09-28-2010 07:56 AM - edited 03-03-2019 06:04 AM
Hi,
Can you do DMZ and NAT/PAT with a single public IP address on an ASA5520? I have an uplink in PPPoE and have only one public IP address. I would like to put anti-spam (e.g. A.B.C.44) in the DMZ, and there are a number of servers (e.g. X.Y.Z.1, X.Y.Z.2 and X.Y.Z.3) that I want to NAT/PAT. Could someone please suggest how it should be implemented?
Two site-to-site IPSec tunnels have also been configured on this ASA.
Thanks to everyone in advance for your knowledge sharing.
regards,
Lay
09-28-2010 12:17 PM
Lay,
You can do it. You need to configure what is called static NAT port translations.
For example, let's say your public IP is 69.222.73.50
static (dmz,outside) tcp 69.222.73.50 25 A.B.C.44 25 netmask 255.255.255.255
! This static NAT port translation allows SMTP from the outside to your anti-spam server in the DMZ.
static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255
static (inside,outside) tcp 69.222.73.50 443 X.Y.Z.2 443 netmask 255.255.255.255
! Here we create a couple of static NAT port translations to allow HTTP to one server and HTTPS to another.
There is always a gotcha. You cannot reuse ports that are already in use. For example, it is forbidden to have these two statements together.
static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255
static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.2 80 netmask 255.255.255.255
! We are using port 80 on the outside and translating to two internal servers. This is not allowed. You can use one of them but not both.
There is a "workaround". You can translate one port to another.
static (inside,outside) tcp 69.222.73.50 80 X.Y.Z.1 80 netmask 255.255.255.255
static (inside,outside) tcp 69.222.73.50 8080 X.Y.Z.2 80 netmask 255.255.255.255
! In your web browser you would have to have http://69.222.73.50:8080
Hope it helps
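The `static` commands above are the pre-8.3 syntax; a later post in this thread says the box runs 8.3(1), where NAT is configured as object NAT and access lists match the real (untranslated) address. The following is an added example, not Collin's or Cisco's text, showing the same three translations (SMTP to the DMZ anti-spam host, HTTP to one inside server, and the 8080 workaround for the second) in 8.3 form. Interface names `inside`, `dmz`, `outside`, the object names and the ACL name `outside_in` are assumptions; `interface` as the mapped address uses whatever IP the PPPoE uplink currently holds.

```cisco
! Assumed interface and object names (example only, not from the original post)
! DMZ anti-spam host: outside tcp/25 -> A.B.C.44 tcp/25
object network dmz-antispam
 host A.B.C.44
 nat (dmz,outside) static interface service tcp 25 25
!
! First inside web server keeps outside tcp/80
object network inside-web-1
 host X.Y.Z.1
 nat (inside,outside) static interface service tcp 80 80
!
! Second inside web server: real port 80 is published as outside tcp/8080,
! because outside tcp/80 on the single public IP is already taken above
object network inside-web-2
 host X.Y.Z.2
 nat (inside,outside) static interface service tcp 80 8080
!
! From 8.3 on, the inbound ACL references the real (pre-NAT) addresses and ports,
! so the rule for X.Y.Z.2 still says port 80, not 8080
access-list outside_in extended permit tcp any host A.B.C.44 eq 25
access-list outside_in extended permit tcp any host X.Y.Z.1 eq 80
access-list outside_in extended permit tcp any host X.Y.Z.2 eq 80
access-group outside_in in interface outside
```

Only the ports you actually publish are opened; a second object trying to claim outside tcp/80 on the same interface would be rejected at configuration time rather than silently shadowing the first one.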
09-28-2010 04:20 PM
Really appreciate your help, Collin. Would I be able to continue my ASDM management (HTTPS) from the "inside" interface? Last time, I was no longer able to do that until I undid that NAT statement for the DMZ. My statement might not be correct somehow. Will do and let you know.
Regards.
Lay
09-29-2010 06:29 AM
You should not lose your ASDM access, especially on the DMZ nat.
10-07-2010 07:07 AM
Hi Collin,
Thanks again for your time. I have managed to put the anti-spam server in the DMZ and the web server / mail server in the inside network. They work correctly with NAT and PAT, and so does the VPN. But I am getting access denied for SSH connections. I can't SSH into the box from inside and DMZ although I have the following:
ASA Version 8.3(1)
ASA(config)#crypto key generate rsa modulus 1024
ASA(config)#wr
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
I was prompted to enter username and password but keep getting access denied. Could you please advise me with this ssh issue?
Regards,
Lay
10-08-2010 07:55 AM
Hi Collin
Please be informed that I have got SSH access after issuing the following:
ASA(config)#aaa authentication ssh console LOCAL
Before issuing the above command, SSH could only be accessed with user "asa", which I cannot find anywhere in the configuration.
Anyway, thanks a lot for your sharing.
Regards,
Lay