02-09-2012 09:51 AM - edited 03-11-2019 03:26 PM
ASA newb here. This question has been asked before but the configurations seem to be different, so they don't really answer my question. I think mine is pretty simple but I can't find a clear "this is what you do" answer. I've been reading the Cisco docs trying to figure it out but they have so many different scenarios and examples that it's a little overwhelming. Plus none of them seem to match mine 100%.
ASA 8.4
I have 6 public IP addresses and want to use 2 of them. I have two servers running an application that needs port 1234 accessible externally for updates. Can't change port numbers and obviously can't route 1234 to two different places.
Say my range is 4.4.4.4 to 4.4.4.10. I want to use 4.4.4.4 and 4.4.4.5. My network currently looks like so:
4.4.4.4 <--> ASA <--> 192.168.0.0/24
I want:
4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24
Any ideas?
02-09-2012 09:58 AM
Steve,
What are you trying to do by having two IP addresses on the outside interface? Is this just for the servers? Depending on what you are trying to do, there are a couple of ways to do this.
Please give a little more information and we will be more helpful.
Thanks,
Kimberly
02-09-2012 10:19 AM
Just for the two servers. I have two servers with the same software running on port 1234. They both need to be accessible externally.
02-09-2012 10:43 AM
Steve,
You can do this with a static NAT for your two servers on that specific port. It would look kind of like this:
static (inside,outside) tcp 4.4.4.4 1234 192.168.X.X 1234 netmask 255.255.255.255
static (inside,outside) tcp 4.4.4.5 1234 192.168.X.X 1234 netmask 255.255.255.255
Or if you want to set them up to use the outside interface only on that port you can do that too.
static (inside,outside) tcp interface 1234 192.168.X.X 1234 netmask 255.255.255.255
Thanks,
Kimberly
02-09-2012 11:11 AM
He is running 8.4, so the nat is different.
Create an object for each server inside IP and outside IP, then you create the nat statement to tie them together, then create the outside ACL to allow that port access from any source, the destination will be the REAL ip of the server, not the public IP.
object network server1
 host 192.168.1.4
object network server2
 host 192.168.1.5
object network server1-outside
 host 4.4.4.5
object network server2-outside
 host 4.4.4.6
object network server1
 nat (inside,outside) static server1-outside
object network server2
 nat (inside,outside) static server2-outside
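For reference, here is the procedure from the post above carried through end to end as an added example (not tahequivoice's or Cisco's own text): the objects, the static NAT narrowed to tcp/1234 only, and the outside ACL that uses the real inside addresses. The addresses are the ones used in this thread; the ACL name outside_in and the test source address 203.0.113.10 are assumptions.

```cisco
! Added example: ASA 8.4 object NAT for two servers on the same port,
! each on its own public address. Addresses follow the thread; the ACL
! name "outside_in" and the packet-tracer source address are assumed.
object network server1
 host 192.168.1.4
object network server2
 host 192.168.1.5
object network server1-outside
 host 4.4.4.5
object network server2-outside
 host 4.4.4.6
!
! Static NAT restricted to the application port. Without the "service"
! clause the whole public address is mapped to the inside host, which
! exposes every listening port on the server rather than just 1234.
object network server1
 nat (inside,outside) static server1-outside service tcp 1234 1234
object network server2
 nat (inside,outside) static server2-outside service tcp 1234 1234
!
! From 8.3 on, interface ACLs are evaluated against the REAL (untranslated)
! address, so the destination here is the inside host, not 4.4.4.x.
! Permit only the one port; do not open "ip any" to the servers.
access-list outside_in extended permit tcp any host 192.168.1.4 eq 1234
access-list outside_in extended permit tcp any host 192.168.1.5 eq 1234
access-group outside_in in interface outside
!
! Checks: confirm the translation exists and that a simulated inbound
! connection is translated and permitted (result should show ALLOW).
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 4.4.4.5 1234
packet-tracer input outside tcp 203.0.113.10 40000 4.4.4.6 1234
```

The "empty object/object-group(s) detected" error seen later in the thread is what the ASA reports when a nat line refers to an object that has no host or subnet defined yet, so define all four network objects before entering the nat statements, as the order above does.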
02-09-2012 12:09 PM
I am sorry I totally missed the fact that he is running 8.4. You are so right on the money and this is also why he is getting the errors on the adding the older style static nat.
Thanks and good catch.
Kimberly
02-09-2012 11:40 AM
If I go the object route as tahequivoice suggested I get:
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded
02-09-2012 11:31 AM
I get an error: invalid input detected, and the marker is pointing at netmask.
02-09-2012 12:15 PM
Use the ASDM, it is SO much easier for a NOOB when it comes to 8.3/8.4. In the ASDM under Firewall, the right-hand window lists the objects. Create the objects there as I described, then when all are done, click on the inside server, expand NAT, choose static, and select the outside one you want to use. Click Advanced, then select the interfaces, and click OK.
Apply and you should be all set. Don't forget the ACL and use the REAL IP.
02-09-2012 12:16 PM
BTW NooB not meant to offend, EVERY one who goes from 8.2 to 8.3 is a NooB.
02-09-2012 12:36 PM
none taken.
Let me make sure I've got this right. I'll describe what I see in ASDM.
Line 1: Source Intf - inside, Dest Intf - outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Original--, Service - --Original--
Line 2: Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source - --Original-- (S), Destination - server2, Service - --Original--
I'm not entering your server1 info because I already have that setup and working.
ACL: Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit
Server2 = 192.168.1.5
Server2-Outside = 4.4.4.6 (my other external address)
02-09-2012 12:40 PM
It sounds right. Do a grab from the CLI and then I can tell if it is correct.
02-09-2012 12:45 PM
object network server2
 host 192.168.1.5
object network server2-outside
 host 4.4.4.6
 nat (inside,backup) static interface service tcp 1234 1234
object network server2
 nat (inside,outside) static server2-outside service tcp 1234 1234
02-10-2012 11:18 AM
I can confirm that this works. Thanks a bunch.