12-31-2012 04:18 AM - edited 03-11-2019 05:42 PM
Hello,
I am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).
I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example). Is this really true ?? Surely not !
If so, can someone please help me understand the rationale for this amazing shortcoming ? My $0 smoothie did it effortlessly !
Thanks,
Jack
12-31-2012 04:37 AM
Hi,
I'm not quite sure about your setup. Port forwarding should be no problem. We just have to make sure what exactly your current configuration is.
You talk about 2 external and 2 internal IP addresses. With the 2 external IP addresses, do you mean that you have 2 public IP addresses available that are both used for Port Forward configuration? And both public IP addresses need to have a Port Forward to their LAN counterpart with TCP/22?
Also I would need to know your ASAs software version which can be checked either through the ASDM main window or "show version" on the CLI.
- Jouni
12-31-2012 04:43 AM
If your setup is the following (using example IPs, names and Ports)
The ASA Software 8.3 (and above) Port Forward configuration for SSH (TCP/22) only would be
object network SRV1-SSH
host 10.10.10.10
nat (inside,outside) static interface service tcp 22 22
object network SRV2-SSH
host 10.10.10.20
nat (inside,outside) static 1.1.1.20 service tcp 22 22
access-list OUTSIDE-IN permit tcp any object SRV1-SSH eq ssh
access-list OUTSIDE-IN permit tcp any object SRV2-SSH eq ssh
access-group OUTSIDE-IN in interface outside
The ASA 8.2 (and below) configuration format would be
static (inside,outside) tcp interface 22 10.10.10.10 22 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.20 22 10.10.10.20 22 netmask 255.255.255.255
access-list OUTSIDE-IN permit tcp any host 1.1.1.10 eq ssh
access-list OUTSIDE-IN permit tcp any host 1.1.1.20 eq ssh
access-group OUTSIDE-IN in interface outside
Please rate if the information has been helpful and/or ask more questions if the above wasn't what you were looking for.
- Jouni
12-31-2012 05:14 AM
Jouni,
Thanks so much for your quick reply. I'm not sure I expressed myself clearly enough. Consider this.
I have a 5505 connected to the internet and accessible as fred.com.
I have 2 support techs 'out there in internet space' who need to gain access to 2 different machines on my LAN (i.e. the other side of fred.com's firewall on addresses like 192.168.1.1 etc). They connect from static IP internet addresses like 203.x.y.z or 206.a.b.c.
In smoothwall, I can say something like 'srcip:203.x.y.z, port:22 goes to 192.168.1.1 and srcip:206.a.b.c port 22 goes to 192.168.1.2'. I.e., I want to set up port forwards such that each external tech goes to a different 192.168.1.x address but both do so by simply executing the same command (i.e. ssh fred.com) from their respective command lines. I've been told that one of my techs will need to execute something like 'ssh -p 6666 fred.com' because port 22 can only be forwarded once on the 5505 - even though the source IP of the second user is different. If true, this is the thing that amazes me.
I'm sure there will doubtless be better ways to achieve the scenario I've described but I want to confirm this particular point because I have many other scenarios that relied on this functionality in my previous (smoothwall) installation.
Happy New Year from Australia by the way !
Jack
12-31-2012 05:39 AM
Hi,
So only a single public IP address but need to forward port TCP/22 to 2 different local machines depending on the source IP address?
I could perhaps lab this setup when I am at home. Can you let me know your ASA software version so I can test the thing on the right software? As you can see there's been a big change between ASA software versions 8.2 (and below) and 8.3 (and above).
But in general I would have to say that personally I have always used a different port that's facing the public network. Problematic, I know, but to be honest we don't configure that many Port Forwards for customers.
But as I said, let me know the software level of your ASA and perhaps I could lab this setup and see what the ASA thinks about the configuration. I guess there might be an option to do this with Policy NAT of some type.
Happy New Year from Finland also. (Well, not yet.)
- Jouni
12-31-2012 08:32 AM
Oh well,
You learn something new once in a while.
I got the mentioned setup working on my home ASA 5505 running software 8.4(3) (New NAT Format)
For my testing purposes I used the UltraVNC service (a remote desktop application) and installed it on 2 of my home computers.
I made NAT configurations using identical Public/Local TCP Ports (TCP/5900) but with different destination/remote IP addresses from where I would be connecting from. And of course the source/local IP addresses are different also.
I connected to my company network with my work laptop and tested the connection from 2 different servers, and the connection worked at the same time. (Good thing about working for your own ISP is that at least you've got some resources for this kind of testing.)
So let me know your ASA software level so I know if the configurations I made would help you.
On a side note. You might run into other problems by using SSH and using the ASA "outside" IP address for Port Forwarding. This is because ASA uses the "outside" interface IP address with destination TCP/22 to "catch" SSH management connections to the ASA. It might be possible that if you disable SSH management from public network directly (or all together), you could then use the TCP/22 port for the situation you mention in your posts.
- Jouni
01-01-2013 02:48 AM
Hi Jouni,
Sorry for the delay in replying. It certainly appears that you have correctly understood my problem and, better still, it's sounding like all is not lost! As requested, my ASA firmware version is 8.2(5) and the Device Manager is 6.4(5).
Thanks for the warning regarding SSH, but in actual fact it's not SSH I'm most interested in using but rather RDP. In my previous smoothwall setup, I allowed a number of different users to RDP directly to fred.com and had the firewall connect them to specific (different) internal machines. All they had to do was type "mstsc fred.com" and their (static) source IP (in internet space) was all I needed to then determine where they should connect. Having to issue unique port numbers to each user when I could already know from their source addresses where they should connect seemed at the very least inconvenient and - dare I say as a lowly novice - an ugly and unnecessary requirement. I just wanted to have the same, simple connection rule for all external users and leave the cleverness up to the firewall.
Do you think I need to upgrade my firmware before I tell my firewall support guy that what I want is possible or is it still possible using 8.2 ? If so (or if not for that matter!), could you possibly provide me with the relevant config details to guide him in the right direction ?
Thanks very much for your help,
Jack.
01-01-2013 03:56 AM
Hi,
It seems that I couldn't configure this with the older 8 series software. So I would imagine you have to have at least software level 8.3, or 8.4(3) to be exactly the same as my setup.
The configuration for my test setup was (with changed IPs)
object network SOURCE1
host 1.2.3.4
object network SOURCE2
host 5.6.7.8
object network SERVER1
host 10.10.10.10
object network SERVER2
host 10.10.10.20
object service VNC
service tcp source eq 5900
nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
access-list WAN-IN extended permit tcp object SOURCE1 object SERVER1 eq 5900
access-list WAN-IN extended permit tcp object SOURCE2 object SERVER2 eq 5900
access-group WAN-IN in interface WAN
Where
The above NAT commands basically state that
Sadly my naming of the objects doesn't quite match the logic of the NAT commands. You can easily choose a naming policy that will make it clearer to you though.
Do notice that compared to your current software, if you move to 8.3 and above the NAT configuration format will be changed completely. Also, because of the NAT changes, you will see that traffic allowed in the ACL that is attached to the "outside" interface will be destined to the LOCAL IP address of the hosts and not the NAT IP address like with software 8.2 and below.
Hopefully the above information has been helpful. Please do rate the answers if you have found the information helpful. Don't think I've ever written so much in a single discussion as this. But it seems I've also found out something about the new/old NAT format in the process.
- Jouni
EDIT: Changed the ACLs to use the SOURCE objects instead of "host x.x.x.x"
01-01-2013 04:13 AM
Hi Jouni,
I'm sorry it ended up being such a longwinded exchange. I've just rated you extremely helpful if that's any consolation.
I'll have a chat with my guy and we'll hopefully be pressing the "Correct Answer" button shortly.
Thank you so much for all you prompt and thorough assistance.... New Year's Day and all !
Best Regards,
Jack.
P.S. I'm aware that the user Experience changes with 8.4 because I've been told it's a bit more Juniper-like in places. Actually, after having previously experienced wading my way through the tedious jungle that is the Juniper SRX-80's user interface (if that's what you dare call it), this is one of the reasons why we avoided upgrading our factory 8.2 5505 !!
01-01-2013 04:41 AM
Thank you for the rating,
I would like to still point out that I have only tested this setup briefly. I'm not sure how it will handle in actual use. I personally just tested that I was able to connect to both hosts from both sources at the same time.
I generally avoid these types of setups, so that's why I'm not sure how it will work out or if there might be problems further down the road as the ASA gets additional NAT configurations. (Though my own ASA had all the basic configurations including this test and I didn't notice anything weird.)
Also as a sidenote. The ASA does give out a warning message that there is now an overlapping NAT configuration on the firewall (the 8.0 software on my firewall both gave a warning of overlap and rejected the NAT configuration that I tried for that software level). This however doesn't stop the configuration being accepted and seemingly working. Might have to test this a bit more when I get back to work.
- Jouni
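Added example, not code from this thread or from Cisco: a small Python parser for the subset of ASA 8.3+ object/manual-NAT syntax that appears in Jouni's 8.4(3) configuration above, with an inbound lookup that mimics how the ASA evaluates manual (twice) NAT rules top-down, plus a check for the "overlapping NAT" condition he mentions in his last post. It shows why two rules can share the same interface port (5900) as long as their destination (remote client) objects differ, and that a rule whose destination object repeats an earlier one is shadowed. The WAN interface address 203.0.113.1 and the sample config text are constructed for the example; the thread never gives the real address.

```python
"""Simulate ASA 8.3+ manual NAT matching for source-steered port forwards.

Added example (not Cisco code). Assumptions: manual NAT rules are evaluated
in configuration order and the first match wins; "interface" means the WAN
interface address, assumed here to be 203.0.113.1 (RFC 5737 space).
"""
import re
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.1"  # assumed WAN interface address (not from the thread)

# Constructed sample: the object/NAT lines from Jouni's 8.4(3) test config.
CONFIG = """\
object network SOURCE1
 host 1.2.3.4
object network SOURCE2
 host 5.6.7.8
object network SERVER1
 host 10.10.10.10
object network SERVER2
 host 10.10.10.20
object service VNC
 service tcp source eq 5900
nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
"""


@dataclass(frozen=True)
class NatRule:
    real_src: str            # inside host object (SERVER1)
    mapped_src: str          # "interface" or a network object
    real_dst: str            # remote client object as seen from inside (SOURCE1)
    mapped_dst: str          # remote client object as seen from outside
    real_svc: Optional[str]  # service object; its "source" port is the inside host's port
    mapped_svc: Optional[str]


NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    r"(?: service (\S+) (\S+))?$"
)


def parse(config: str):
    """Return (hosts, ports, rules) for the supported subset of ASA syntax."""
    hosts, ports, rules = {}, {}, []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = ("net", line.split()[2])
        elif line.startswith("object service "):
            current = ("svc", line.split()[2])
        elif line.startswith("host ") and current and current[0] == "net":
            hosts[current[1]] = line.split()[1]
        elif line.startswith("service tcp source eq ") and current and current[0] == "svc":
            ports[current[1]] = int(line.split()[-1])
        else:
            m = NAT_RE.match(line)
            if m:
                _, _, rs, ms, rd, md, rsv, msv = m.groups()
                rules.append(NatRule(rs, ms, rd, md, rsv, msv))
    return hosts, ports, rules


def mapped_addr(hosts, rule: NatRule) -> str:
    return WAN_IP if rule.mapped_src == "interface" else hosts[rule.mapped_src]


def inbound(hosts, ports, rules, client_ip, dst_ip, dst_port):
    """Untranslate a WAN->LAN packet: (real host, real port) or None if no rule matches."""
    for r in rules:
        if dst_ip != mapped_addr(hosts, r) or client_ip != hosts[r.mapped_dst]:
            continue
        if r.mapped_svc is None:           # no service clause: any port, unchanged
            return hosts[r.real_src], dst_port
        if dst_port == ports[r.mapped_svc]:
            return hosts[r.real_src], ports[r.real_svc]
    return None


def overlaps(hosts, ports, rules):
    """Rule pairs sharing the same mapped (address, port): what the ASA warns about.

    Each tuple is (earlier_rule, later_rule, shadowed). shadowed is True when the
    destination objects resolve to the same client, so the later rule never matches.
    """
    seen, found = {}, []
    for r in rules:
        key = (mapped_addr(hosts, r), ports[r.mapped_svc] if r.mapped_svc else None)
        for earlier in seen.get(key, []):
            found.append((earlier, r, hosts[earlier.mapped_dst] == hosts[r.mapped_dst]))
        seen.setdefault(key, []).append(r)
    return found


if __name__ == "__main__":
    h, p, rs = parse(CONFIG)
    for client in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(client, "->", inbound(h, p, rs, client, WAN_IP, 5900))
    for a, b, shadowed in overlaps(h, p, rs):
        print("overlap:", a.real_src, "/", b.real_src, "shadowed" if shadowed else "ok")
```

Feeding the real running-config (`show run object`, `show run nat`) through `parse` and calling `inbound` for each tech's address is a quick way to confirm which LAN host a given remote client will land on before telling users to "just RDP to fred.com"; the same lookup with destination port 22 returns None for this config, which is the case where the ASA's own management SSH would answer instead.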