Portforwarding on ASA5510 (static problems)

thedstrom
Level 1

Hi

Does anyone have a solution for this problem?

Background:

We have two DMZs with servers using public IP address ranges. On our old Linux-based firewall we use one of these public IP addresses for port forwarding (different ports) to two different hosts, one on each DMZ.

When I tried it on a Cisco PIX running software version 6.3 in a lab environment it worked perfectly, but when I copied the lines to our new ASA 5510, running 7.2(1), it complains about conflicting static lines.

The config:

access-list extended Portforwarding6500 permit tcp object-group PublicServer1 650 any

access-list extended Portforwarding6600 permit tcp object-group PublicServer2 660 any

static (DMZ1,Outside) tcp 10.10.10.10 6500 access-list Portforwarding6500

static (DMZ2,Outside) tcp 10.10.10.10 6600 access-list Portforwarding6600

static (DMZ1,Outside) 10.10.10.17 10.10.10.17 255.255.255.224

static (DMZ2,Outside) 10.10.10.1 10.10.10.14 255.255.255.240

Torbjorn Hedstrom

Sweden

2 Replies

Roble Mumin
Level 3

If I get it right, you just want to PAT two different servers to one or two addressable IPs.

Something like this?

DMZ Server 1: 10.10.10.1:80 -> public:80

DMZ Server 2: 10.10.20.1:80 -> public:8080

Anyhow try it the following way.

access-list FromOutside remark ***Outside Access-Definition***

access-list FromOutside extended permit tcp any host eq 650

access-list FromOutside extended permit tcp any host eq 660

! bind the access-list on your outside interface

access-group FromOutside in interface

! PAT server1 with port 6500 from dmz1 to the outside ip with port 650

! PAT server2 with port 6600 from dmz2 to the outside ip with port 660

static (DMZ1,Outside) tcp 650 6500 netmask 255.255.255.255

static (DMZ2,Outside) tcp 660 6600 netmask 255.255.255.255

You should end up with two addressable ports.

:650 and :660.

Yes, that's the way I want it, preferably by using only one public IP for both ports, but neither the PIX nor the ASA will let me do that with ordinary static lines like that; it starts complaining about "WARNING: mapped-address conflict with existing static". (Actually, that seems to be related to having the machines on different interfaces; just now when I tried it I wrote the second static line to be on DMZ1 as well and it didn't complain, so I guess I'll just have to use two public IPs for this.)

But then the next problem arises: as the hosts on the DMZs have public IPs, I have to tell the ASA not to NAT the ordinary DMZ traffic, either by a NAT 0 command or with static lines as in my first post, and then it starts to complain again with the same error (WARNING: real-address conflict with existing static).

Torbjorn
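As an added example (not from this thread, and not Cisco's own tooling), the following Python script checks a set of ASA 7.x "static" lines offline for the two warnings quoted above before they are pasted into a firewall. It models the behaviour the thread reports in a simplified way: a mapped address used by statics from two different real interfaces triggers a "mapped-address conflict", and overlapping real address ranges behind the same real interface trigger a "real-address conflict". The real ASA rules are more detailed than this model, which is an assumption of the example. The sample config lines, the 203.0.113.0/24 addresses and the interface names are constructed for illustration; policy statics that reference an access-list are reported as unsupported rather than resolved.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Constructed sample: two port statics sharing one mapped IP from different
# DMZ interfaces, plus identity statics whose ranges cover the mapped hosts.
SAMPLE_CONFIG = """
access-list FromOutside extended permit tcp any host 203.0.113.10 eq 650
static (DMZ1,Outside) tcp 203.0.113.10 650 203.0.113.17 6500 netmask 255.255.255.255
static (DMZ2,Outside) tcp 203.0.113.10 660 203.0.113.1 6600 netmask 255.255.255.255
static (DMZ1,Outside) 203.0.113.17 203.0.113.17 netmask 255.255.255.224
static (DMZ2,Outside) 203.0.113.1 203.0.113.14 netmask 255.255.255.240
"""

# Constructed layout following the thread's conclusion: one mapped IP per DMZ.
FIXED_CONFIG = """
static (DMZ1,Outside) tcp 203.0.113.10 650 203.0.113.17 6500 netmask 255.255.255.255
static (DMZ2,Outside) tcp 203.0.113.11 660 203.0.113.1 6600 netmask 255.255.255.255
"""

# static (real_if,mapped_if) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
PORT_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)$")
# static (real_if,mapped_if) MAPPED_IP REAL_IP netmask MASK  (network or identity static)
NET_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)$")


@dataclass(frozen=True)
class Static:
    line: str
    real_if: str
    mapped_if: str
    mapped_net: ipaddress.IPv4Network  # /32 for a port static
    real_net: ipaddress.IPv4Network
    proto: Optional[str] = None        # None for a plain network/identity static
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None


def parse_static(line: str) -> Optional[Static]:
    """Parse one static line; returns None for unsupported forms (e.g. access-list policy statics)."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        return Static(line, m["real_if"], m["mapped_if"],
                      ipaddress.ip_network(m["mapped_ip"] + "/32"),
                      ipaddress.ip_network(m["real_ip"] + "/32"),
                      m["proto"], m["mapped_port"], m["real_port"])
    m = NET_RE.match(line)
    if m:
        # ASA uses one netmask for both sides; strict=False keeps host bits such as .17/27.
        return Static(line, m["real_if"], m["mapped_if"],
                      ipaddress.ip_network(f"{m['mapped_ip']}/{m['mask']}", strict=False),
                      ipaddress.ip_network(f"{m['real_ip']}/{m['mask']}", strict=False))
    return None


def parse_config(text: str) -> Tuple[List[Static], List[str]]:
    """Split a config into parsed statics and the static lines this model cannot handle."""
    statics, unsupported = [], []
    for raw in text.splitlines():
        if not raw.strip().startswith("static "):
            continue  # access-lists, access-groups and other lines are out of scope here
        parsed = parse_static(raw)
        if parsed is None:
            unsupported.append(raw.strip())
        else:
            statics.append(parsed)
    return statics, unsupported


def mapped_conflicts(a: Static, b: Static) -> bool:
    """Model of 'mapped-address conflict': same mapped interface, overlapping mapped
    addresses, but the statics originate from different real interfaces."""
    return (a.mapped_if == b.mapped_if and a.real_if != b.real_if
            and a.mapped_net.overlaps(b.mapped_net))


def real_conflicts(a: Static, b: Static) -> bool:
    """Model of 'real-address conflict': overlapping real addresses behind one real interface.
    Two port statics for the same host only clash if protocol and real port also match."""
    if a.real_if != b.real_if:
        return False
    if a.proto and b.proto:
        return a.real_net == b.real_net and (a.proto, a.real_port) == (b.proto, b.real_port)
    return a.real_net.overlaps(b.real_net)


def find_conflicts(statics: List[Static]) -> List[Tuple[str, str, str]]:
    """Return (warning, line_a, line_b) for every conflicting pair."""
    found = []
    for a, b in combinations(statics, 2):
        if mapped_conflicts(a, b):
            found.append(("mapped-address conflict", a.line, b.line))
        if real_conflicts(a, b):
            found.append(("real-address conflict", a.line, b.line))
    return found


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        statics, unsupported = parse_config(cfg)
        print(f"== {name}: {len(statics)} statics, {len(unsupported)} unsupported")
        for kind, la, lb in find_conflicts(statics):
            print(f"{kind}:\n  {la}\n  {lb}")
```

Running the script flags the shared mapped IP in the sample as a mapped-address conflict and each identity static as a real-address conflict with the port static behind the same DMZ, while the two-public-IP layout passes cleanly; a policy static such as "static (DMZ1,Outside) tcp 203.0.113.10 6500 access-list Portforwarding6500" is listed as unsupported because its real host lives in the access-list.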