Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
0
Helpful
2
Replies

Static 1-1 NAT - but exempt port 443 for SSL VPN

J_Vansen_S
Level 3
Level 3

‎07-21-2014 02:43 AM - edited ‎03-11-2019 09:30 PM

Hi All,

ASA8.4

I have only 1 single IP to play around with on the outside interface.

There is a need for Anyconnect VPN Access to the outside interface

 

Existing config: Static 1 to 1 NAT(DMZ server) to outside interface

object network DMZ_Server

nat (any,OUTSIDE) static interface

 

Based on that: any incoming 443 port goes into the NAT-ed server.

How do i exempt port 443 so that the service is redirected to the SSL VPN instead?

 

PLease advise

 

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎07-21-2014 03:12 AM

Hi,

 

To my understanding the ASA does not have any configuration option directly to do a Static PAT/Static NAT that ignores a certain port.

 

I would personally suggest simply doing Static PAT for each service that is needed. I would imagine that there are not that many services running on a single host that it would be impossible to do.

 

I guess if you wanted to try forward all but the port TCP/443 then you would have to make a configuration that includes all but that port.

 

 I do have to say that I just managed to make my home ASA unresponsive while adding this configurations so I am wondering it ran out of memory (old ASA5505) or something :)

 

EDIT: It might also be the fact that it reserves almost all the ports to the ASA so I would advice against using it in its current form. For example if you have SSH configured on the ASA it might cause problems with that also. If it even accepts the configuration at all

 

object service TCP-1-442
 service tcp source range 1 442

 

object service TCP-444-65534
 service tcp source range 444 65534

 

object network DMZ-SERVER
 host x.x.x.x

 

nat (dmz,outside) source static DMZ-SERVER interface service TCP-1-442 TCP-1-442
nat (dmz,outside) source static DMZ-SERVER interface service TCP-444-65534 TCP-444-65534

 

Though now that I am thinking the above configuration setup, would this not eat up all your ports related to PAT translations? I am not sure how the ASA would react to using this configuration (or if it would even be able to reserve the ports) if any of your internal hosts wanted to connect to the public network. I would imagine that their connections might start getting dropped after entering this configuration.

 

So as I said I would consider just doing Static PAT for the TCP/UDP ports that you actually need since I cant really see the above configuration being feasible. Maybe shouldnt have even included it in the post :)

 

For Static PAT you can use the following configuration format as an example for the ports/services needed.

 

object network DMZ-SERVER-TCP80
 host x.x.x.x
 nat (dmz,outside) static interface service tcp 80 80
 

You will need to make a separate "object" for each "nat" configurations.

 

- Jouni
 

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎07-21-2014 03:18 AM

Hi,

 

Just like to mention this with a separate post/reply

 

I would suggest going with separate Static PAT configurations rather than trying the above first example. In your setup (with a single IP address only) it will most likely cause problems and perhaps do the same to your ASA that it did to mine :)

 

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card