Setting up port forwarding ASA 5505

joelpc1976
Level 1

Hello,

We are trying to set up our ASA 5505 to do port forwarding to multiple internal servers and have run into some issues. A little background on what we are trying to do.

We have 1 static external IP. Internally we have one existing server (10.1.1.184) that has port 80 forwarded to it and another existing server (10.1.1.185) that has port 443 forwarded to it. Both of these servers are serving separate web apps to our employees who of course use them offsite. We have now added an additional server (10.1.1.186) that needs to use both ports 80 and 443. Is there any way to set it up so that these ports can be forwarded to all the servers that need them? Also, how would this work as far as knowing what traffic will need to go to which server even though it is using the same port?

The equipment is:

  • ASA 5505
  • ASA Version 7.2(4)
  • ASDM Version 5.2(4)

I apologize in advance if what I'm trying to do is difficult/impossible. I inherited the ASA 5505 at this location and I was not here when it was initially installed. In fact no one on staff was here when it was initially installed. I did manage to find the passwords to it though. I'm not at all familiar with the ASA 5505 or Cisco security appliances in general. Thank you in advance for the replies.

Accepted Solution

Joel,

That's correct - a static NAT plus the access-list entry allowing the traffic from outside to inside on the IP address plus TCP ports your server requires. No subinterface or second interface is required (assuming your additional IP is in the same network as the original one or that your ISP is routing it as in the example cited in the link you found). When you add the static NAT it will allow the ASA to respond to ARPs received on the outside interface, populate the xlate table and respond according to the access-list and NAT rules you have configured.

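Joel's ASA runs 7.2(4), where the NAT syntax differs from the 8.4 object-NAT example later in the thread. The following is an added example (not from any poster) in 7.2 CLI of the two options Marvin describes: the PAT workaround on the single outside address, and below it the accepted solution using a second public IP. 203.0.113.11 is a placeholder for the new ISP-assigned address and the ACL name outside_access_in is assumed.

```cisco
! Option A (single public IP): PAT on non-standard outside ports to the new server.
! Remote users browse to http://<outside-IP>:8000 and https://<outside-IP>:8443.
static (inside,outside) tcp interface 8000 10.1.1.186 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 10.1.1.186 443 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 8000
access-list outside_access_in extended permit tcp any interface outside eq 8443
!
! Option B (accepted solution): second public IP, standard ports, no PAT.
! 203.0.113.11 is a placeholder for the second address from the ISP. It is NOT
! added to the outside interface; the static NAT alone makes the ASA proxy-ARP
! for it and build the xlate, which is why ASDM's interface dialog has no field for it.
static (inside,outside) 203.0.113.11 10.1.1.186 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq https
!
! Bind the ACL inbound on outside. On an existing ASA an ACL is usually already
! applied here, so add the permit lines to that ACL instead of creating a new one.
access-group outside_access_in in interface outside
!
! Verify: the translation for the new server should be present and the
! hit counts on the new ACEs should increment when a remote user connects.
show xlate | include 10.1.1.186
show access-list outside_access_in
```

Only the ports the server actually needs are permitted; the ACEs match the exact mapped address so the permit does not widen to the other two servers' translations.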

19 Replies

Marvin Rhoads
Hall of Fame

You can't do this exactly like you ask with only one public IP address. However, you can set up different public ports for your new server's private IP. Users would just specify the TCP port explicitly in the URL, overriding the default 80 or 443.

e.g., http://[ASA_outside_interface_IP]:8000

In ASDM, you would set this up under "Configuration, Firewall, NAT Rules". Create a rule for Interface "outside". Source is your outside interface address, destination the inside server's real IP address. Check the box to enable PAT. Choose a unique port number as the original port (like 8000 in the example URL above) and then 80 as the translated port. Repeat by making a second NAT/PAT rule for the port 443 destination (using a different unique port number on the outside address). Then add an access-list rule to allow the new inbound connections. Apply and save.

Marvin,

I had thought about that and the web searches I have done referred to doing that as well. The issue I could see us running into would be that the software for the new server which the customer is running is coded to go directly to 80 and 443. We like the idea that no non-standard ports would need to be opened on the customer's side to enable them to connect to our server. Would it be easier to request an additional external IP? Our ISP should be able to do that for us. If we do get an additional IP how would we set that up in the ASA 5505?

Thank you for the quick response.

Sure - if you have a second public IP, you simply set up a new NAT rule without the PAT bit. Just specify the new IP as the source and the real IP as the destination. You will still need to add an access list to allow outside to reach the server on ports 80 and 443.

Marvin,

Talked to our ISP and it is no issue to have a second static IP. We are going to be placing the order in the next few minutes, should have it provisioned yet today. Should I mark this as answered and open an additional question if I have issues or wait until we have it finished completely?

I really appreciate your help with this.

You're welcome. No hurry to mark it closed. Feel free to do so now or wait until after you've got it set up.

llamaw0rksE
Level 1

Probably easiest to get .186 remote users to add :8080 and :4443 to their http://wanipofyourrouter.

The idea being that the nat port translation will take care of proper routing.

Will need acl rules letting 8080 and 4443 through.

nat rules (config will depend on version - this is for 8.43 and ASDM 6.4)

! one object per NAT rule: in 8.3+ object NAT an object carries a single nat statement,
! so the same host is defined twice, once for each port translation
object network websecondserver
 host 10.1.1.186
 nat (inside,outside) static interface service tcp 80 8080

object network remoteaccesssecondserver
 host 10.1.1.186
 nat (inside,outside) static interface service tcp 443 4443

Alex,

I appreciate the response. I believe we are going to be adding a second IP and setting it up as suggested by Marvin. This will allow us to continue using the standard ports for both groups of people.

Ensure you have more than the basic license for the ASA 5505. I'm not sure if you can have two outside interfaces unless you have, I think, the Plus or greater license.

It won't be a second interface that he sets up - just a second IP on the existing outside interface to be used by the NAT rule only.

Oops, silly me. Thanks for the correction.

joelpc1976
Level 1

Marvin,

Just wanted to update you, we have our new external IP. We will be setting up the new information shortly. If I have any questions I'll be posting them here. Thanks again.

Marvin,

We have the second IP and have it working per the ISP. However I was looking at the Configuration > Interfaces for Outside. When I do edit it doesn't seem to allow me to add a second IP or (more likely) I have no idea what I'm doing. I'm using the ASDM 5.2 interface. Any help would be appreciated.

Joel

This is the only reference I found. Hope it has some kernel of usefulness.

http://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

Alex,

Thank you for the response. My confusion is that after re-reading Marvin's post it seems that I can do what I need with a static NAT. Any idea on that at all? Or am I just reading it wrong?

Sent from Cisco Technical Support iPad App
