Port forwarding on PIX and ASA

sarat1317
Level 1

Hello

I would like to get a second opinion on whether the config below will work on a Cisco PIX or ASA running version 7.0. Basically, it configures port forwarding to different servers on a LAN on port www on different public IPs.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.12.13.10 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.5.2 255.255.255.0
!
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 11.12.13.14
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255

So this would route via the second WAN IP 11.12.13.11 to the same port www and forward to a different server, 10.0.5.22.

Thank you
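An offline cross-check of the static/access-list pairs in the configuration above, as an added example that is not part of the original post: for each static PAT rule it reports whether the ACL bound inbound on the mapped interface permits that public IP and port. The sample text is constructed from the question's rules plus an access-group line and one deliberately unmatched static; the function name audit_port_forwards is hypothetical.

```python
import re

# Constructed sample: the question's rules plus an access-group binding and
# one deliberately unmatched static (11.12.13.12) to show what gets flagged.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 11.12.13.10 eq www
static (inside,outside) tcp 11.12.13.10 www 10.0.5.12 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 11.12.13.11 eq www
static (inside,outside) tcp 11.12.13.11 www 10.0.5.22 www netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.12 www 10.0.5.32 www netmask 255.255.255.255
access-group outside_in in interface outside
"""

PORT_NAMES = {"www": "80", "https": "443"}  # small subset of ASA port keywords

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)")
PERMIT_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def port(p):
    return PORT_NAMES.get(p, p)

def audit_port_forwards(config):
    """Return one finding per static PAT rule: (mapped_ip, port, real_ip, status)."""
    statics, permits, bound = [], set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := PERMIT_RE.match(line):
            permits.add((m[1], m[2], port(m[3])))
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]          # interface -> inbound ACL name
    findings = []
    # Assumes 7.x semantics: the inbound ACL matches the mapped (public) address.
    for _real_if, mapped_if, mapped_ip, mapped_port, real_ip, _real_port in statics:
        acl = bound.get(mapped_if)
        if acl is None:
            status = "no inbound ACL bound to " + mapped_if
        elif (acl, mapped_ip, port(mapped_port)) in permits:
            status = "permitted by " + acl
        else:
            status = "no matching permit in " + acl
        findings.append((mapped_ip, port(mapped_port), real_ip, status))
    return findings

if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_CONFIG):
        print("%s:%s -> %s  %s" % f)
```

A forward that this check reports as permitted can then be confirmed on the device with packet-tracer.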

3 Accepted Solutions


Hi,

This configuration will work fine.

You're redirecting web port 80 traffic when it hits IP 11.12.13.10 to internal IP 10.0.5.12 and also redirecting www when it hits IP 11.12.13.11 to 10.0.5.22.

Just make sure that DNS is configured correctly to resolve the correct IPs and that web traffic reaching 11.12.13.10 is really intended for 10.0.5.12 and web traffic reaching 11.12.13.11 is really intended for 10.0.5.22.

Let me know.

Federico.

Joe B Danford
Cisco Employee

If your goal is to forward TCP port 80 for 11.12.13.10 to 10.0.5.12 and 11.12.13.11 to 10.0.5.22 then this should work fine.

If using ASA code 7.2(1) and above you can use the packet tracer command to test your configs.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.10 80 detailed

packet-tracer input outside tcp 4.1.1.1 1024 11.12.13.11 80 detailed

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

For the packet-tracer, instead of the CLI you can also use your ASDM (above 7.2(x)).

Just access your ASA using ASDM --> roll over TOOLS --> click on packet-tracer and set the packet parameters you want to simulate.

HTH

Vijaya

5 Replies

I appreciate all your responses. I tested it and it worked. Thank you.

Ganesh Hariharan
VIP Alumni

Hi,

For configuring port forwarding on Cisco PIX/ASA, check out the link below; hope this helps with your query!

http://i.i.com.com/cnwk.1d/i/tr/downloads/home/1587052148_chapter_5.pdf

Regards

Ganesh.H
