jagdev.dhaliwal

Static NAT with port translation

Hello All,

I have a server running a web application on 443 and now I want to publish it on the Internet with static NAT, just for port 443. I am thinking that the following configuration should be fine; can anyone comment on it?

  10.1.1.2:443         10.1.1.1    2.2.2.5

Server -------------------------- ASA --------------------- Internet router --Cloud

Config I am planning:

static (inside,outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255

Thanks

JD

Harish Balakrishnan

Hello Jagdev,

This configuration should work. Please permit this communication in the outside ACL as well, towards 2.2.2.2 eq 443.

Rate all the posts if helpful.

Harish.

Jouni Forss

Hi,

Do you have an extra public IP address that you could give this server, OR are you going to use the public IP address of the ASA's outside interface?

If you have an extra public IP address to be used with the server, I'd suggest not using a Port Forward configuration. It's clearer and better if the server simply has its own public NAT IP address.

You could use the configuration:

static (inside,outside) netmask 255.255.255.255 dns

Then only allow TCP/443 in the outside interface access-list:

access-list OUTSIDE-IN permit tcp any host eq 443

access-group OUTSIDE-IN in interface outside

If you are simply using the ASA's outside interface for Port Forward (if you only have one public IP address at your disposal), you can do the configuration in the following way:

static (inside,outside) tcp interface 443 netmask 255.255.255.255 dns

- Jouni

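The two pre-8.3 configurations Jouni describes, written out in full as an added example; this is not text from the original post. The addresses are assumptions taken from the diagram in the question (server 10.1.1.2 on the inside, spare public address 2.2.2.5 on the outside); the ACL name OUTSIDE-IN is the one Jouni used. Because this is the pre-8.3 `static` syntax, the outside ACL refers to the mapped (public) address, as Harish notes further down the thread.

```cisco
! Added example, pre-8.3 ASA syntax. Assumed addresses: server 10.1.1.2
! (inside), spare public address 2.2.2.5 (outside). Not copied from the thread.
! Pick option 1 OR option 2, not both.
!
! --- Option 1: dedicated public IP, one-to-one static NAT ----------------
! "dns" rewrites the A record in DNS replies that pass through the ASA
! (2.2.2.5 -> 10.1.1.2), so an inside host that resolves the public name
! reaches the server directly. This relies on DNS inspection, which the
! default global service policy already enables.
static (inside,outside) 2.2.2.5 10.1.1.2 netmask 255.255.255.255 dns
!
! Pre-8.3: the outside ACL names the public (mapped) address, and only
! TCP/443 is opened; every other port stays closed by the implicit deny.
access-list OUTSIDE-IN extended permit tcp any host 2.2.2.5 eq 443
access-group OUTSIDE-IN in interface outside
!
! --- Option 2: only the outside interface address is available ----------
! Static PAT: only TCP/443 on the interface address is redirected to the
! server; all other ports on that address remain the ASA's own.
static (inside,outside) tcp interface 443 10.1.1.2 443 netmask 255.255.255.255
! The ACL refers to the interface address with the "interface" keyword.
access-list OUTSIDE-IN extended permit tcp any interface outside eq 443
access-group OUTSIDE-IN in interface outside
```

Either way the exposure is limited to the single port in the ACL; the static rule itself does not open anything, it only defines the translation.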

Thanks Harish and Jouni,

I am using an extra public IP. I want to know why "dns" is at the end of the access list? I got confused by the ACL as I was looking at the ASA packet flow:

ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Level)

-----------------------------------------------------------

1. FLOW-LOOKUP - [] - Check for existing connections; if none found, create a new connection.

2. UN-NAT - [static] -

2. ROUTE-LOOKUP - [input] - Initial checking (Reverse Path Check, etc.)

3. ACCESS-LIST - [log] - ACL lookup

4. CONN-SETTINGS - [] - class-map, policy-map, service-policy

5. IP-OPTIONS - [] -

6. NAT - [rpf-check] -

7. NAT - [host-limits] -

8. IP-OPTIONS - [] -

9. FLOW-CREATION - [] - If everything passes up until this point, a connection is created.

10. ROUTE-LOOKUP - [output and adjacency]

access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you

but if I go by the flow which I have come to know, it should be like:

access-list OUTSIDE-IN permit tcp any host eq 443

What is your opinion?

Thanks

Jagdev

Hello Jagdev,

The ACL depends on the IOS version you are using in the ASA.

If the code is before version 8.3, then the ACL should point towards the public IP address.

If the code is version 8.3 or later, then the ACL should point towards the private IP address.

let me know if you have any queries.

Please rate helpful posts.

Harish.

OK, I got it: the "dns" is for DNS doctoring.

Hi,

The "dns" parameter might not be needed.

I just thought I'd add it there as you are going to host a web service there.

So if you for example had a separate public IP address for the server and the public DNS servers would have a name for it (for example www.webservice.com) you could use that address to also connect to the server from the LAN.

To my understanding, the "dns" parameter should change the DNS reply message to the user and point to the local IP address of the server, instead of the public IP address that's used in the NAT configuration on the ASA.

This has been a pretty common problem in cases where customers don't have a public IP address configured directly on the server.

- Jouni


That means the packet flow is different for IOS 8.3 and later versions from the earlier ones (8.2); it should not be the case. Can you please suggest any Cisco docs on the packet flow for both IOS versions?

Yes, the order of operations has been changed in post-8.3 versions as follows:

first NAT

second ACL

third Routing

Hence we need to have the permission for the private IP address.

Hope this helps.

Harish.

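The same two options in the 8.3 and later syntax, as an added example (not from the thread), with the check a practitioner would run to confirm Harish's point. The addresses are the same assumptions as before (real 10.1.1.2, mapped 2.2.2.5); the network object names and the client address 203.0.113.10 are invented for this example. The thread's conclusion shows up in the ACL line: because NAT is now applied before the ACL lookup, the outside ACL must match the real (private) address and real port, not the mapped one.

```cisco
! Added example, ASA 8.3+ syntax. Assumed addresses: real 10.1.1.2,
! mapped 2.2.2.5. Object names are invented for this example.
! Pick option 1 OR option 2, not both.
!
! --- Option 1: dedicated public IP, one-to-one static NAT ----------------
object network WEB-SERVER
 host 10.1.1.2
 nat (inside,outside) static 2.2.2.5 dns
!
! --- Option 2: port forward on the outside interface address (static PAT)
object network WEB-SERVER-443
 host 10.1.1.2
 nat (inside,outside) static interface service tcp 443 443
!
! 8.3+: un-NAT runs before the ACL lookup, so the outside ACL names the
! real (inside) address and real port, whichever NAT option is in use.
! Writing "host 2.2.2.5" here, as you would pre-8.3, silently drops
! every inbound connection.
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.2 eq 443
access-group OUTSIDE-IN in interface outside
!
! Check: simulate an Internet client (203.0.113.10, a constructed address)
! opening the published port. packet-tracer lists each phase in the order
! the ASA applies it (UN-NAT before ACCESS-LIST) and ends with the result;
! "Action: allow" means both the NAT rule and the ACL line above matched.
! For option 2, use the outside interface address instead of 2.2.2.5.
packet-tracer input outside tcp 203.0.113.10 40000 2.2.2.5 443
```

If packet-tracer shows the ACCESS-LIST phase dropping the packet even though the NAT phase matched, the ACL is still written against the mapped address; that is the exact symptom of moving a pre-8.3 configuration to 8.3 or later without changing the ACL.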