Using Outside interface to connect to multiple machines inside

tgnovak (Level 1)

I have been working on a configuration for a single IP address (on outside) of an ASA5505.

I am trying to utilize the outside address 192.168.0.249 to PAT/NAPT to 10 inside machines:

192.168.0.204:2180 -> 192.168.111.10:21379
192.168.0.204:2181 -> 192.168.111.11:21379
192.168.0.204:2182 -> 192.168.111.12:21379
192.168.0.204:2183 -> 192.168.111.13:21379
192.168.0.204:2184 -> 192.168.111.14:21379
192.168.0.204:2185 -> 192.168.111.15:21379
192.168.0.204:2186 -> 192.168.111.16:21379
192.168.0.204:2187 -> 192.168.111.17:21379
192.168.0.204:2188 -> 192.168.111.18:21379
192.168.0.204:2189 -> 192.168.111.19:21379
192.168.0.204:2190 -> 192.168.111.20:21379

I have created an access-list:

access-list outside_access_in extended permit tcp any host 192.168.111.10 eq 21380
access-list outside_access_in extended permit tcp any host 192.168.111.11 eq 21381
access-list outside_access_in extended permit tcp any host 192.168.111.12 eq 21382
access-list outside_access_in extended permit tcp any host 192.168.111.13 eq 21383
access-list outside_access_in extended permit tcp any host 192.168.111.14 eq 21384
access-list outside_access_in extended permit tcp any host 192.168.111.15 eq 21385
access-list outside_access_in extended permit tcp any host 192.168.111.16 eq 21386
access-list outside_access_in extended permit tcp any host 192.168.111.17 eq 21387
access-list outside_access_in extended permit tcp any host 192.168.111.18 eq 21388

object network ispec10
 host 192.168.111.10
 nat (inside,outside) static interface service tcp 21380 21379
object network ispec11
 host 192.168.111.11
 nat (inside,outside) static interface service tcp 21381 21379
object network ispec12
 host 192.168.111.12
 nat (inside,outside) static interface service tcp 21382 21379
object network ispec13
 host 192.168.111.13
 nat (inside,outside) static interface service tcp 21383 21379
object network ispec14
 host 192.168.111.14
 nat (inside,outside) static interface service tcp 21384 21379
object network ispec15
 host 192.168.111.15
 nat (inside,outside) static interface service tcp 21385 21379
object network ispec16
 host 192.168.111.16
 nat (inside,outside) static interface service tcp 21386 21379
object network ispec17
 host 192.168.111.17
 nat (inside,outside) static interface service tcp 21387 21379
object network ispec18
 host 192.168.111.18
 nat (inside,outside) static interface service tcp 21388 21379
object network ispec19
 host 192.168.111.19
 nat (inside,outside) static interface service tcp 21389 21379
object network ispec20
 host 192.168.111.20
 nat (inside,outside) static interface service tcp 21390 21379

What I am not sure of (actually that could be considered all-encompassing) is the mapped services/real services.

Any constructive comments or assistance?

5 Replies

mirober2 (Cisco Employee)

Hello,

Your configuration is close, but you should swap the real and mapped ports. For example:

object network ispec10

   nat (inside,outside) static interface service tcp 21379 21380

You can confirm this with the packet-tracer output:

packet-tracer in outside tcp 1.2.3.4 12345 192.168.0.204 21380

When you run that command, you should see that the IP of the server is untranslated from 192.168.0.204:21380 to 192.168.111.10:21379

Hope that helps.

-Mike
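As an added example (not code from this thread, from Cisco or from either poster), the following Python script generates the post-8.3 form of the configuration for all eleven hosts in the question, with the real port first and the mapped port second as Mike describes, and checks that no two hosts claim the same mapped port on the single outside address. It also mirrors the untranslation that packet-tracer should report for a packet arriving on a given outside port. The object names ispec10 to ispec20, the 192.168.111.x addresses and the ports come from the question; that 8.3+ access rules match the real (untranslated) address and port, and the access-group line binding the ACL to the outside interface, are this example's additions.

```python
from dataclasses import dataclass

OUTSIDE_PORT_BASE = 21380  # first mapped port on the outside interface (from the question)
REAL_PORT = 21379          # OPC tunnel port listening on every inside machine

@dataclass(frozen=True)
class StaticPat:
    name: str          # object network name, e.g. ispec10
    real_ip: str       # inside host address
    real_port: int     # port the inside host really listens on
    mapped_port: int   # port exposed on the outside interface address

def build_rules(first_host=10, count=11):
    """ispec10 -> 192.168.111.10 on mapped port 21380, ispec11 -> .11 on 21381, ..."""
    return [StaticPat(f"ispec{h}", f"192.168.111.{h}", REAL_PORT,
                      OUTSIDE_PORT_BASE + (h - first_host))
            for h in range(first_host, first_host + count)]

def check_unique_mapped_ports(rules):
    """All rules share one outside address, so two rules on the same mapped port collide."""
    seen = {}
    for r in rules:
        if r.mapped_port in seen:
            raise ValueError(f"mapped port {r.mapped_port} used by both {seen[r.mapped_port]} and {r.name}")
        seen[r.mapped_port] = r.name
    return True

def render(rules):
    """Emit the post-8.3 configuration: object NAT with real port first, mapped port second."""
    lines = []
    for r in rules:
        # post-8.3 access rules are written against the REAL (untranslated) address and port
        lines.append(f"access-list outside_access_in extended permit tcp any host {r.real_ip} eq {r.real_port}")
    for r in rules:
        lines.append(f"object network {r.name}")
        lines.append(f" host {r.real_ip}")
        lines.append(f" nat (inside,outside) static interface service tcp {r.real_port} {r.mapped_port}")
    lines.append("access-group outside_access_in in interface outside")  # assumed binding to outside
    return "\n".join(lines)

def untranslate(rules, dst_port):
    """What packet-tracer should show for a packet hitting the outside address on dst_port."""
    for r in rules:
        if r.mapped_port == dst_port:
            return (r.real_ip, r.real_port)
    return None  # no static PAT on that port: nothing is forwarded inside
```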

Thanks for the response. That reaffirms my later findings.

I made those changes and tested with packet-tracer. It was just late to repost to the support forum.

Sorry for my lack of follow-up.

Thanks once again.

-Thomas

Hi-

What exactly are you trying to accomplish with this solution? I'm assuming you're trying to load balance here. Please see the script below, as it should solve your problem. Also below that you will find the 'sh xlate' output from my test unit. I only did 4 hosts, so you will have to do the rest, but let me know how this works out. Thanks.

!---start
!
!-below is the ACL bound to the outside 'public' interface
access-list outside-to-inside extended permit tcp any host 192.168.0.204 eq 2180
access-list outside-to-inside extended permit tcp any host 192.168.0.204 eq 2181
access-list outside-to-inside extended permit tcp any host 192.168.0.204 eq 2182
access-list outside-to-inside extended permit tcp any host 192.168.0.204 eq 2183
!
!-ACL that will be referenced by the static PAT statements
access-list pat-acl-1a extended permit tcp host 192.168.111.10 eq 21379 any
access-list pat-acl-1b extended permit tcp host 192.168.111.11 eq 21379 any
access-list pat-acl-1c extended permit tcp host 192.168.111.12 eq 21379 any
access-list pat-acl-1d extended permit tcp host 192.168.111.13 eq 21379 any
!
!-below are the static PAT statements referencing the above ACL
static (inside,outside) tcp interface 2180 access-list pat-acl-1a
static (inside,outside) tcp interface 2181 access-list pat-acl-1b
static (inside,outside) tcp interface 2182 access-list pat-acl-1c
static (inside,outside) tcp interface 2183 access-list pat-acl-1d
!
!---end

!---output of translation table after applied (ie. show xlate)
ciscoasa(config)# sh xlate
4 in use, 4 most used
PAT Global 192.168.0.204(2180) Local 192.168.111.10(21379)
PAT Global 192.168.0.204(2181) Local 192.168.111.11(21379)
PAT Global 192.168.0.204(2182) Local 192.168.111.12(21379)
PAT Global 192.168.0.204(2183) Local 192.168.111.13(21379)
ciscoasa(config)#

Jean

It was not load balancing.

The customer has 11 internal machines that they collect data from and restricts me to one external address.

They use the OPC standard (DCOM) for communication.

There is an OPC tunnel deployed to transit the firewall (it uses port 21379 on the internal machines).

The requirement is to use only one external IP address (outside interface) to reach the inside machines.

-Thomas

tgnovak-

I'm not sure why your reply states as such. The script above will work. I built out an environment (which is now production) which is exactly what you're asking for. If you look at the 'sh xlate' output above, it clearly shows PAT from a single outside IP to 4 internal IPs. What I posted is indeed your solution. Thanks.
