
Video: ASA port forwarding for DMZ server access (versions 8.3 and 8.4)

6489
Views
20
Helpful
5
Comments
mirober2
Cisco Employee

When setting up a new ASA, a very common task is to use port forwarding (static PAT) to allow access to a server on the private network. In the videos below, I'll take you through all of the steps required to configure this solution in the new syntax style of ASA 8.3 and 8.4.

The videos are broken up into ASDM and CLI versions, so you can follow along with the management method you are most comfortable with.

CLI

ASDM

5 Comments
Tang-Suan Tan
Beginner

Hi Mirober2:

I tried to save the 2 videos but cannot make it.

Can you or anyone provide the link for the downloading? Thanks!

Good Video on NAT!!!

sideshowtodd
Beginner

Hi Mirober2,

Great videos, very easy to follow. Following those steps, would forwarding ports 80 and 443 off to an internal web-server prevent the ASA from handling WebVPN connections to the outside interface since the ports are redirected?

mirober2
Cisco Employee

Hi sideshowtodd,

Yes, you are correct. The ASA would not be able to differentiate between TCP/443 connections to the internal server or the outside interface since they use the same public IP address and port. In fact, the ASA will not let you configure port forwarding on TCP/443 if you already have the HTTP server (i.e. ASDM) or WebVPN enabled on that interface.

The solutions in that case would be to:

a) Use different ports for WebVPN/ASDM:

     webvpn
        port 8443

or

b) Use a different port in your NAT statement. For example:

     object network web-server
        nat (dmz,outside) static interface service tcp 443 4443

With this configuration, if users connect to the outside interface IP address on port 4443, the ASA will re-write the packet and send it to the server on port 443. Otherwise, if they connect to the outside interface IP on port 443, they will reach the WebVPN portal/ASDM.

Hope that helps.

-Mike
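
The port collision described in the reply above can be checked before a candidate configuration is pushed to the device. The following is an added example, not part of the original post or of any Cisco tool: it scans ASA 8.3/8.4-style configuration text and reports each static PAT whose mapped port on an interface is already used by WebVPN or the HTTP server (ASDM). The sample configuration, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed candidate config (addresses are documentation ranges, not from the page).
SAMPLE = """\
http server enable 8443
http 192.0.2.0 255.255.255.0 outside
webvpn
 enable outside
object network web-server
 host 198.51.100.10
 nat (dmz,outside) static interface service tcp 443 4443
object network web-server-2
 host 198.51.100.11
 nat (dmz,outside) static interface service tcp 443 443
"""

NAMED = {"www": 80, "https": 443}  # the ASA prints some ports by name
NAT_RE = re.compile(r"\s*nat \([^,\s]+,([^)\s]+)\) static interface service tcp (\S+) (\S+)")

def port(token):
    return NAMED.get(token) or int(token)

def asa_listeners(config):
    """Map (interface, tcp_port) to the service the ASA itself terminates there."""
    http_port, http_ifcs = None, []
    vpn_port, vpn_ifcs, in_webvpn = 443, [], False  # both services default to 443
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            in_webvpn = words == ["webvpn"]
            if words[:3] == ["http", "server", "enable"]:
                http_port = port(words[3]) if len(words) > 3 else 443
            elif words[0] == "http" and len(words) == 4 and words[1][0].isdigit():
                http_ifcs.append(words[3])  # http <addr> <mask> <interface>
        elif in_webvpn and words[0] == "port":
            vpn_port = port(words[1])
        elif in_webvpn and words[0] == "enable":
            vpn_ifcs.append(words[1])
    listeners = {(ifc, vpn_port): "WebVPN" for ifc in vpn_ifcs}
    if http_port:
        listeners.update({(ifc, http_port): "HTTP server (ASDM)" for ifc in http_ifcs})
    return listeners

def pat_conflicts(config):
    """Return (nat line, service) for static PATs whose mapped port the ASA already uses."""
    taken = asa_listeners(config)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and (m.group(1), port(m.group(3))) in taken:
            hits.append((line.strip(), taken[(m.group(1), port(m.group(3)))]))
    return hits
```

On the sample, only the second NAT rule (mapped port 443) is reported, and moving WebVPN to port 8443 as in option (a) clears it.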

mirober2
Cisco Employee

Hi Tang-Suan Tan,

I don't believe the Cisco Support Community offers a download link for these videos, but you can bookmark the following permanent link:

https://supportforums.cisco.com/docs/DOC-17347

Hope that helps.

-Mike
