Re: Port-forwarding for server that will be on different network than inside network of ASA!

chintan0111 · ‎09-20-2017

I have 172.27.0.0/20 network configured on inside interface of ASA and then on inside interface I have connected layer-3 witch(ip:172.27.0.254 on vlan 1). And on switch I have created different VLANs with SVI like (vlan 2:ip:172.27.2.254, vlan3:ip:172.27.3.254) .

So now my question is can I port-forward the server i.e.172.27.3.1 on ASA or should change the scenario???. Please share your answers. Thanks in advance.

Spooster IT Services · ‎09-20-2017

Hi chintan0111,

Yes you can achieve it with your current design. No need to change scenario.

Spooster IT Services Team

chintan0111 · ‎09-20-2017

I tried port forwarding but didn't succeed , how can I achieve do I need create trunk between router n switch??

Spooster IT Services · ‎09-21-2017

Hi chintan0111,

Do you have connectivity to internal server 172.27.3.1 from ASA (Are you able to ping server from ASA)?

Can you post the config you did for this (NAT, ACL, Route etc)?

Spooster IT Services Team

chintan0111 · ‎09-21-2017

Thanks for the answer,

Yes the server is rechable from ASA inside interface.

Please find below config

interface GigabitEthernet1/1
nameif ISP1
security-level 0
ip address X.x.x.x 255.255.255.240
!
interface GigabitEthernet1/2
nameif ISP2
security-level 0
no ip address
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 172.27.0.50 255.255.240.0 standby 172.27.0.52
!

interface GigabitEthernet1/8
description LAN/STATE Failover Interface

!

object network PF-172.27.3.1
host 172.27.3.1

!

object network PF-172.27.3.1
nat (inside,ISP1) static interface service tcp 3389 3389

access-list allow-port-forward extended permit tcp any host 172.27.3.33 eq 3389

!
object network test-PF-172.27.3.33
nat (inside,ISP1) static interface service tcp 3389 3389

!

route ISP1 0.0.0.0 0.0.0.0 y.y.y.y 1
route inside 172.27.1.0 255.255.255.0 172.27.0.254 1
route inside 172.27.2.0 255.255.255.0 172.27.0.254 1

route inside 172.27.3.0 255.255.255.0 172.27.0.254 1

Here 172.27.0.254: layer-3 switch ip

Spooster IT Services · ‎09-21-2017

Hi chintan0111,

You can not forward single port to two different IP's as you are doing for ISP1 port 3389 to forward to two host (172.27.3.1 & 172.27.3.33). Try the following configuration:

object network PF-172.27.3.1
no nat (inside,ISP1) static interface service tcp 3389 3389
!
object network test-PF-172.27.3.33
no nat (inside,ISP1) static interface service tcp 3389 3389
!
access-list allow-port-forward extended permit tcp any host 172.27.3.1 eq 3389

!

object service 3389
service tcp source eq 3389
nat (inside,ISP1) source static interface service tcp 3389 3389

Spooster IT Services Team

chintan0111 · ‎09-21-2017

No that was mistakenly written by me, correct config is given below

object network PF-172.27.3.1
host 172.27.3.1
access-list allow-port-forward extended permit tcp any host 172.27.3.1 eq 3389

object network PF-172.27.3.1
nat (inside,ISP1) static interface service tcp 3389 3389

access-group allow-port-forward in interface ISP1