07-21-2014 02:43 AM - edited 03-11-2019 09:30 PM
Hi All,
ASA 8.4
I have only 1 single IP to play around with on the outside interface.
There is a need for Anyconnect VPN Access to the outside interface
Existing config: Static 1 to 1 NAT(DMZ server) to outside interface
object network DMZ_Server
nat (any,OUTSIDE) static interface
Based on that: any incoming 443 port goes into the NAT-ed server.
How do I exempt port 443 so that the service is redirected to the SSL VPN instead?
Please advise.
07-21-2014 03:12 AM
Hi,
To my understanding the ASA does not have any configuration option directly to do a Static PAT/Static NAT that ignores a certain port.
I would personally suggest simply doing Static PAT for each service that is needed. I would imagine that there are not that many services running on a single host that it would be impossible to do.
I guess if you wanted to try forward all but the port TCP/443 then you would have to make a configuration that includes all but that port.
I do have to say that I just managed to make my home ASA unresponsive while adding these configurations, so I am wondering whether it ran out of memory (old ASA5505) or something :)
EDIT: It might also be the fact that it reserves almost all the ports to the ASA, so I would advise against using it in its current form. For example, if you have SSH configured on the ASA it might cause problems with that also. If it even accepts the configuration at all.
object service TCP-1-442
 service tcp source range 1 442
object service TCP-444-65534
 service tcp source range 444 65534
object network DMZ-SERVER
 host x.x.x.x
nat (dmz,outside) source static DMZ-SERVER interface service TCP-1-442 TCP-1-442
nat (dmz,outside) source static DMZ-SERVER interface service TCP-444-65534 TCP-444-65534
Though now that I am thinking about the above configuration setup, would this not eat up all your ports related to PAT translations? I am not sure how the ASA would react to using this configuration (or if it would even be able to reserve the ports) if any of your internal hosts wanted to connect to the public network. I would imagine that their connections might start getting dropped after entering this configuration.
So as I said, I would consider just doing Static PAT for the TCP/UDP ports that you actually need, since I can't really see the above configuration being feasible. Maybe I shouldn't have even included it in the post :)
For Static PAT you can use the following configuration format as an example for the ports/services needed.
object network DMZ-SERVER-TCP80
 host x.x.x.x
 nat (dmz,outside) static interface service tcp 80 80
You will need to make a separate "object" for each "nat" configuration.
- Jouni
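The per-service Static PAT pattern above (one network object per published port, translated to the outside interface address) is easy to get wrong by hand once several services are involved, and the whole point of the thread is that TCP/443 must stay free for the AnyConnect listener. The following script is an added example, not code from the post or from Cisco: it generates ASA 8.4 object NAT lines in Jouni's format for a list of required services, flags any service that would collide with the reserved SSL VPN port, and counts how many outside ports the port-range variant would leave for dynamic PAT. The object name prefix, host address, interface names and port list are assumptions chosen for the example.

```python
"""Generate per-service Static PAT for an ASA 8.4 object NAT setup in which
the outside interface address is shared with AnyConnect on TCP/443.

Added example for this thread, not Cisco code. Names such as DMZ-SERVER,
the 10.1.1.10 host and the dmz/outside interface names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Port the SSL VPN listener needs on the outside interface; a Static PAT
# for the same interface address and port would take the traffic first.
ANYCONNECT_TCP_PORTS = frozenset({443})
ASA_PORT_MAX = 65535


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


def conflicting_services(services: Iterable[Service],
                         reserved=ANYCONNECT_TCP_PORTS) -> List[Service]:
    """Return the services whose Static PAT would shadow the VPN listener."""
    return [s for s in services if s.proto == "tcp" and s.port in reserved]


def object_name(prefix: str, svc: Service) -> str:
    # Follows the DMZ-SERVER-TCP80 naming used in the thread.
    return f"{prefix}-{svc.proto.upper()}{svc.port}"


def static_pat_config(prefix: str, host: str, services: Iterable[Service],
                      dmz: str = "dmz", outside: str = "outside",
                      reserved=ANYCONNECT_TCP_PORTS) -> List[str]:
    """Emit one 'object network' block per service, as the ASA requires.

    Raises ValueError on an invalid port/protocol, a duplicate service or a
    collision with the reserved VPN port, so a bad list never reaches the box.
    """
    services = list(services)
    clashes = conflicting_services(services, reserved)
    if clashes:
        raise ValueError(f"services collide with the SSL VPN port: {clashes}")
    lines: List[str] = []
    seen = set()
    for svc in services:
        if svc.proto not in ("tcp", "udp") or not 1 <= svc.port <= ASA_PORT_MAX:
            raise ValueError(f"invalid service {svc}")
        if svc in seen:
            raise ValueError(f"duplicate service {svc}")
        seen.add(svc)
        name = object_name(prefix, svc)
        lines.append(f"object network {name}")
        lines.append(f" host {host}")
        # Static PAT to the interface address: outside port == real port.
        lines.append(f" nat ({dmz},{outside}) static interface "
                     f"service {svc.proto} {svc.port} {svc.port}")
    return lines


def uncovered_outside_ports(ranges: Iterable[Tuple[int, int]]) -> int:
    """Count TCP ports on the outside address not claimed by static ranges.

    Whatever is left is all the dynamic PAT for inside hosts can use, which
    is why the 1-442 plus 444-65534 variant in the thread is impractical.
    """
    covered = set()
    for lo, hi in ranges:
        covered.update(range(lo, hi + 1))
    return ASA_PORT_MAX - len(covered)


if __name__ == "__main__":
    # Constructed sample: web and mail on the DMZ host, 443 left to AnyConnect.
    wanted = [Service("tcp", 80), Service("tcp", 25), Service("udp", 53)]
    print("\n".join(static_pat_config("DMZ-SERVER", "10.1.1.10", wanted)))
    print("ports left for dynamic PAT with the range approach:",
          uncovered_outside_ports([(1, 442), (444, 65534)]))
```

Each service gets its own object and `nat` line because ASA object NAT allows a single `nat` statement per network object; the script refuses to emit anything if TCP/443 is in the list, which is the check that keeps the VPN reachable. The range calculation shows the range-based variant leaves only two outside TCP ports unclaimed, consistent with Jouni's warning about exhausting PAT ports.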
07-21-2014 03:18 AM
Hi,
I'd just like to mention this in a separate post/reply.
I would suggest going with separate Static PAT configurations rather than trying the above first example. In your setup (with a single IP address only) it will most likely cause problems and perhaps do the same to your ASA that it did to mine :)
- Jouni