09-26-2012 12:14 AM - edited 03-11-2019 04:59 PM
Hello All,
I have a server running a web application on 443 and now I want to publish it on the Internet with static NAT, just for port 443. I am thinking that the following configuration should be fine; can anyone comment on it?
10.1.1.2:443 10.1.1.1 2.2.2.5
Server -------------------------- ASA --------------------- Internet router --Cloud
Config I am planning
static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
Thanks
JD
09-26-2012 12:19 AM
Hello Jagdev,
This configuration should work. Please also permit this communication in the outside ACL towards 2.2.2.2 eq 443.
rate all the posts if helpful
Harish,
09-26-2012 12:39 AM
Hi,
Do you have an extra public IP address that you could give this server, OR are you going to use the public IP address of the ASA's outside interface?
If you have an extra public IP address to be used with the server, I'd suggest not using a Port Forward configuration. It's clearer and better if the server simply has its own public NAT IP address.
You could use the configuration
static (inside,outside)
Then only allow TCP/443 on the outside interface access-list
access-list OUTSIDE-IN permit tcp any host
access-group OUTSIDE-IN in interface outside
If you are simply using the ASAs outside interface for Port Forward (if you only have one public IP address at your disposal) you can do the configuration in the following way
static (inside,outside) tcp interface 443
- Jouni
09-26-2012 02:14 AM
Thanks Harish and Jouni,
I am using an extra public IP. I want to know why "dns" is at the end of the access list? I got confused by the ACL, as I was looking at the ASA packet flow:-
A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
-----------------------------------------------------------
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. UN-NAT - [static] -
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [rpf-check] -
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
access-list OUTSIDE-IN permit tcp any host
but if I go by the flow which I have come to know, it should be like
access-list OUTSIDE-IN permit tcp any host
What is your opinion?
Thanks
Jagdev
09-26-2012 02:39 AM
Hello Jagdev,
the ACL depends on the IOS version you are using in the ASA.
If the code is before version 8.3, then the ACL should point towards the public IP address.
If the code is version 8.3 or later, then the ACL should be towards the private IP address.
let me know if you have any queries.
Please rate helpful posts
Harish.
09-26-2012 02:41 AM
Ok, I got the "dns" is for DNS Doctoring.
09-26-2012 02:58 AM
Hi,
The "dns" parameters might not be needed.
Just thought I'd add it there as you are going to host Web service there.
So if you for example had a separate public IP address for the server and the public DNS servers would have a name for it (for example www.webservice.com) you could use that address to also connect to the server from the LAN.
To my understanding the "dns" parameter should change the DNS reply message to the user and point to the local IP address of the server, instead of the public IP address that's used in the NAT configuration on the ASA.
This has been a pretty common problem in cases where customers don't have a public IP address configured directly on the server.
- Jouni
09-26-2012 03:01 AM
That means the packet flow is different for IOS 8.3 and later versions from the earlier ones (8.2); it should not be the case. Can you please suggest any Cisco docs for the packet flow for both the IOS versions?
09-26-2012 03:11 AM
Yes, the order of operation has been changed in post-8.3 versions as follows:
first NAT
second ACL
third Routing
hence we need to have the permission towards the private IP address.
hope this helps
Harish.
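As an added example (not from any poster in this thread), here is the port-443 publishing described above written both ways, using the question's own values (2.2.2.2 public, 10.10.10.10 private, OUTSIDE-IN as the ACL name); the only difference that matters for the thread is which address the ACL names, and both keep the exposure limited to TCP/443.

```text
! --- ASA before 8.3: the ACL is evaluated before un-NAT, so it must match
! --- the PUBLIC (mapped) address the packet still carries at that point.
static (inside,outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 2.2.2.2 eq 443
access-group OUTSIDE-IN in interface outside

! --- ASA 8.3 and later: NAT is applied first, so the ACL must match
! --- the PRIVATE (real) address; the same ACL written against 2.2.2.2 would never match.
object network WEB-SERVER
 host 10.10.10.10
 nat (inside,outside) static 2.2.2.2 service tcp 443 443
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.10 eq 443
access-group OUTSIDE-IN in interface outside
```

To confirm which order a given box applies, run `packet-tracer input outside tcp 203.0.113.5 12345 2.2.2.2 443` (203.0.113.5 is a constructed test source): on 8.3+ the UN-NAT phase is listed before ACCESS-LIST, which is why the ACL there names 10.10.10.10.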