Port Forwarding Help

andrewgarlick
Level 1

Hi

I have a couple of ASA 5505s which work fine for what they are doing (VPN and all that). We have 1 DLINK DFR-700 firewall left and I need to get a new ASA to replace it since it is old.

All this box really does is port forward external clients to 1 address on the internal lan for client software updates.

So my question is, since I have never really done this: does anybody have any example configs?

So let's say we have client A with IP 1.1.1.1 and client B with 2.2.2.2. At the moment this is what happens: clients A and B come in through HTTP and get mapped to the internal HTTP server 10.10.1.2.

So I need to set up about 100 clients which can come in through HTTP only and get mapped to the internal IP, while also keeping the internal server able to access anything outside.

Make sense?

Any help would be great - thanks

1 Reply

varrao
Level 10

Hi Andrew,

If I understand your configuration correctly, you've got close to about 100 clients on the outside, which need to be connected to your internal HTTP server, so I assume your network topology is something like this:

outside----------ASA-------------inside

(clients)                             (server)

Now to publish this particular server to the outside world, you would need to map it to a public IP address, let's say 100.100.100.100


and if you do not have a free IP address, you can use static port forwarding (which would only use a single port, instead of the whole IP address).

static (inside,outside) tcp 100.100.100.100 443 10.10.10.10 443

Along with that you would need to allow access to clients by applying an access-list on the outside interface.

access-list outside_access extended permit tcp host 1.1.1.1 host 100.100.100.100

access-group outside_access in interface outside

To give access to the internal users for the internet, you need the following rules:

nat (inside) 1 0 0

global (outside) 1 interface

All of the internal users would be PATed to the outside interface of the ASA.

Here is a document for ASA NAT/PAT:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Let me know if this was what you were looking for.

Regards,

Varun Rao

Thanks,
Varun Rao
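
With about 100 permitted clients, the per-host ACL line in the reply can be replaced by one object-group and a single ACL entry limited to the forwarded port. The generator below is an added example, not code from either poster or from Cisco; it assumes the pre-8.3 ASA syntax used in the reply, takes its addresses from the thread, and the names `build_asa_acl` and `UPDATE_CLIENTS` are hypothetical.

```python
import ipaddress


def build_asa_acl(clients, public_ip, port, group="UPDATE_CLIENTS",
                  acl="outside_access", iface="outside"):
    """Return pre-8.3 ASA config lines that permit only `clients`
    to reach public_ip on the single forwarded TCP port."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port: {port}")
    dest = ipaddress.IPv4Address(public_ip)

    seen, hosts = set(), []
    for raw in clients:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in the client list
        # IPv4Address raises ValueError on typos such as "10..10.10.10.10"
        addr = ipaddress.IPv4Address(text)
        if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            raise ValueError(f"not a usable client address: {addr}")
        if addr not in seen:  # de-duplicate while keeping input order
            seen.add(addr)
            hosts.append(addr)
    if not hosts:
        raise ValueError("no client addresses given")

    lines = [f"object-group network {group}"]
    lines += [f" network-object host {h}" for h in hosts]
    # One ACL entry covers every client and names the forwarded port,
    # so nothing but that port is permitted toward the public address.
    lines.append(f"access-list {acl} extended permit tcp "
                 f"object-group {group} host {dest} eq {port}")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


if __name__ == "__main__":
    # Constructed sample list using the two client addresses from the thread.
    sample = ["1.1.1.1", "2.2.2.2", "1.1.1.1"]
    print("\n".join(build_asa_acl(sample, "100.100.100.100", 443)))
```

Adding or removing a client then means editing the object-group only; the ACL and access-group lines stay unchanged.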