09-20-2017 11:42 AM - edited 02-21-2020 06:20 AM
I have the 172.27.0.0/20 network configured on the inside interface of the ASA, and on that inside interface I have connected a layer-3 switch (IP 172.27.0.254 on VLAN 1). On the switch I have created different VLANs with SVIs, like VLAN 2 (IP 172.27.2.254) and VLAN 3 (IP 172.27.3.254).
So now my question is: can I port-forward the server, i.e. 172.27.3.1, on the ASA, or should I change the scenario? Please share your answers. Thanks in advance.
09-20-2017 12:45 PM
Hi chintan0111,
Yes, you can achieve it with your current design. No need to change the scenario.
09-20-2017 09:06 PM
09-21-2017 06:25 AM
Hi chintan0111,
Do you have connectivity to the internal server 172.27.3.1 from the ASA (are you able to ping the server from the ASA)?
Can you post the config you did for this (NAT, ACL, route, etc.)?
09-21-2017 11:29 AM
Thanks for the answer.
Yes, the server is reachable from the ASA inside interface.
Please find the config below:
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address X.x.x.x 255.255.255.240
!
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 no ip address
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 172.27.0.50 255.255.240.0 standby 172.27.0.52
!
interface GigabitEthernet1/8
 description LAN/STATE Failover Interface
!
object network PF-172.27.3.1
 host 172.27.3.1
!
object network PF-172.27.3.1
 nat (inside,ISP1) static interface service tcp 3389 3389
access-list allow-port-forward extended permit tcp any host 172.27.3.33 eq 3389
!
object network test-PF-172.27.3.33
 nat (inside,ISP1) static interface service tcp 3389 3389
!
route ISP1 0.0.0.0 0.0.0.0 y.y.y.y 1
route inside 172.27.1.0 255.255.255.0 172.27.0.254 1
route inside 172.27.2.0 255.255.255.0 172.27.0.254 1
route inside 172.27.3.0 255.255.255.0 172.27.0.254 1
Here 172.27.0.254 is the layer-3 switch IP.
09-21-2017 11:45 AM - edited 09-21-2017 11:49 AM
Hi chintan0111,
You cannot forward a single port to two different IPs, as you are doing for ISP1 port 3389, which is forwarded to two hosts (172.27.3.1 & 172.27.3.33). Try the following configuration:
object network PF-172.27.3.1
 no nat (inside,ISP1) static interface service tcp 3389 3389
!
object network test-PF-172.27.3.33
 no nat (inside,ISP1) static interface service tcp 3389 3389
!
access-list allow-port-forward extended permit tcp any host 172.27.3.1 eq 3389
!
object service 3389
 service tcp source eq 3389
!
nat (inside,ISP1) source static PF-172.27.3.1 interface service 3389 3389
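A config-review check for the conflict this answer points out, added here as an example (it is not from the thread or from Cisco): it parses object-NAT stanzas in the shape of the config posted above and flags every interface port claimed by more than one static object NAT, plus objects that carry a NAT rule but no host line. The sample config is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the config posted above: two network objects
# both map tcp/3389 on the ISP1 interface address, plus one non-conflicting rule.
SAMPLE_CONFIG = """\
object network PF-172.27.3.1
 host 172.27.3.1
object network PF-172.27.3.1
 nat (inside,ISP1) static interface service tcp 3389 3389
object network test-PF-172.27.3.33
 nat (inside,ISP1) static interface service tcp 3389 3389
object network WEB-172.27.3.10
 host 172.27.3.10
 nat (inside,ISP1) static interface service tcp 80 8080
"""

OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
NAT_RE = re.compile(r"^\s+nat \(\S+,(\S+)\) static interface service (tcp|udp) \S+ (\S+)")

def parse_object_nats(config):
    """Map object name -> {"host": ip or None, "nats": [(mapped_if, proto, mapped_port)]}.
    'show run' prints the NAT rule in a second stanza of the same object, so stanzas
    sharing a name are merged."""
    objects = defaultdict(lambda: {"host": None, "nats": []})
    current = None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := HOST_RE.match(line)):
            objects[current]["host"] = m.group(1)
        elif current and (m := NAT_RE.match(line)):
            objects[current]["nats"].append(m.groups())
    return dict(objects)

def find_conflicts(config):
    """Return {(mapped_if, proto, mapped_port): [objects]} for each interface port
    claimed by more than one static object NAT: the ASA cannot satisfy both."""
    claims = defaultdict(list)
    for name, obj in parse_object_nats(config).items():
        for key in obj["nats"]:
            claims[key].append(name)
    return {k: v for k, v in claims.items() if len(v) > 1}

def find_natted_without_host(config):
    """Objects carrying a NAT rule but no host line, so they translate nothing."""
    return sorted(n for n, o in parse_object_nats(config).items()
                  if o["nats"] and o["host"] is None)
```

Run `find_conflicts` against a `show running-config` export before adding a new port forward; an empty result means the mapped port is still free on that interface.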
09-21-2017 10:03 PM