doesn't work. How do you think the ASA should distinguish to which internal host to forward traffic, if both are configured with the same public IP/port?

Blau has provided a working configuration. When accessing those servers from outside, you should use the corresponding ports (i.e. 20001-20003). Plus, you should allow access from the outside to those port numbers in the ACL applied to the outside interface.

I have allowed this traffic in the ACL on the outside interface.

The problem is with the static configurations for inbound NAT; this is where I get errors.

I tried using the following:

static(inside,outside) tcp interface 21 10.96.10.90 21 netmask 255.255.255.255

static(inside,outside) tcp interface 9100 10.96.10.90 9100 netmask 255.255.255.255

static(inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255

static(inside,outside) tcp interface 9100 10.96.10.95 9100 netmask 255.255.255.255

When doing this, it says the static is already in use for the IP or so, possibly because the same IP is used for different statements.

I had the corresponding ACLs configured on the outside interface for allowing this traffic.

In this case, how should I be making it work?

Thanks in advance.


Looks like you're not reading what was previously posted))

You've got this:

static(inside,outside) tcp interface 21 10.96.10.90 21 netmask 255.255.255.255

static(inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255

Let's say that the ASA allowed you to input those two.

Now, say traffic from the outside comes to 201.203.22.50 (your outside interface) on port 21.

How do you think the ASA should behave? Should it forward traffic to 10.96.10.90 or to 10.96.10.95?

So, in your case the config should look at least like this:

static(inside,outside) tcp interface 20001 10.96.10.90 21 netmask 255.255.255.255

static(inside,outside) tcp interface 9100 10.96.10.90 9100 netmask 255.255.255.255

static(inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255

static(inside,outside) tcp interface 9101 10.96.10.95 9100 netmask 255.255.255.255

Now, when traffic comes to 201.203.22.50/20001, the ASA will send it to 10.96.10.90/21,

and when traffic comes to 201.203.22.50/21, it'll send it to 10.96.10.95/21.

Same thing for 9100.

The access list on the outside interface should be configured with the translated ports. I.e. access to 201.203.22.50/20001 and the others should be permitted.

Thanks for the clarification.  I got the crux now.

I am new to this , so my questions are naive. Apologies for that.

Let me understand some more here. The ports 21 and 9100 are application ports that are active on the internal IPs 10.96.10.90 & 10.96.10.95.

The first port 20001 in the below statement refers to the local source port, correct? Which means I can use any number here, as it is only a differentiating factor for the incoming traffic towards 10.96.10.91 for FTP port traffic.

Is my understanding above correct? If so, that means I'll have to use some random local port numbers in the static statement for traffic on port 9100 also.

Appreciate all help!

Hi,

Look through the below configuration suggested by Blau earlier:

static (inside,outside) tcp interface 20000 10.96.10.95 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20001 10.96.10.90 21 netmask 255.255.255.255

static (inside,outside) tcp interface 20002 10.96.10.95 9100 netmask 255.255.255.255

static (inside,outside) tcp interface 20003 10.96.10.90 9100 netmask 255.255.255.255

First we notice that we are doing "static" translation.

Next we notice that we are doing a Static NAT or Static PAT (Port Forward) for a host behind "inside" towards "outside". In other words we wish to translate the "inside" IP address to an IP address on the "outside".

Next we notice the parameter "tcp". This defines that we want to forward some single TCP port. Naturally this could be "udp" also if that was required.

The keyword/parameter "interface" defines that we will be using the public IP address of the "outside" interface. If you had a spare public IP address that you could use you could replace this parameter with the actual public IP address for example.

Next we notice the port 2000x. This port is the port visible to the "outside" users. In other words the user on the "outside" would be connecting using the public IP address of the "outside" interface and using the destination TCP port 2000x.

Next we see the local IP address of the host towards which the above mentioned connection would be heading after the firewall had processed the packet.

And the very last piece of information we give in the Static PAT configuration is the real port which is listening on the actual device on the LAN network.

To give a simple example of the format (naturally not the exact format that could be used, but one that explains what information the firewall expects you to enter):

static (sourceinterface,destinationinterface) tcp publicip publicport localip localport netmask 255.255.255.255

Naturally there are variations to this command format. One good example is using the "interface" parameter instead of the actual public IP address. But if you only have the public IP address on the firewall's "outside" interface then you can only use the "interface" parameter.

Hope I didn't explain it in a too complicated way.

Hope this helps

- Jouni

Thanks again for the reply.

How can we use an access-list with static NAT to account for the different statements?

Hi,

When you are doing Static PAT (which is basically forwarding ports) you don't really need to use any ACL in the NAT statements/configuration.

The ACLs everyone has been referring to are the ones that are attached to interfaces.

For example, in this case you should configure an ACL that is attached to your "outside" interface to be able to allow someone from the Internet to connect to the hosts for which you have done the Static PAT configurations.

However, I am not sure if you already have some ACL attached to the "outside" interface? This can be confirmed with the command "show run access-group". This will list all the attached ACLs and tell which interface each ACL is attached to and in which direction the rule is applied.

For example, if we were to presume that you wanted to allow traffic from anywhere to these forwarded ports then you could use this kind of ACL:

access-list OUTSIDE-IN permit tcp any interface outside eq 20000

access-list OUTSIDE-IN permit tcp any interface outside eq 20001

access-list OUTSIDE-IN permit tcp any interface outside eq 20002

access-list OUTSIDE-IN permit tcp any interface outside eq 20003

access-group OUTSIDE-IN in interface outside

But as I said, I don't know if you have an existing ACL that is attached to the "outside" interface already. If you have, then you will configure additional rules to that existing ACL and not create the above ACL named "OUTSIDE-IN".

- Jouni
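As an added illustration (not code from this thread, and not Cisco code), the Python below models the two things the replies explain: the field-by-field meaning of the static command (public ip/port on the left, real ip/port on the right) and the outside-interface ACL that must permit the mapped 2000x ports. It also shows why the earlier attempt that claimed public port 21 twice is refused: the lookup key is (protocol, public IP, public port), and a second static for the same key has no unambiguous answer. The addresses and the static/access-list lines are copied from the thread; the parser, the packet model and the function names are assumptions made for this example.

```python
import re

OUTSIDE_IP = "201.203.22.50"  # outside interface address from the thread

# Config text copied from the thread (ASA 8.2 syntax).
SUGGESTED_STATICS = """
static (inside,outside) tcp interface 20000 10.96.10.95 21 netmask 255.255.255.255
static (inside,outside) tcp interface 20001 10.96.10.90 21 netmask 255.255.255.255
static (inside,outside) tcp interface 20002 10.96.10.95 9100 netmask 255.255.255.255
static (inside,outside) tcp interface 20003 10.96.10.90 9100 netmask 255.255.255.255
"""

# The earlier attempt: the same public port claimed for two real hosts.
CONFLICTING_STATICS = """
static(inside,outside) tcp interface 21 10.96.10.90 21 netmask 255.255.255.255
static(inside,outside) tcp interface 21 10.96.10.95 21 netmask 255.255.255.255
"""

OUTSIDE_IN_ACL = """
access-list OUTSIDE-IN permit tcp any interface outside eq 20000
access-list OUTSIDE-IN permit tcp any interface outside eq 20001
access-list OUTSIDE-IN permit tcp any interface outside eq 20002
access-list OUTSIDE-IN permit tcp any interface outside eq 20003
"""

# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask MASK
STATIC_RE = re.compile(
    r"static\s*\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+(?P<real_ip>\S+)\s+"
    r"(?P<real_port>\d+)\s+netmask\s+\S+"
)
# access-list NAME [extended] permit|deny proto src dst [eq PORT]  (subset only)
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<src>any|host\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|interface\s+\w+)(?:\s+eq\s+(?P<port>\d+))?"
)


def _resolve(token, outside_ip):
    """Turn 'any', 'host X' or 'interface outside' into a comparable address."""
    if token == "any":
        return "any"
    kind, value = token.split()
    return outside_ip if kind == "interface" else value


def parse_statics(config, outside_ip=OUTSIDE_IP):
    """Yield ((proto, public ip, public port), (real ip, real port)) per static line."""
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed static line: {line!r}")
        mapped_ip = outside_ip if m["mapped_ip"] == "interface" else m["mapped_ip"]
        yield ((m["proto"], mapped_ip, int(m["mapped_port"])),
               (m["real_ip"], int(m["real_port"])))


def mapping_conflict(config, outside_ip=OUTSIDE_IP):
    """Describe the first public ip/port claimed twice, or return None."""
    seen = {}
    for key, target in parse_statics(config, outside_ip):
        if key in seen:
            return f"{key} already maps to {seen[key]}; cannot also map to {target}"
        seen[key] = target
    return None


def build_pat_table(config, outside_ip=OUTSIDE_IP):
    """Return the Static PAT lookup table; refuse a config with a duplicate key."""
    conflict = mapping_conflict(config, outside_ip)
    if conflict:
        raise ValueError(conflict)
    return dict(parse_statics(config, outside_ip))


def build_acl(config, outside_ip=OUTSIDE_IP):
    """Parse ACEs into ordered (action, proto, src, dst, dport) tuples."""
    entries = []
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed access-list line: {line!r}")
        entries.append((m["action"], m["proto"], _resolve(m["src"], outside_ip),
                        _resolve(m["dst"], outside_ip),
                        int(m["port"]) if m["port"] else None))
    return entries


def acl_permits(acl, proto, src, dst, dport):
    """First matching ACE wins; no match is the implicit deny at the end."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if a_src != "any" and a_src != src:
            continue
        if a_dst != "any" and a_dst != dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action == "permit"
    return False


def inbound(pat, acl, proto, src, dst, dport):
    """Inbound packet on outside: on 8.2 the interface ACL is evaluated against the
    public (untranslated) destination, then Static PAT rewrites it. Returns the
    real (ip, port) the packet is sent to, or None if it is dropped or unmapped."""
    if not acl_permits(acl, proto, src, dst, dport):
        return None
    return pat.get((proto, dst, dport))


if __name__ == "__main__":
    pat = build_pat_table(SUGGESTED_STATICS)
    acl = build_acl(OUTSIDE_IN_ACL)
    print(inbound(pat, acl, "tcp", "210.18.171.24", OUTSIDE_IP, 20001))  # ('10.96.10.90', 21)
    print(inbound(pat, acl, "tcp", "210.18.171.24", OUTSIDE_IP, 21))     # None
    print(mapping_conflict(CONFLICTING_STATICS))
```

Running it shows a connection to 201.203.22.50:20001 landing on 10.96.10.90:21, a connection to port 21 being dropped because nothing permits or maps it, and the conflicting pair rejected before any table is built. To restrict the source addresses as the original question wanted, the "any" in each ACE would be replaced by "host <source ip>" entries; the model already understands that form.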
