09-25-2009 08:25 PM - edited 03-11-2019 09:19 AM
Hello,
I have a situation where I am replacing a SonicWall firewall with an ASA 5510. I have several public IPs assigned to several systems in the DMZ.
For example, the outside interface address is 66.100.0.2
I have OWA (443) on 66.100.0.3 > 10.10.20.3
SharePoint (443) on 66.100.0.4 > 10.10.20.4
Company website (80) on 66.100.0.5 > 10.10.20.5
Public IPs are just examples.
Not sure how the SonicWall did it, but we are able to get to all our resources as described above.
Is it possible for the ASA to handle this?
09-25-2009 11:42 PM
Hi, that is possible on the ASA.
09-26-2009 05:04 AM
Static NAT:
static (DMZ,outside) 66.100.0.3 10.10.20.3
static (DMZ,outside) 66.100.0.4 10.10.20.4
static (DMZ,outside) 66.100.0.5 10.10.20.5
or
Static PAT:
static (DMZ,outside) tcp 66.100.0.3 443 10.10.20.3 443 netmask 255.255.255.255
static (DMZ,outside) tcp 66.100.0.4 443 10.10.20.4 443 netmask 255.255.255.255
static (DMZ,outside) tcp 66.100.0.5 80 10.10.20.5 80 netmask 255.255.255.255
You also have to add permit entries to the ACL applied on the outside interface to allow TCP 443 and TCP 80 to these public IP addresses from any source on the internet.
Example:
access-list outside-acl permit tcp any host 66.100.0.3 eq 443
access-list outside-acl permit tcp any host 66.100.0.4 eq 443
access-list outside-acl permit tcp any host 66.100.0.5 eq 80
access-group outside-acl in interface outside
09-26-2009 06:41 AM
Wow, is it really that easy? How does the traffic even know to get to the ASA from these other public IPs if the outside interface of the ASA is a different public IP?
Outside is 66.10.0.2
So if I'm a user somewhere and I make a request to 66.10.0.5, how does it know to go to 66.10.0.2 to get there?
Thanks for the help!
09-26-2009 09:34 PM
It's all in the IP block you got from your ISP. E.g., say they give you the block 66.39.100.0/29; then you have 6 usable public IPs, 66.39.100.1 - 66.39.100.6, in theory. So all internet traffic destined to any of those 6 IPs will be routed to your location, i.e. https://mail.company.com could resolve to 66.39.100.1, http://www.company.com could be 66.39.100.2, and 66.39.100.3 could be the outside IP of your ASA, etc. This could also be set up slightly differently, but I'm sure you get the point.
The ACL actually opens the port for traffic to enter the ASA from the outside interface, as the ASA doesn't allow traffic from a lower-security interface (outside) to reach a higher-security interface (DMZ, inside, etc.) by default.
NAT/PAT statements on the ASA are always confusing to me :) They always seem to be in the wrong order. In simple terms, static NAT translates the real address (10.10.10.2) to a mapped address that is routable, e.g. 66.39.100.2. PAT is slightly different.
These will help you understand static NAT/PAT and ACLs:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Donavan
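As an added worked example (not configuration from any of the posts above), the script below ties together the two points made in this thread: the static NAT/PAT plus outside ACL from the 09-26 answer, and Donavan's point that every public address you publish has to sit inside the block your ISP actually routes to you. It validates a publishing plan against those rules, renders the pre-8.3 `static` / `access-list` lines in the same form the answer uses, and simulates how an inbound SYN to a public address is handled under static PAT versus full static NAT. The ISP block (66.100.0.0/29), the outside address (66.100.0.2) and the three servers are constructed to match the question; the helper names (`Publish`, `validate`, `render`, `inbound`) are this example's own. One caveat worth knowing: the ACL here matches on the public (mapped) address, which is the pre-8.3 behaviour shown in the thread; from ASA 8.3 onward interface ACLs match on the real (DMZ) address instead.

```python
"""Validate, render and simulate static NAT/PAT for DMZ servers behind an ASA.

Added example for this thread, not configuration from the original posts.
All addresses and names below are constructed to match the question.
"""
import ipaddress
from dataclasses import dataclass

ISP_BLOCK = ipaddress.ip_network("66.100.0.0/29")   # constructed ISP-routed block
OUTSIDE_IP = ipaddress.ip_address("66.100.0.2")     # constructed outside interface


@dataclass(frozen=True)
class Publish:
    """One server exposed on the outside: hypothetical helper type."""
    name: str
    mapped: str   # public (mapped) address routed to you by the ISP
    real: str     # real address in the DMZ
    port: int     # the single TCP port exposed


SERVERS = [
    Publish("OWA", "66.100.0.3", "10.10.20.3", 443),
    Publish("SharePoint", "66.100.0.4", "10.10.20.4", 443),
    Publish("WebSite", "66.100.0.5", "10.10.20.5", 80),
]


def validate(servers, block=ISP_BLOCK, outside=OUTSIDE_IP):
    """Return a list of problems with the plan; an empty list means it is consistent.

    Every mapped address must lie inside the block the ISP routes to you
    (otherwise the packets never reach the outside interface), must not be
    the network or broadcast address of that block, must not collide with
    the outside interface address, and no two servers may claim the same
    mapped address:port pair.
    """
    problems = []
    seen = set()
    for s in servers:
        m = ipaddress.ip_address(s.mapped)
        if m not in block:
            problems.append(f"{s.name}: {s.mapped} is outside ISP block {block}")
        elif m in (block.network_address, block.broadcast_address):
            problems.append(f"{s.name}: {s.mapped} is the network/broadcast address")
        if m == outside:
            problems.append(f"{s.name}: {s.mapped} collides with the outside interface")
        key = (s.mapped, s.port)
        if key in seen:
            problems.append(f"{s.name}: {s.mapped}:{s.port} is already published")
        seen.add(key)
    return problems


def render(servers, acl="outside-acl"):
    """Render static PAT lines and the matching outside ACL (pre-8.3 syntax)."""
    lines = [
        f"static (DMZ,outside) tcp {s.mapped} {s.port} {s.real} {s.port} "
        f"netmask 255.255.255.255"
        for s in servers
    ]
    lines += [f"access-list {acl} permit tcp any host {s.mapped} eq {s.port}" for s in servers]
    lines.append(f"access-group {acl} in interface outside")
    return lines


def inbound(servers, dst_ip, dst_port, mode="pat"):
    """Simulate an inbound TCP SYN arriving on the outside interface.

    mode="pat": only the published port has a translation, so any other
    port to that public address has nowhere to go and is dropped.
    mode="nat": the whole address translates, so the packet reaches the
    real host only if the outside ACL permits that port (it permits just
    the published one, as in the thread's example ACL).
    Returns (real_destination_or_None, verdict).
    """
    for s in servers:
        if s.mapped != dst_ip:
            continue
        translates = mode == "nat" or s.port == dst_port
        if not translates:
            return (None, "no translation, dropped")
        if s.port == dst_port:
            return (s.real, "permitted")
        return (s.real, "denied by outside-acl")
    return (None, "not a mapped address")


if __name__ == "__main__":
    for p in validate(SERVERS) or ["plan is consistent"]:
        print(p)
    print("\n".join(render(SERVERS)))
    print(inbound(SERVERS, "66.100.0.5", 443))
    print(inbound(SERVERS, "66.100.0.5", 443, mode="nat"))
```

Run it as-is and it prints the consistency check, the seven config lines, and the two verdicts for a port-443 probe against the web server's public address; change `ISP_BLOCK` or add a `Publish` entry with an address outside the block to see `validate` flag it before it ever reaches a live firewall.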
09-27-2009 08:25 AM
John,
Your ISP provided you the public addresses. It is their responsibility to bring the traffic destined to the ASA's outside address, as well as the other addresses we added in the static commands, to the outside interface of the ASA. Once the traffic arrives on the ASA, the ASA will take care of sending it to the appropriate servers on the DMZ.
Piece of cake!