04-02-2014 06:48 PM - edited 03-11-2019 09:01 PM
Hi,
I'm stuck, here is what I need:
host1: 192.168.1.1 service tcp/443 >>>>> public IP 1.1.1.1 service tcp/443
host1: 192.168.1.1 service tcp/80  >>>>> public IP 1.1.1.1 service tcp/80
host2: 192.168.1.2 service tcp/22  >>>>> public IP 1.1.1.1 service tcp/22
host2: 192.168.1.2 service tcp/25  >>>>> public IP 1.1.1.1 service tcp/25
So people from remote just need to use 1.1.1.1 public ip to access all the ports on two different inside devices.
I will also need ports 80 and 22 for other access through/to the firewall, such as SSH to manage it, and I have a web page on a different public IP.
I am using an ASA 5540 with software 8.4(3).
Any help would be appreciated.
Thanks
04-03-2014 08:18 AM
Here's one way to do it. Create the objects and create the NAT mappings.
object network host1_tcp443
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 443 443
object network host1_tcp80
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
object network host2_tcp22
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 22 22
object network host2_tcp25
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 25 25

access-list outside_in extended permit tcp any host 192.168.1.1 eq 443
access-list outside_in extended permit tcp any host 192.168.1.1 eq 80
access-list outside_in extended permit tcp any host 192.168.1.2 eq 22
access-list outside_in extended permit tcp any host 192.168.1.2 eq 25
access-group outside_in in interface outside
Service NAT mappings are written as protocol, then the REAL port, then the NAT (mapped) port. So if you wanted to expose public port 4343 and send it to port 443 internally, your NAT would be: static interface service tcp 443 4343
If you want to be able to SSH to the firewall for management, you are going to have to use a different port for SSH on the public IP, maybe 2222, and NAT that to 22 internally using the example in the paragraph above.
To do another public IP to another web server you would just create the object, and the nat rule would be nat (inside,outside) static 2.2.2.2 or whatever other public IP you have.
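The answer above hinges on one rule: a given TCP port on the outside interface IP can be claimed only once, whether by a static PAT rule or by a to-the-box service such as SSH or ASDM. The following Python script is an added example, not code from the thread or from Cisco; it parses object-NAT static PAT lines in the 8.4 syntax shown above plus ssh/http access lines, renders each rule in mapped-to-real order (the direction a remote client sees, which is the reverse of how the "service tcp real mapped" keywords are typed), and reports every interface port claimed more than once. The sample config is constructed for the example; the two management lines on "outside" (network 203.0.113.0/24) are assumptions added to show the collision with the host2 port-22 rule, and the default listening ports in MGMT_PORTS are assumed ASA defaults.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the object NAT in the answer above. The two
# 'outside' management lines are assumptions added to show the overlap with
# to-the-box services; they are not in the thread.
SAMPLE_CONFIG = """\
object network host1_tcp443
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 443 443
object network host1_tcp80
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
object network host2_tcp22
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 22 22
object network host2_tcp25
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 25 25
ssh 172.16.16.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
http 203.0.113.0 255.255.255.0 outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
# nat (real_if,mapped_if) static <mapped_ip|interface> service <proto> <real_port> <mapped_port>
NAT_RE = re.compile(
    r"^\s+nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\d+) (\d+)$")
# ssh/http/telnet <network> <mask> <interface>
MGMT_RE = re.compile(r"^(ssh|http|telnet) \S+ \S+ (\S+)$")
# Assumed default listening port of each to-the-box service (http = ASDM over HTTPS).
MGMT_PORTS = {"ssh": 22, "http": 443, "telnet": 23}


def parse_static_pat(config):
    """Return one dict per object-NAT static PAT line, in config order."""
    rules, obj, host = [], None, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            obj, host = m.group(1), None
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj and host:
            real_if, mapped_if, mapped_ip, proto, real_port, mapped_port = m.groups()
            rules.append({
                "object": obj, "real_ip": host, "real_if": real_if,
                "mapped_if": mapped_if, "mapped_ip": mapped_ip, "proto": proto,
                "real_port": int(real_port), "mapped_port": int(mapped_port),
            })
    return rules


def parse_mgmt(config):
    """Return (service, interface) for each ssh/http/telnet access line."""
    return [m.groups() for m in map(MGMT_RE.match, config.splitlines()) if m]


def describe(rule):
    """Render a PAT rule as mapped -> real, the direction a remote client sees."""
    return (f"{rule['mapped_if']}:{rule['mapped_ip']} {rule['proto']}/{rule['mapped_port']}"
            f" -> {rule['real_ip']} {rule['proto']}/{rule['real_port']}")


def find_port_conflicts(config):
    """Map each (interface, mapped_ip, proto, port) claimed more than once to its claimants."""
    claims = defaultdict(list)
    for r in parse_static_pat(config):
        claims[(r["mapped_if"], r["mapped_ip"], r["proto"], r["mapped_port"])].append(
            f"object {r['object']} ({describe(r)})")
    for svc, iface in parse_mgmt(config):
        # Management binds to the interface's own address, so it is keyed on
        # "interface" exactly like a 'static interface' PAT rule.
        claims[(iface, "interface", "tcp", MGMT_PORTS[svc])].append(
            f"{svc} management on {iface}")
    return {k: v for k, v in claims.items() if len(v) > 1}


if __name__ == "__main__":
    for rule in parse_static_pat(SAMPLE_CONFIG):
        print(describe(rule))
    for (iface, ip, proto, port), owners in sorted(find_port_conflicts(SAMPLE_CONFIG).items()):
        print(f"CONFLICT {iface}:{ip} {proto}/{port}: " + "; ".join(owners))
```

Run against the sample, the script flags outside tcp/22 (host2_tcp22 versus SSH management) and outside tcp/443 (host1_tcp443 versus ASDM); changing the host2 rule to "service tcp 22 2222", as the answer suggests, clears the port-22 conflict while leaving the others untouched. The same check is worth running before every NAT change on a box you manage over its outside interface, since a colliding static PAT can silently take over the management port.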
04-04-2014 06:53 AM
Just to add to what John has already mentioned.
The commands to allow for SSH are the following:
hostname ASA-1
crypto key generate rsa modulus 2048
ssh 172.16.16.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
username cisco password cisco
enable password cisco123
There is no option to actually change the port for SSH. The ASA should recognize that this is to-the-box traffic, so it should not be affected.
--
Please remember to rate and select a correct answer