ASA Policy Nat
jovan88
Member Posts: 393
OK guys I'm trying to get into ASAs as I'm more of a Checkpoint man, I'm trying to get a NAT rule up and running, it shouldn't be too tough.
I have an ASA with 1 public IP address running PAT, HostA and HostB are out on the internet and the webservers are inside the LAN
if HostA hits outside on http, port forward to webserverA
if HostB hits outside on http, port forward to webserverB
Now it seems like that shouldn't be a tough thing to accomplish, but the ASDM isn't making it as clear as other firewalls.
If anyone can give me a hand or even direct me to some cisco docs that would be great
Comments
-
jovan88 Member Posts: 393
Looks like I can't do it unless I change the port numbers, for example
if HostA hits outside on 80, port forward to webserverA
if HostB hits outside on 8080, port forward to webserverB
If that is the case, that's very disappointing, especially because some low end firewalls can do this with no problem.
Combining that with the fact that you can't do policy based routing - blehh -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Just curious, what version of ASA OS are you using?
-
ColbyG Member Posts: 1,264
I'm not too great with ASAs, but something like this should/might work:
Edit: Nevermind. I was thinking about it wrong. Lemme think some more, lol. -
ColbyG Member Posts: 1,264
Okay, second attempt. Again, not an ASA guru, but I think this would work:
WebserverA = 192.168.1.10
WebserverB = 192.168.1.20
HostA = 1.1.1.1
HostB = 1.1.1.2
access-list ACL_HostA-To-WWW permit tcp host 1.1.1.1 any eq 80
static (inside,outside) 192.168.1.10 access-list ACL_HostA-To-WWW
access-list ACL_HostB-To-WWW permit tcp host 1.1.1.2 any eq 80
static (inside,outside) 192.168.1.20 access-list ACL_HostB-To-WWW
See if that does it. -
jovan88 Member Posts: 393
thanks for your help, unfortunately the ASA gave me a big middle finger:
ERROR: Protocol mismatch between the static and access-list
seems you can't define ports in the ACL? bah
after some Googling - looks like it can't be done:
ASA - Source Based Static -
instant000 Member Posts: 1,745
Let me take a stab at this one: (source links below)
example config:
partner1 = 10.10.10.10
partner2 = 20.20.20.20
your public ip = 55.55.55.55
your internal server1= 51.51.51.51 (the server partner 1 hits)
your internal server2= 52.52.52.52 (the server partner 2 hits)
access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55
static (outside,inside) tcp 51.51.51.51 80 access-list partner1
static (outside,inside) tcp 52.52.52.52 80 access-list partner2
Source:
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Static NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
For a configuration example from the learning network:
https://learningnetwork.cisco.com/message/91237
(note post number EIGHT ... smilies are vicious here ... 8 8
Let me know if this works for you. Would be disappointed if it did not. (Note: I've not progressed to this in my studies yet, but it would be wonderful to have this one figured out already.)
Hope this helps!
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!) -
instant000 Member Posts: 1,745
and to clarify, the source of the protocol mismatch is that the ACL was for "tcp" but the static was for "ip" (as default). By specifying the static for "tcp, port 80" that should help the issue.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!) -
ColbyG Member Posts: 1,264
instant000 wrote: »Let me take a stab at this one: (source links below)
example config:
partner1 = 10.10.10.10
partner2 = 20.20.20.20
your public ip = 55.55.55.55
your internal server1= 51.51.51.51 (the server partner 1 hits)
your internal server2= 52.52.52.52 (the server partner 2 hits)
access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55
static (outside,inside) tcp 51.51.51.51 80 access-list partner1
static (outside,inside) tcp 52.52.52.52 80 access-list partner2
I was toying around with this idea as well. The issue I see is that the ASA won't let you specify the destination port in the ACL/NAT, only the source port, which we can't predict. Your ACL is specifying the source port of TCP 80, but that should be the destination port, no?
So isn't your ACL/NAT saying, if you're coming in the outside interface from 10.10.10.10 with a source port of TCP 80, going to 55.55.55.55 with a destination port of ANY, DNAT to 51.51.51.51 TCP 80?
I might be interpreting this wrong, but this is the impression I got when I was digging through it earlier today. I'll try labbing it later and see if it works. -
instant000 Member Posts: 1,745
Hrm.
I pasted the commands into the config, and they were accepted, but they weren't checked to see if they actually functioned, and yes, the first port in the ACL would reference the source port.
Maybe you could just use a permit ip access-list, instead of a permit tcp one ...
hrm, but this idea to change it to only an ip access-list wouldn't work, though, if the outside partners had to connect to more than one internal IP at your area.
==============
I looked at this for a couple hours last night, and just looking at it, it doesn't make sense to me, either.
I do know that the ASA at least accepts it (but how well it works) wouldn't know, without generating traffic over port 80 to that address, from the differing sources.
This is all I have now.
I interpret it as allowing http requests from 10.10.10.10 directed at 55.55.55.55 to instead be translated to port 80 requests on tcp to 51.51.51.51.
I hope that's how it's working, otherwise, this won't help you, if it's just referencing source port.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!) -
instant000 Member Posts: 1,745
I found this in the command reference ..... try this out (seems I was making the ACL backwards, try this ...)
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the adaptive security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
source: Cisco ASA 5500 Series Command Reference, 8.2 - shun -- sysopt radius ignore-secret [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!) -
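Applying the command-reference pattern above to the original question, as an added example that is not from any post in this thread: in the 8.2 `static ... access-list` form the ACL is written from the real (inside) side, so the source is the inside web server and its real port, and the destination is the outside host that is allowed to reach it. Addresses are taken from ColbyG's post; the use of the `interface` keyword for the single PAT address, the two policy statics sharing mapped port 80, and the outside-interface ACL names are assumptions of this example and were not verified on a box by anyone in the thread.

```text
! --- Added example (pre-8.3 syntax), not from the thread. Addresses assumed:
!     WebserverA = 192.168.1.10   WebserverB = 192.168.1.20
!     HostA = 1.1.1.1             HostB = 1.1.1.2
!     public address = the outside interface address (single IP, PAT)

! Policy ACLs are from the REAL (inside) host's point of view:
! source = inside server and its real port, destination = permitted outside host.
access-list NAT_WEB_A extended permit tcp host 192.168.1.10 eq 80 host 1.1.1.1
access-list NAT_WEB_B extended permit tcp host 192.168.1.20 eq 80 host 1.1.1.2

! Same mapped address and port, different real server chosen by which ACL matches.
! "interface" = use the outside interface address (assumption: accepted with policy static).
static (inside,outside) tcp interface 80 access-list NAT_WEB_A
static (inside,outside) tcp interface 80 access-list NAT_WEB_B

! Pre-8.3, the inbound interface ACL references the MAPPED address (the outside
! interface), not the real server. Restrict it to the two partner hosts only.
access-list OUTSIDE_IN extended permit tcp host 1.1.1.1 interface outside eq 80
access-list OUTSIDE_IN extended permit tcp host 1.1.1.2 interface outside eq 80
access-group OUTSIDE_IN in interface outside

! Checks after generating real traffic from each partner host:
!   show xlate            - one translation per server, both mapped to <outside-ip>:80
!   show conn | include 80 - which real server each partner's connection landed on
```

Because both statics share the mapped socket, the only thing separating the two servers is the ACL match on the outside host's address; if a third host connects to port 80 it matches neither policy ACL and is dropped by the interface ACL, which is the behaviour you want for a per-partner mapping.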
unclerico Member Posts: 237 ■■■■□□□□□□
Try upgrading to 8.3 or later. If I remember correctly this functionality is included.
Preparing for CCIE Written
-
unclerico Member Posts: 237 ■■■■□□□□□□
Many-to-1 NAT
Netl33ts: Static many-to-one nats on a Cisco ASA
Preparing for CCIE Written