11-04-2011 09:20 PM - edited 03-04-2019 02:10 PM
Here is my situation and limitation. I have two internal devices (web servers) that listen on port 8080, but I only have one Public IP address. I have port 8080 forwarded to the first internal device and it's working fine. I've tried to forward port 8081 to port 8080 on the second internal device and I can't get it to work. I've tried to swap the port from 8081 to 8080 on the 2nd access-list, but still no success. Any help would be appreciated.
Thanks.
See the short config below. I can post the full config if needed, but it's over 400 lines. BTW, I'm also using ZBF.
#### Current Config for first internal device 'hvac 10.10.101.20'. This part works fine.
!
ip port-map user-hvac port tcp 8080
!
class-map type inspect match-all cmap-hvac
match access-group 111
match protocol user-hvac
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.20 8080 xxx.xxx.xxx.xxx 8080 extendable
!
access-list 111 permit tcp any host 10.10.101.20 eq 8080
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
______________________
#### Added Config for second internal device 'hvac1 10.10.101.21'.
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
no service-policy type inspect sdm-pol-NATOutsideToInside-1
!
ip port-map user-hvac1 port tcp 8081
!
class-map type inspect match-all cmap-hvac1
match access-group 112
match protocol user-hvac1
!
no policy-map type inspect sdm-pol-NATOutsideToInside-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect cmap-hvac
  inspect
 class type inspect cmap-hvac1
  inspect
 class class-default
  drop log
!
ip nat inside source static tcp 10.10.101.21 8080 xxx.xxx.xxx.xxx 8081 extendable
!
access-list 112 permit tcp any host 10.10.101.21 eq 8081
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
11-07-2011 04:32 AM
I got it. I had to modify the second class-map to support both user defined protocols.
class-map type inspect match-all cmap-hvac1
 match protocol user-hvac
 match protocol user-hvac1
!
class-map type inspect match-all cmap-hvac1-acl
 match access-group 112
 match class-map cmap-hvac1
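As an added illustration of why the first attempt failed (this is not part of the posts above and not Cisco's code), the short Python model below walks a packet through static PAT and then through the out-zone to in-zone inspect policy. It rests on what the working first device already shows: the class-map ACL references the inside address (10.10.101.20), so the router translates the public address and port to the inside address and port before the class-maps are evaluated. The public address, the outside source address, the flat list form of the class-maps (the nested cmap-hvac1-acl / cmap-hvac1 pair is collapsed into one entry), and the treatment of several `match protocol` lines as "any of these" within a match-all class-map are all assumptions made for the model; the corrected entry also assumes access-list 112 ends up permitting port 8080, the swap the first post mentions trying.

```python
"""Model: static PAT followed by IOS zone-based firewall class matching.

Added illustration, not the poster's config or Cisco's implementation.
Assumes (as the working first device suggests) that NAT rewrites the
destination address/port before the inspect policy's class-maps see it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the thread's xxx.xxx.xxx.xxx

# 'ip nat inside source static tcp <inside> <iport> <public> <gport> extendable'
STATIC_PAT = {
    (PUBLIC_IP, 8080): ("10.10.101.20", 8080),  # hvac
    (PUBLIC_IP, 8081): ("10.10.101.21", 8080),  # hvac1 (8081 outside -> 8080 inside)
}

# 'ip port-map <name> port tcp <port>'
PORT_MAP = {"user-hvac": 8080, "user-hvac1": 8081}


def translate(pkt: Packet) -> Packet:
    """Outside->inside static PAT: rewrite destination address and port."""
    inside = STATIC_PAT.get((pkt.dst, pkt.dport))
    if inside is None:
        return pkt  # no static entry: packet reaches the firewall untranslated
    return Packet(pkt.src, inside[0], inside[1])


@dataclass(frozen=True)
class ClassMap:
    """match-all class-map: the ACL must match AND at least one of the listed
    user-defined protocols must match (assumption about how multiple
    'match protocol' lines combine; see the lead-in)."""
    name: str
    acl: tuple        # (host, port) as in 'access-list N permit tcp any host H eq P'
    protocols: tuple  # names from PORT_MAP

    def matches(self, pkt: Packet) -> bool:
        host, port = self.acl
        acl_ok = pkt.dst == host and pkt.dport == port
        proto_ok = any(PORT_MAP[p] == pkt.dport for p in self.protocols)
        return acl_ok and proto_ok


def evaluate(policy, pkt: Packet) -> str:
    """Return the first class that matches the post-NAT packet, or
    'class-default' (which the policy-map drops and logs) when none does."""
    post_nat = translate(pkt)
    for cm in policy:
        if cm.matches(post_nat):
            return cm.name
    return "class-default"


# Constructed probe: an outside host connecting to the public address, port 8081.
PROBE_8081 = Packet("198.51.100.7", PUBLIC_IP, 8081)
PROBE_8080 = Packet("198.51.100.7", PUBLIC_IP, 8080)

# First attempt from the thread: ACL 112 matches eq 8081 and only user-hvac1.
# After NAT the packet is 10.10.101.21:8080, so neither the ACL nor the 8081
# port-map can match and the packet falls through to class-default.
ORIGINAL = [
    ClassMap("cmap-hvac", ("10.10.101.20", 8080), ("user-hvac",)),
    ClassMap("cmap-hvac1", ("10.10.101.21", 8081), ("user-hvac1",)),
]

# Corrected (assumed ACL 112 eq 8080, class-map lists both protocols):
# the post-NAT 10.10.101.21:8080 now matches the second class.
CORRECTED = [
    ClassMap("cmap-hvac", ("10.10.101.20", 8080), ("user-hvac",)),
    ClassMap("cmap-hvac1", ("10.10.101.21", 8080), ("user-hvac", "user-hvac1")),
]

if __name__ == "__main__":
    print("original  8081 ->", evaluate(ORIGINAL, PROBE_8081))   # class-default
    print("corrected 8081 ->", evaluate(CORRECTED, PROBE_8081))  # cmap-hvac1
    print("corrected 8080 ->", evaluate(CORRECTED, PROBE_8080))  # cmap-hvac
```

The useful habit this models: when a class-map sits behind a static PAT entry, write its ACL and port-map against what the firewall will actually see after translation, and keep the class-default drop so anything that falls through is logged rather than silently passed.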