cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2389
Views
0
Helpful
6
Replies

Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT

mike.welker
Level 1
Level 1

I have a situation where we have a single DMZ server currently statically forwarded to a single public IP.  TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.

However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server.  This server only needs traffic on TCP/8800 forwarded to it.

I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.

My question lies in the reconfiguration of NAT/ PAT.  Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port.  I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?

It appears ASDM will not allow me to put multiple ports into a single network object.  I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Michael.

It appears ASDM will not allow me to put multiple ports into a single  network object.  I am assuming I will need to add 6 separate object  translations for the "old" server based on TCP port, and 1 object  translation for the "new" server, correct?

That is correct, for the NAT configuration you need to do it like that, This setup is going to work as you expect so you will not face any issues.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Michael.

It appears ASDM will not allow me to put multiple ports into a single  network object.  I am assuming I will need to add 6 separate object  translations for the "old" server based on TCP port, and 1 object  translation for the "new" server, correct?

That is correct, for the NAT configuration you need to do it like that, This setup is going to work as you expect so you will not face any issues.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

JCarvaja, thank you for your help.  That worked as expected.

However, I am having a slightly different issue on the outbound side.  I need the "old " server to statically resolve OUTBOUND on port 5080 as the correct public IP, and it appears the ASA is not translating this properly.  I have removed all standard static NATs for the two servers in our DMZ, and I am doing only PAT.  Inbound, all of the correct ports respond.  Outbound, the "old" server is resolving as the public outside interface of the ASA, whereas when the server sends outbound, on port 5080, I need it to resolve as the same IP it uses for inbound.

I think I may just be missing a setting somewhere.  It also appears that I can statically NAT the entire DMZ network to use the correct public IP, rather than the interface address, but my question then lies on the inbound side.  If the two servers send out using the same public IP, based on the DMZ network, when a request comes in, will the ASA defer to using PAT, because it doesn't know a specific host to translate to?  If thats the case, it sounds like the most logical option.

Hello Michael,

Glad I could help!

I am not following you, what do you mean by I need the "old " server to statically resolve OUTBOUND on port 5080 as  the correct public IP, and it appears the ASA is not translating this  properly.

Also you said you do not have any static one to one translation and only have inbound PAT, can you share the inbound pat configuration??

Please explain me this in order to help,

Diagrams always help

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, so I beleive I've truncated this down to what you need in order to give me a hand.  Remember that I must configure this using ADSM for screenshot purposes.  There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test.  I'll explain the desired topology below the config.:

: Saved

:

ASA Version 8.3(1)

!

hostname ASA-SVRRM-5510

domain-name domain.corp

!

names

name 10.20.1.23 NCASK333

name 10.20.1.40 Barracuda

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 1.1.1.3 255.255.255.248

!

interface Ethernet0/1

description DMZ

nameif DMZ

security-level 20

ip address 172.16.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 10.20.1.249 255.255.0.0

!

!

object network mail.domain.com

host 10.20.1.40

object network NCASK333

host 10.20.1.23

object network obj-10.20.1.218

host 10.20.1.218

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.192.0.0_16

subnet 10.192.0.0 255.255.0.0

object network NETWORK_OBJ_10.20.0.0_16

subnet 10.20.0.0 255.255.0.0

object network Remote Site

host 10.1.1.1

object network NCAFTP01:80

host 172.16.10.10

object network 1.1.1.5

host 1.1.1.5

object network NCASK820

host 10.20.1.61

description Exchange Server/ KMS

object service AS2

service tcp source eq 8800 destination eq 8800

object network NCAFTP01:21

host 172.16.10.10

object network NCAFTP01:443

host 172.16.10.10

object network NCAFTP01:53

host 172.16.10.10

object network NCAFTP01:53UDP

host 172.16.10.10

object network NCAFTP01:8080

host 172.16.10.10

object network NCAFTP01:8500

host 172.16.10.10

object network NCAFTP01:5080

host 172.16.10.10

object network NCADMZ02:8800

host 172.16.10.11

object network NCAFTP01

host 172.16.10.10

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp destination eq pptp

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

port-object eq domain

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object icmp traceroute

object-group service DM_INLINE_SERVICE_3

service-object tcp destination eq 8080

service-object tcp destination eq 8500

service-object tcp destination eq domain

service-object tcp destination eq ftp

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq domain

service-object icmp

service-object tcp destination eq 5080

service-object object AS2

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq 8080

port-object eq www

port-object eq https

port-object eq echo

object-group network DM_INLINE_NETWORK_5

network-object 172.16.10.0 255.255.255.0

!

nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0

nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

!

object network mail.domain.com

nat (Inside,ATTOutside) static 1.1.1.4

object network NCASK333

nat (Inside,ATTOutside) static 1.1.1.6

object network obj-10.20.1.218

nat (Inside,ATTOutside) static 1.1.1.2

object network obj_any

nat (Inside,ATTOutside) dynamic interface

object network NCAFTP01:80

nat (any,ATTOutside) static 1.1.1.5 service tcp www www

object network NCAFTP01:21

nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp

object network NCAFTP01:443

nat (any,ATTOutside) static 1.1.1.5 service tcp https https

object network NCAFTP01:53

nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain

object network NCAFTP01:53UDP

nat (any,ATTOutside) static 1.1.1.5 service udp domain domain

object network NCAFTP01:8080

nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080

object network NCAFTP01:8500

nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500

object network NCAFTP01:5080

nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080

object network NCADMZ02:8800

nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800

object network NCAFTP01

nat (any,ATTOutside) static 1.1.1.5

!

nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface

!

timeout xlate 3:00:00

!

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect pptp

class class-default

: end

Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10.  We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11. 

This part is functional, as you instructed above, I simply needed to create individual PAT statements. 

My current issue lies in the outbound translation.  When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5.  When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5.  So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound.  These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution.  My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?

This comes about because the client on the outside requires us to use a specific IP to connect to thier EDI server on port 5080.

jcarvaja or anyone else,

Have you had the chance to look over the above config?  I am sure I am missing something simple, but I am drawing a blank.

Thanks

Hello Michael,

I am sorry for the delay!

If an inbound connections comes to the server on port 80, the server will answer on that port as well due to the RPF check on the stateful firewall, so do not worry for that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card